Large numbers of healthcare organizations adopting encryption
One year ago, when the largest data breach on record took place, at Anthem, the call went out from numerous IT security experts for the healthcare industry to take its data protection measures to a whole new level. For once, it seems, the industry listened.
In the wake of the Anthem data theft, “Adopting security technology has received a lot more attention throughout the healthcare sector. That, plus falling price points, has led to it being more widely adopted than it was a year ago,” says Kathy Hughes, chief information security officer for Northwell Health (formerly Northshore-LIJ Health System), New York State’s largest healthcare provider.
So does that mean patient data is safer today than at the time of the Anthem break-in? “Yes,” replies Hughes, “absolutely.”
At the heart of these efforts to safeguard medical records and other patient information have been moves by hospital CISOs and others to make more extensive use of encryption. At the time of the Anthem attack last March, many experts pointed to the health insurer’s failure to encrypt its database as a key vulnerability.
Anthem, like many other healthcare-related businesses, had resisted encrypting the content of its databases, commonly referred to as data at rest, because of the impact on performance it imposed. Healthcare providers, in particular, were reluctant to slow response times for doctors and other staffers who frequently query databases like electronic health record (EHR) systems.
Those concerns have since abated. New technologies like hardware security modules (HSMs) enable users to run encryption with only a tiny degree of performance degradation. According to Hughes, the latest storage encryption tools are not only more cost-effective, their impact on database performance is so minimal “that it’s virtually invisible to the end user.”
Encryption at rest “is becoming much more pervasive,” agrees Russ Branzell, president and CEO of the College of Healthcare Information Management Executives (CHIME). “Not everyone is there, but it’s becoming the norm.”
Of particular significance, Branzell says, is that more healthcare organizations are now writing encryption requirements into their service contracts for cloud-based solutions. These requirements cover not only encryption of data at rest but also encryption during transport and delivery, and decryption.
And while encryption at rest “implies encryption of data center storage or big block storage,” Branzell adds, “now it also encompasses laptops, smartphones and other mobile devices.”
While the use of encryption is steadily gaining ground within all major industries worldwide, the Ponemon Institute’s 2016 Global Encryption Trends Study finds that it has become more prevalent in healthcare and pharmaceuticals than any other sector with the exception of financial services.
Based on a survey of 5,009 individuals across multiple industries in 11 countries, the study determined that, on average, 14 different encryption technologies are used by 49 percent of all health and pharma organizations. This compares with 56 percent for financial services.
Encryption, however, is only one element of the healthcare industry’s current leading-edge security practices.
“Encryption creates workflow issues,” says Larry Ponemon, Ph.D., chairman and founder of the data security research institute that bears his name. In a hospital setting, for example, doctors and nurses need to constantly access EHR data, which is useless to them if it remains encrypted. From the standpoint of a would-be data thief, such access activity continuously creates potential new openings for an attack. To counter this, “You have to build a workflow to ensure that you’re not vulnerable at points where the data is decrypted and in clear text,” the researcher explains.
Despite the growing use of encryption, Ponemon argues that, in certain respects, healthcare providers are more at risk than ever of a data breach. This has less to do with whatever security measures they have in place and is more the result of an increasingly widespread and pernicious threat.
“Medical data has become increasingly valuable on the black market, and the bad guys are getting more persistent and better at what they do,” Ponemon says. “We’ve seen over the past year that healthcare companies are building better security, but at the same time, the attacks are becoming more stealthy and sophisticated. This makes hospitals very vulnerable.”
In light of the increasing value of healthcare data, there has been a sea change in the way many healthcare organizations are viewing cybersecurity. Their strategy has shifted from one of total prevention—and spending millions on perimeter protection and network control in an effort to stop each and every attack—to one of detection and containment.
The latter approach accepts that some breaches will inevitably occur, but seeks to mitigate the damage they inflict by limiting their potential impact with technologies like authentication, rights management and data sandboxes.
With many hospital CISOs reporting as many as 1 million break-in attempts a day, “More healthcare providers are planning for a breach or a data event,” acknowledges CHIME’s Branzell. “They’re drilling their organizations to prepare. This is the biggest transition that has occurred.”
Another Ponemon study reflects this new way of thinking. In a 2016 report on the state of U.S. healthcare’s cybersecurity, the 535 IT professionals interviewed ranked encryption of data at rest and encryption of data in motion as the second and third most important tools for achieving their security objectives. Topping the list of most effective security technologies, however, was authentication and identity management.
Those results are in line with the recognition that some attacks will make it through the firewall, and providers must be prepared to contain the damage.
“There are two different encryption paradigms,” says Hussein Syed, chief information security officer for Barnabas Health, New Jersey’s largest integrated healthcare delivery system. The first is “brick-level” encryption of mobile devices, drives and storage networks. The other uses authentication and rights management technologies to limit an individual’s ability to decrypt data.
Using the rights-management model, “Even a system administrator with privileged access won’t be able to decrypt data to which he hasn’t been granted explicit rights,” Syed explains.
On the plus side, such an approach “is very effective at mitigating both insider and outsider threats.” But the downside is that “it’s a pretty big endeavor and requires a lot of resources and planning.” Nevertheless, he adds, Barnabas is “looking in that direction ourselves.”
But to contain a threat, first it must be detected.
“Usually, there’s a fairly large gap of time between when a breach occurs and when it’s remediated or even identified,” says CHIME’s Branzell. “The sophistication of these attacks is such that they appear to be a routine job running in the background, giving you no flag or warning that they’ve even occurred.”
“Being able to detect activity quickly is the key nowadays,” agrees Syed.
To spot an attack, Barnabas makes use of several techniques, such as user analytics, which it employs to track the day-to-day online activities of users on the provider’s network. Whenever a user’s behavior deviates from that individual’s norm, the system assumes it could signal that the user’s identity has been compromised and issues an alert. The technique is applied selectively, Syed says, and “users with greater than normal permissions are monitored more closely.”
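A minimal form of the per-user baselining Syed describes, as an added example that is not Barnabas’ system or code: each account’s daily record-access count is compared with that account’s own history, and privileged roles get a tighter z-score threshold so that a smaller deviation raises an alert. The audit records, role names and threshold values are constructed for illustration.

```python
"""Per-user behaviour baselining with role-dependent alert thresholds."""
import statistics
from collections import defaultdict

# Constructed sample audit records (not real data): (user, role, day, records viewed).
HISTORY = [
    ("nurse01", "staff", d, n) for d, n in enumerate([40, 45, 38, 42, 50, 44, 41])
] + [
    ("dba01", "admin", d, n) for d, n in enumerate([5, 6, 4, 5, 7, 5, 6])
]
# Today's activity: both users are a little above their usual volume.
TODAY = [("nurse01", "staff", 7, 50), ("dba01", "admin", 7, 7)]

# Privileged accounts are "monitored more closely": a lower z-score triggers an alert.
THRESHOLDS = {"staff": 3.0, "admin": 1.5}


def build_baseline(history):
    """Return {user: (role, mean, stdev)} of daily record views from past activity."""
    per_user = defaultdict(list)
    roles = {}
    for user, role, _day, count in history:
        per_user[user].append(count)
        roles[user] = role
    return {
        u: (roles[u], statistics.mean(c), statistics.pstdev(c))
        for u, c in per_user.items()
    }


def score(baseline, user, count):
    """z-score of today's count against the user's own history."""
    role, mean, sd = baseline[user]
    sd = sd or 1.0  # a perfectly regular user would otherwise divide by zero
    return role, (count - mean) / sd


def detect(history, today):
    """Return (user, day, reason) alerts for deviations from each user's norm."""
    baseline = build_baseline(history)
    alerts = []
    for user, _role, day, count in today:
        if user not in baseline:
            alerts.append((user, day, "no baseline for this account"))
            continue
        role, z = score(baseline, user, count)
        if z > THRESHOLDS[role]:
            alerts.append((user, day, f"z={z:.2f} exceeds {role} threshold"))
    return alerts


if __name__ == "__main__":
    for alert in detect(HISTORY, TODAY):
        print(alert)
```

With the constructed data the nurse’s bump stays under the staff threshold while the administrator’s similar-sized bump is flagged, which is the selective monitoring the passage describes.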
In addition, Barnabas inspects all its outbound traffic. Anything suspicious is trapped in a data sandbox for further analysis. Developed as high-horsepower analytics tools for data scientists, sandboxes are data marts or logical partitions set up in enterprise data warehouses, where selected data can be safely confined and manipulated.
Some healthcare providers take this a step further, making use of what information security consultant Sari Greene calls a honeypot strategy. The “honey” is an intentional flaw or weakness in the organization’s defense perimeter, designed to draw a would-be data thief into making a zero-day attack. Such attacks consist of viruses or other types of malware that have never been released before—which means their signatures have yet to be identified by the provider’s antivirus software.
Once the lure is set and an attack takes place, says Greene, managing director for South Portland, Maine-based Sage Data Security, the infected data is then routed and held in a sandbox. There, the malware’s signature can be safely analyzed and shared with other organizations via a threat intelligence system. In this way, Greene says, providers can learn to identify and detect a much greater volume of previously unrecognized threats.
Providers like Northwell are deploying many of these techniques in what Hughes refers to as a defense-in-depth strategy. Northwell takes “an onionlike approach,” she says, maintaining different layers of security, each of which involves different tools and protocols.
The outer layer consists of encryption of data at rest and data in transit. But, “if a user has legitimate credentials to access some data,” the CISO observes, “encryption no longer affords any protection.” So the other layers of Northwell’s security onion include antivirus software, intrusion detection analytics, and security information and event management (SIEM).
Encryption is preventative, says Ponemon, while other tools, like those in Northwell’s arsenal, are more remedial. Their role is to circumscribe and limit the outcome of an attack.
With this in mind, he says, a provider should set its security priorities as follows:
- Build a strong perimeter, including a firewall and encryption of data both at rest and in transit.
- Monitor the network with antivirus and intrusion detection software to identify threats.
- Deploy analytics and threat intelligence to examine data points and pool data with other providers to identify and learn more about new threats.
Ponemon also envisions a fourth step, which he terms “hack-back.” Hospitals, he argues, “need to take the fight to the bad guys and attack their servers.” Technically, he says, this is quite feasible, although under current legal constraints, such measures might require taking action against hackers who are planning an attack before they have actually broken any laws—which means, for the time being, this remains a plan for the future.
So with all these sandboxes, honeypots, onions and other strategies in place, is patient medical data finally secure? The question draws a laugh from Barnabas’ Syed. “It’s more secure than it was a year ago,” he allows, “but ultimate security is Nirvana. There’s a lot more work to be done.”