Security Survival Guide: 10 Steps for Protecting Patient Data
With increasing numbers of access points to protected health information under attack, the healthcare industry continues to be plagued with damaging breaches. Just yesterday, CareFirst BlueCross BlueShield announced a hacking that compromised the information of more than a million of its members.
Not surprisingly, a Ponemon Institute report released earlier this month found that over 90 percent of healthcare organizations have been breached in the last two years and the breaches are a growing $6 billion annual epidemic that is putting millions of patients and their information at risk. The study, sponsored by security software vendor ID Experts, reveals that most healthcare organizations are still woefully unprepared to address the rapidly changing cyber threat environment and lack the resources and processes to protect patient data.
With cyber criminals actively targeting healthcare, Rick Kam, president and co-founder of ID Experts, argues that the threats to patient data have never been greater. However, as chair of the PHI Protection Network, a cross-industry collaboration of vendors formed to help expedite the adoption of PHI best practices, Kam also believes there are some critical strategies healthcare organizations can employ for protecting patient information.
Probably the best place to start is really to do a risk assessment, says Kam. It needs to be front and center as the starting place to help decide and prioritize wherefor the most parta very limited IT security budget might be allocated. What the risk assessment will do is identify those assets and systems where PHI lives. He sees this as an inventory of where an organizations patient information exists, not only internally in a hospital or clinic, but also with external business associates and partners that are involved in managing that data.
Specifically, the PHI Protection Network recommends 10 steps necessary to protect patient data:
*Demand organizational leadership engagement. Workforce training and safeguards alone will not be effective. Organizational leadership must embrace and champion compliance as it would any other component of the organizations value chain. Leadership must visibly and actively foster a culture of compliance throughout the organization by setting expectations and holding all workforce members accountable to the same standards.
*Find and identify your data. Organizations need to know where their data lives, where it travels, and in what form (encrypted, identified, de-identified, etc.).
*Control PHI workflow and minimize necessary workforce access. Organizations must find ways to better control PHI workflow within the organization, and movement outside the organization. This not only includes safeguarding it from impermissible uses and disclosures, but also will require integration of HIPAA with other health information protection activities to ensure a single point of control within the organization.
*Assess risks. Organizations must have solid processes in place for assessing risk with new systems, devices, services and partners, and determine how best to use their power as purchasers to weed out those that dont meet best security practices.
*Prioritize third-party vendor management. Organizations will need help with third-party vendor management to strengthen oversight and review processes. Smaller business associates are particularly vulnerable since they may not have as many resources to devote to security and compliance, and may be more likely to experience a data breach.
*Get proactive. The healthcare industry needs to take a proactive stance when it comes to regulations to protect patient health information. Companies that go above and beyond baseline protection requirements will be seen as industry leaders, and patients will choose to use their services over others.
*Make privacy an integral part of new technology adoption. The pace at which new technology is being introduced into the healthcare industry is increasing, with thousands of new health-related mobile applications available this year, devices such as Apple Watch and the Internet of Things. But we have little evidence that patient privacy or security features are being considered. The healthcare industry and its technology service providers need to take advantage of existing technology as well as how they design, construct and deliver new tools.
*Measure to Improve. You cant manage what you cant measure. The healthcare industry needs to get better at determining key metrics to continuously measure and improve security postures.
*Look for non-standard systems as potential PHI data stores. In particular, voicemail systems, customer service call recording systems, and closed-circuit television systems could all potentially be storing PHI, but may not be as carefully safeguarded as traditional IT systems such as EHRs and patient billing.
*Instill a culture of security. Every employee is a guardian of the customers data.
Although employee negligence and lost/stolen devices continue to be primary causes of data breaches, as Kam points out, one of the major findings of the recent Ponemon Institute report is that criminal attacks are now the leading cause of breaches in healthcare. While criminal attacks are often referred to as cyber-attacks, they can also include malicious insider threats, according to Kam.
He advises that instead of trying to protect everything from everyone, the next step is really trying to better understand what the criminals are doing right now to get access to the data and whats causing the breaches in the type of organization youre trying to protect.
Nathan Wenzler, a certified security administrator and network auditor who works for IT security firm Thycotic, notes that Ponemons report on the security incidents healthcare organizations have experienced are almost all related to the intentional exploitation of technical systems. These are not accidental missteps resulting in data loss, with 78 percent of survey respondents experiencing Web-borne malware attacks, 38 percent citing SQL Injection incidents, and 88 percent suffering from spear phishing.
While some may argue Spear phishing is a form of employee negligence, its really just a means to get a foothold into a network in which to begin the real reconnaissance and attack on the network, argues Wenzler. The attacker is trying to compromise user accounts or credentials that have elevated privileges, which permit access to sensitive systems and critical data. If stronger technical controls were in place around credentials, especially those passwords with access to high-value systems, this could start to solve many of the worries healthcare organizations are feeling and directly address several attack vectors theyve reported to have already taken place.
Most attack vectors are designed to get credentials and then elevate them and, unfortunately, healthcare organizations dont get the administrative credentialsthe high-end credentialsright, he adds. Thats the one big blind spot that just doesnt get the visibility it deserves. If you can start to eliminate the ability to get to those elevated accounts, you can neutralize all kinds of attacks.
Understanding the value of patient data is critical, according to Jay Atkinson, CEO of secure cloud hosting vendor AIS Network. He recommends that healthcare organizations schedule frequent penetration testing and vulnerability scans to uncover vulnerabilities and show how well they are protecting their networks and data. Performing monthly or quarterly tests will help to establish critical processes (e.g., data encryption, hardened authentication) and to develop a clear understanding of how to avoid breaches as well as strategies for remediation, Atkinson asserts.
But, Wenzler cautions that taking an outside-in approach to identifying security vulnerabilities is too limited a perspective.
We hear this all the time now, but the perimeter is deadthere is no more perimeter, he says. A strategy that looks at things from the outside-in is really a losing battle because the outside is always going to grow, with the explosion of mobile and remote medical-monitoring devices collecting personal data. Taking things from an inside-out approach is a much stronger position from which to control access so that in the end it really doesnt matter how much the outside grows. By focusing on the inside part first and working their way out, organizations will have a much better chance of getting ahead of the threats.