Bridging Communication Between Privacy and IT Security in Healthcare
Guest post by Kim Lennan, director of healthcare markets for Hexis Cyber Solutions.
The cost of IT security data breaches in the highly regulated healthcare industry is staggering, topping even that of the financial services market. No one is immune. Nearly 94 percent of medical institutions report that their organizations have been victims of a cyber attack, according to findings by the Ponemon Institute. With last year's update to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act of 2009, expenses are rising again. The annual cap on fines for security breaches has also skyrocketed from a maximum of $25,000 per year to $1.5 million.
With breaches in healthcare ranging from insider, nosy-neighbor snooping to external cyber threats such as malware, there is an obvious urgency for detection and remediation solutions that cover not only the hardened perimeter but also the soft center, extending all the way out to the ancillary systems that once stood alone but are now networked and part of the entire electronic healthcare ecosystem.
Establishing a single, integrated, active defense approach to bolster your security posture and mitigate insider breaches, as well as cybercrime in healthcare, begins with a push to break down internal barriers. Organizations need technology and organizational leaders who champion bridging the gap between the two influential and liable, yet often non-collaborating, service providers responsible for protecting these domains: privacy and compliance, and enterprise IT security.
Coordinating the effort to monitor networks and applications for a greater understanding of risky behavior is a giant step toward detecting early indicators of compromise and strengthening the weak links in your security practice. We recommend an assessment of the often overlooked, non-standard variety of electronic data carriers that fall into the category of the "Internet of Things": medical device endpoints, video surveillance systems, x-ray machines and call contact systems. These must be treated as part of the entire electronic ecosystem to achieve a greater degree of data protection. They carry patient health information (PHI) and even intellectual business property, and are largely unprotected by traditional intrusion detection solutions. While often perceived as immune to breaches, they represent readily available ports of entry for an attacker.
A unified approach to end-user education and monitoring for early breach detection that fosters risk mitigation requires tight coordination between privacy and IT security. The challenge is how. Functional groups are often siloed and share very little information with each other. This becomes a major issue in the event of a breach, as neither side can understand the full spectrum of the threat without the other's data. Let's take a look at a couple of examples.
We are inundated today with concerns about insider threats. An individual's actions may look legitimate, but when correlated with other activities, a malicious intent may be underway. A workstation that has always accessed clinical or other patient information would look anomalous and raise suspicion if it suddenly exhibited a steady increase in traffic, correlated with communication to an unauthorized or new IP address. The same example could apply to an external threat, with a malicious actor using social engineering methods to entice an unwitting user to download malware. Once inside the network, the malware operator can move laterally, gaining credentialed access to neighboring devices to establish a foothold for data exfiltration that damages reputation and drains resources to remediate. Regardless of the point of entry, a breach has occurred. The IT security department may discover this situation, investigate and handle it, and move on to the next task. But without visibility into user behavior correlated with data flows across the entire institution, how would the compliance and privacy department learn about a possible data leakage and take the necessary steps to investigate and validate such a threat?
On the flip side, the compliance department is the only group authorized to see private and sensitive patient data, so there are very strong access controls protecting that information. But the compliance department doesn't have the training or tools to detect atypical or anomalous system activity. While the IT security department should not have access to privacy data, certain data can be summarized and presented to IT security without disclosing sensitive information. Specifically, system data, such as the total number of accesses by host or by role on a machine, won't disclose patient records or clinical data but could indicate a malicious threat and trigger an investigation.
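The two scenarios above, as an added, runnable illustration (this is example code written for this post, not a Hexis product or anything from the original article): a small correlation routine flags a workstation whose daily egress keeps climbing and that starts talking to a destination outside its baseline, and a separate routine reduces EHR audit records to per-host and per-role counts so the privacy office can share them with IT security without exposing PHI. The host names, roles, IP addresses, the "authorized destination" allowlist and the growth threshold are all constructed assumptions for the demonstration.

```python
"""Correlate workstation egress with a PHI-free summary of EHR access.

Added example for this post; every record below is constructed sample data
and every threshold is an assumption, not a recommendation from the article.
"""
from collections import Counter, defaultdict
from statistics import mean

# Constructed daily flow records: (host, day, bytes_out, destination_ip).
# ws-oncology-07 ramps up its traffic and begins contacting an external
# address on day 5; ws-radiology-02 behaves normally throughout.
FLOWS = [
    ("ws-oncology-07", 1, 40_000, "10.0.5.20"),
    ("ws-oncology-07", 2, 42_000, "10.0.5.20"),
    ("ws-oncology-07", 3, 41_000, "10.0.5.20"),
    ("ws-oncology-07", 4, 90_000, "10.0.5.20"),
    ("ws-oncology-07", 5, 180_000, "203.0.113.45"),
    ("ws-oncology-07", 6, 350_000, "203.0.113.45"),
    ("ws-radiology-02", 1, 30_000, "10.0.5.20"),
    ("ws-radiology-02", 2, 31_000, "10.0.5.20"),
    ("ws-radiology-02", 3, 29_000, "10.0.5.20"),
    ("ws-radiology-02", 4, 32_000, "10.0.5.20"),
    ("ws-radiology-02", 5, 30_000, "10.0.5.20"),
    ("ws-radiology-02", 6, 33_000, "10.0.5.20"),
]

# Constructed EHR audit records: (host, user, role, patient_id).
# The patient_id and user columns are PHI and must never leave the privacy office.
AUDIT = [
    ("ws-oncology-07", "jdoe", "nurse", "P-1001"),
    ("ws-oncology-07", "jdoe", "nurse", "P-1002"),
    ("ws-oncology-07", "jdoe", "nurse", "P-1003"),
    ("ws-oncology-07", "jdoe", "nurse", "P-1004"),
    ("ws-oncology-07", "jdoe", "nurse", "P-1005"),
    ("ws-radiology-02", "asmith", "physician", "P-2001"),
    ("ws-radiology-02", "bjones", "billing", "P-2002"),
]

# Assumed allowlist: the one address (say, the EHR server) workstations may talk to.
AUTHORIZED_DESTINATIONS = {"10.0.5.20"}


def flag_anomalous_hosts(flows, authorized, window=3, growth=2.0):
    """Return hosts whose egress rises every day over the last `window` days,
    ends above `growth` times the earlier baseline, and includes a destination
    that is neither authorized nor seen during the baseline period."""
    by_host = defaultdict(list)
    for host, day, nbytes, dst in flows:
        by_host[host].append((day, nbytes, dst))

    findings = {}
    for host, recs in by_host.items():
        recs.sort()                      # chronological order
        if len(recs) <= window:
            continue                     # not enough history for a baseline
        base, recent = recs[:-window], recs[-window:]
        baseline = mean(nbytes for _, nbytes, _ in base)
        climbing = all(recent[i][1] > recent[i - 1][1] for i in range(1, window))
        spike = recent[-1][1] > growth * baseline
        known = {dst for _, _, dst in base} | authorized
        new_dsts = sorted({dst for _, _, dst in recent if dst not in known})
        if climbing and spike and new_dsts:
            findings[host] = {
                "baseline_bytes": baseline,
                "latest_bytes": recent[-1][1],
                "new_destinations": new_dsts,
            }
    return findings


def summarize_access(audit):
    """Aggregate audit records into counts by host and by role only.
    User names and patient identifiers are dropped, so the result is safe to
    hand to IT security."""
    by_host = Counter(host for host, _, _, _ in audit)
    by_role = Counter(role for _, _, role, _ in audit)
    return {"by_host": dict(by_host), "by_role": dict(by_role)}


def joint_report(flows, audit, authorized):
    """Join the network findings with the PHI-free access counts per host, which
    is the view neither department can build on its own."""
    anomalies = flag_anomalous_hosts(flows, authorized)
    summary = summarize_access(audit)
    return {
        host: {**info, "ehr_accesses": summary["by_host"].get(host, 0)}
        for host, info in anomalies.items()
    }


if __name__ == "__main__":
    for host, info in joint_report(FLOWS, AUDIT, AUTHORIZED_DESTINATIONS).items():
        print(host, info)
```

With the sample data, only ws-oncology-07 is reported: its egress climbs from a baseline of about 41 KB/day to 350 KB/day while contacting 203.0.113.45, and the joined view shows it also made five EHR accesses, without revealing which patients or which user. In practice the baseline window and growth factor would be tuned per device class, and the flow data would come from the switches, proxies and firewalls named later in the post.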
It cuts both ways. For either side of the organization, limited data visibility and collaboration hamper the ability to identify a breach and, in turn, limit losses.
Whether a breach is caused by an employee's actions or by a targeted attack from outside the organization, the goal is to find and stop it as quickly as possible to minimize damage. Limited budgets and competing priorities, often and rightfully placed on patient care, prevent the funding for and attention to hiring the necessary resources and implementing the most current technologies to bolster the healthcare data security posture. Despite these constraints, with strong technology leadership and best practices in place, healthcare organizations can mitigate breaches and minimize the consequences.
The same Ponemon report finds that the top three factors that decrease the cost of a breach include: having a CISO with overall responsibility for enterprise data protection, a strong security posture and an incident response plan. Below are a few recommendations to help healthcare organizations make inroads on these fronts.
A CISO with overall responsibility for enterprise data protection. Successfully bridging the gap between IT security and privacy/compliance is predicated on having support from the highest levels within the organization. An innovative C-level IT security executive who understands the challenges and appreciates the value that comes from an enterprise-wide approach to protecting data must be at the helm. The most effective CISOs are able to collaborate across the organization, aligning technology with business objectives to ensure risk tolerances are met while supporting business imperatives. They also understand the necessary action to take should a breach occur, including involving the appropriate parties to protect the organization and patients. And they know how to leverage technology to optimize resources while accomplishing the mission.
A strong security posture. With limited resources, healthcare organizations need to be savvy about technology investments. They need solutions that satisfy requirements now but can also carry them into the future. IT security teams should ask technology vendors the following questions:
- What types of data can you integrate with? Healthcare companies need to collect data from a large variety of sources including off-the-shelf and custom applications. Such sources could include medical device endpoints, patient health record systems, infrastructure devices (switches, routers, firewalls, VPN concentrators, proxy servers, etc.), servers and desktops, application access logs and physical security data (badge access records). They also need to be able to add more sources easily over time.
- Do you have big data retention capability? In the healthcare industry, regulations can require storing data for up to 10 years. Organizations need storage infrastructure that can support collection and analysis of increasingly large data sets over long time frames. Traditional relational database technologies can be a poor match for storing and querying massive volumes of unstructured or semi-structured time series event data.
- Do you offer strong correlation capabilities across disparate data types for audits and investigations? Stitching together a scenario for investigation takes time and money and is error-prone. Access to data in a single place, with appropriate access controls per user, is essential for an enterprise-wide threat prevention approach. The ability to automatically analyze relevant data from patient systems and IT systems to identify anomalous patterns that could indicate malicious activity increases effectiveness.
An incident response plan. The Verizon 2013 Data Breach Investigations Report found that in 22 percent of the incidents investigated, it took months to contain the breach. Security events happen, yet many organizations don’t have an incident response plan in place with a designated team and documented processes and policies for education and alerting. With fines that mount as breaches progress, technology solutions with an alerting mechanism that ties into a well-implemented incident response process will help expedite investigation and threat remediation and minimize risk.
Healthcare organizations face cyber threats daily, and the need to protect highly sensitive patient data is more critical now than ever before. Government fines are skyrocketing, and for many healthcare organizations the enduring collateral damage is a cost they can ill afford. With a better understanding of the key ways to lower the cost of a breach, healthcare organizations can bridge the gap between the privacy office and the enterprise security department for a faster, more accurate and more cost-effective approach to data protection.
Kim Lennan serves as director of healthcare markets for Hexis Cyber Solutions, which provides complete cybersecurity solutions for commercial companies, government agencies and the intelligence community.