Instructions for Healing Healthcare Cyber NetworksBy: Cliff Kittle
Attacks on two healthcare organizations swept the news in January. One breach exposed 13.5 million records, giving attackers access to Social Security numbers, financial information, medical claims data, addresses, email addresses, names and dates of birth.
That attack looks like small beans compared to the other healthcare victim, whose 80 million member and employee records were exposed.
Healthcare Organizations Are a Target
In a recent healthcare edition of a Harris Poll commissioned by Vormetric, 26 percent of healthcare IT decision makers said their organizations had experienced a data breach in the past, and 54 percent said that compliance requirements were the largest driver for securing sensitive data. Although compliance certainly can help secure an organization, when focused on compliance rather than on security, trouble brews. Concentrating on compliance creates a reactive approach to information security; organizations take action because they have to fix a problem. Instead, they should develop a long-term security strategy. Healthcare organizations must constantly have an eagle-eye view of their environment so they can act quickly when prey is sighted. Threat actors lie in wait to attack. So organizations need to think like hunters to proactively design, implement and defend critical assets, such as electronic protected health information (ePHI). Practically every successful attack involves some mistake on the side of a defender, who could have been more vigilant.
Proactive Security Starts with Awareness and Assessment
Your watchful eye and defensive stance should start with Security Awareness Training that is tailored to your organization’s unique operating environment. Training should stress and reinforce key teaching points aimed at minimizing errors within your environment. Throughout the year, you should continually test employees for their comprehension and retention of those teaching points. Whether or not you test employees, attackers will be testing them for you, so get there first.
In tandem with training, a Security Assessment should be conducted, preferably by a third-party who can assess your network without prejudice to identify risky areas where vulnerabilities exist that could be likely points of unauthorized entry. The assessor should evaluate probabilities of and potential impacts of both passive and active security incidents.
- A passive incident occurs when employees inadvertently compromise ePHI. For example, a nurse might accidentally save ePHI to a folder in which unauthorized people could see it, or he might provide to a third-party business vendor information that should have remained confidential.
- An active incident could be an employee who steals ePHI for her own financial gain or who purposely provides an authorized party access to ePHI. An active incident could also be an adversary who breaches the organization’s network.
Determining if You’re at Risk
In combination with the security assessment, your assessor should conduct a risk analysis to discover possible unauthorized entry points to your network and any vulnerabilities in your system. The assessor should then rank the likelihood of that risk occurring from very low to very high. Based upon the requirement of the standard you are trying to meet, such as HIPAA or PCI DSS, you should conduct a representative sample assessment of all your devices containing ePHI. All the devices containing ePHI need to meet the standard. Because the HIPAA standard is vague, to help you interpret it properly you may want to meet with a cybersecurity consultant so you meet all requirements.
Know What’s In Your Network
Your security program should also include event monitoring to catch intruders before they can capture valuable information, such as patient and billing records. These event logs are a requirement of the HIPAA Security Rule and help with conducting forensics after an organization has been breached. Because most every organization will be breached at some point – whether they realize they’ve been breached is another issue – all organizations should have a Cyber Security Incident Response Plan (CSIRP), complete with a Contingency Plan, a HIPAA requirement.
You can’t always stop a breach, but with the right security program in place, you can stop it long before you lose 13.5 million records.