Guest post by Todd Weller, vice president of corporate development, Hexis Cyber Solutions, Inc.
According to a 2014 Identity Theft Resource Center report, the healthcare industry has officially surpassed other major industries and now accounts for 42.3 percent of all data breaches recorded last year. As patient medical records transition to a digital sharing model, the potential cost of a data breach is now substantially higher than in less regulated industries, like retail and public services. It’s clear that the industry is increasingly vulnerable to sophisticated cyberattacks; hackers are after vital patient information such as social security numbers and past medical records.
With limited budgets and priorities often, and rightfully, placed on patient care, many healthcare organizations lack the resources to implement stronger security levels. Despite these constraints, with the right technology and best practices in place healthcare organizations can position themselves for success.
The costs associated with “damage control” for many healthcare providers are steep, with the annual cap on fines for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and HITECH Act of 2009 up from a maximum of $25,000 per year to $1.5 million. And fines are only part of the financial burden. Investigation and legal efforts, business downtime and decreased credibility all drive up costs even further.
Unfortunately, many healthcare organizations still face challenges when it comes to effectively communicating and collaborating on security. In many of these organizations, there is a department for privacy and compliance and then a separate department for enterprise IT security. Functional groups are often siloed and share very little information with each other. This becomes a major issue in the event of a breach, as neither side is able to understand the full spectrum of the threat without the other’s data.
The consequences of the gap between compliance and IT security become evident when dealing with insider threats. An individual’s actions may look legitimate, but when correlated against other activity, they could indicate that malicious activity is occurring. A workstation that has always previously accessed clinical data or some other patient information doesn’t raise suspicion. But a subtle, steady increase in traffic, say of 5 percent or 10 percent, correlated with communication to an unauthorized or new IP address, likely indicates a breach. The same example could apply to an external threat, with a malicious actor using social engineering methods to entice an unwitting user to download malware. Once inside the network, the malware can replicate the very same scenario. Either way, a breach has occurred. The IT security department may discover the situation, investigate and handle it, and move on to the next task. But without visibility into this type of data, how would the compliance department learn about possible data leakage and take the necessary steps to investigate and report?
On the flip side, the compliance department is the only group authorized to see private and sensitive patient data – as a result, this department has stronger access controls when it comes to protecting that kind of information. Regardless of this control, the compliance department is limited in its ability to spot unusual system activity. While the IT security department should not have access to privacy data, certain data can be summarized and presented to IT security without disclosing any sensitive information. Specifically, system data such as the total number of accesses by host or by role on a machine won’t disclose patient records or clinical data, but could indicate a potential breach and initiate an investigation.
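The two paragraphs above describe one workflow from both sides: compliance summarizes access activity without exposing patient identifiers, and IT security correlates a modest traffic increase with a destination the workstation has never contacted. The Python below is an added example, not code from the original post or from Hexis Cyber Solutions, that walks through both halves over a constructed access log. The log format, the field names, the hostnames, the IP addresses and the 5 percent threshold are all assumptions made for the illustration.

```python
"""Privacy-preserving access summary plus a baseline-deviation check over
constructed workstation access logs.

Added example; not code from the original post or from Hexis Cyber Solutions.
The log format, field names, hosts, IPs and thresholds are assumptions."""
from collections import defaultdict

# Constructed sample records, one per line:
#   date,host,role,user,patient_id,dest_ip,bytes
# The user and patient_id columns stand in for the sensitive fields that the
# compliance office may see but IT security should not. 203.0.113.9 is a
# documentation-range address playing the part of a never-before-seen host.
SAMPLE_LOG = """\
2015-03-02,ws-clinic-07,nurse,jdoe,P1001,10.20.0.5,4000
2015-03-02,ws-clinic-07,nurse,jdoe,P1002,10.20.0.5,6000
2015-03-02,ws-clinic-08,physician,asmith,P1003,10.20.0.5,5000
2015-03-02,ws-clinic-09,billing,rlee,P1004,10.20.0.6,3000
2015-03-03,ws-clinic-07,nurse,jdoe,P1005,10.20.0.5,10000
2015-03-03,ws-clinic-07,nurse,jdoe,,203.0.113.9,800
2015-03-03,ws-clinic-08,physician,asmith,P1006,10.20.0.5,5400
2015-03-03,ws-clinic-09,billing,rlee,,203.0.113.9,200
"""

FIELDS = ("date", "host", "role", "user", "patient_id", "dest_ip", "bytes")
SENSITIVE_FIELDS = ("user", "patient_id")   # never leave the compliance side


def parse_log(text):
    """Parse the constructed CSV-style log into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split(",")))
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def deidentify(records):
    """Compliance-side step: drop the fields IT security may not see,
    keeping only system data (date, host, role, destination, volume)."""
    return [{k: v for k, v in rec.items() if k not in SENSITIVE_FIELDS}
            for rec in records]


def summarize_for_it_security(records):
    """Counts of accesses by host and by role. Reveals activity volume,
    not which patient's record was opened or by whom."""
    by_host = defaultdict(int)
    by_role = defaultdict(int)
    for rec in records:
        by_host[rec["host"]] += 1
        by_role[rec["role"]] += 1
    return {"by_host": dict(by_host), "by_role": dict(by_role)}


def detect_traffic_anomalies(records, baseline_date, current_date,
                             min_increase_pct=5.0):
    """IT-security-side step: flag a host only when its traffic grew by at
    least min_increase_pct from the baseline day AND it contacted a
    destination absent from the baseline. Either signal alone is weak; the
    correlation of the two is what the post describes."""
    bytes_by = defaultdict(lambda: defaultdict(int))   # date -> host -> bytes
    dests_by = defaultdict(lambda: defaultdict(set))   # date -> host -> {ip}
    for rec in records:
        bytes_by[rec["date"]][rec["host"]] += rec["bytes"]
        dests_by[rec["date"]][rec["host"]].add(rec["dest_ip"])

    alerts = []
    for host, cur_bytes in bytes_by[current_date].items():
        base_bytes = bytes_by[baseline_date].get(host)
        if not base_bytes:
            continue   # no baseline for this host; nothing to compare against
        increase_pct = (cur_bytes - base_bytes) * 100 / base_bytes
        new_dests = dests_by[current_date][host] - dests_by[baseline_date][host]
        if increase_pct >= min_increase_pct and new_dests:
            alerts.append({"host": host,
                           "increase_pct": round(increase_pct, 1),
                           "new_dests": sorted(new_dests)})
    return alerts


if __name__ == "__main__":
    visible = deidentify(parse_log(SAMPLE_LOG))
    print(summarize_for_it_security(visible))
    for alert in detect_traffic_anomalies(visible, "2015-03-02", "2015-03-03"):
        print("ALERT", alert)
```

In the sample data, ws-clinic-07 grows 8 percent and talks to a new address, so it is flagged; ws-clinic-08 also grows 8 percent but only to its usual server, and ws-clinic-09 contacts the new address while its volume drops, so neither raises an alert. The de-identified records carry enough to reach that verdict without a single patient identifier crossing from the compliance office to IT security.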
Clearly, for either side of the organization, limited data visibility and collaboration hamper the ability to identify a breach and, in turn, to limit losses. Here are three steps healthcare organizations should consider as they begin their journey towards a more secure network:
Hire a CISO with overall responsibility for enterprise data protection.
Successfully bridging the gap between IT security and privacy/compliance is predicated on having support from the highest levels within the organization. An innovative C-level IT security executive who understands the challenges and appreciates the value that comes from an enterprise-wide approach to protecting data must be at the helm. The most effective CISOs are able to collaborate across the organization, aligning technology with business objectives to ensure risk tolerances are met while supporting business imperatives. They also understand the necessary action to take should a breach occur, including involving the appropriate parties to protect the organization and patients. And they know how to leverage technology to optimize resources while accomplishing the mission.
Build and foster a strong security posture.
With limited resources, healthcare organizations need to be savvy about technology investments. They need solutions that satisfy requirements now but can also carry them into the future. IT security teams should ask technology vendors the following questions:
- What types of data can you integrate with? Healthcare companies need to collect data from a large variety of sources, including off-the-shelf and custom applications such as patient systems, infrastructure devices (switches, routers, firewalls, VPN concentrators, proxy servers, etc.), servers and desktops, application access logs, physical security data (badge access records) and even medical devices. They also need to be able to add more sources easily over time.
- How much data can you store and for how long? In the healthcare industry, regulations can require storing data for up to 10 years. Organizations need storage infrastructure that can support collection and analysis of increasingly large data sets over long timeframes. Traditional relational database technologies can be a poor match for storing and querying massive volumes of unstructured or semi-structured time series event data.
- How can we access that data for audits and investigations? Stitching together a scenario for investigation takes time and money and is subject to error. Access to data in a single place, with appropriate access controls per user, is essential for an enterprise-wide approach. The ability to automatically analyze relevant data from patient systems and IT systems to identify anomalous patterns that could indicate potential malicious activity increases effectiveness.
Implement an incident response plan.
According to the 2014 Verizon Data Breach Investigations Report, which analyzed data from 50 different organizations, in 75 percent of cases breaches weren’t discovered for weeks, months or even years. During that time critical data and assets are at risk, and attackers have ample time to establish a foothold for future attacks. Urgency in dealing with threats is essential, yet many organizations don’t have an incident response plan in place, with a designated team and documented processes and policies, so that the right people are notified at the right time. With fines that mount as breaches progress, technology solutions with an alerting mechanism that ties into the incident response process will help expedite investigation and action and minimize risk.
Healthcare facilities are prime targets for hackers, making the need to protect every aspect of patient information even more critical. These in-depth approaches can help healthcare organizations mitigate risks throughout the cyber landscape and protect their sensitive information. The rise in electronic health records comes with a higher risk of theft and could cause the organization to suffer significant consequences in the wake of a cyberattack. It’s no secret that government fines are skyrocketing, and for many healthcare organizations, paying the fines and enduring the collateral damage is a cost they can ill afford. With a better understanding of the key ways to lower the costs of a breach, healthcare organizations can bridge the gap between the privacy office and the enterprise security department for a faster, more accurate and cost-effective approach to data protection.