By Carl Kunkleman, senior vice president and co-founder, ClearDATA.
Carl Kunkleman
Working in the world of healthcare security and compliance, I find one of the biggest dangers organizations face is having a false sense of security that their PHI is adequately protected. I’ve done hundreds of security risk assessments, and I have yet to find one single organization that did not have a security gap they were unaware they had in one or more of their administrative, technical or physical safeguards.
Add to this, the complicated current state of healthcare battling COVID-19, and we are likely to see administrative systems that have gaps in off-boarding or off-boarding employees, technical infrastructures that didn’t have time or resources for patch management, and physical scenarios in makeshift triage units with compromised physical safeguards that simply cannot be addressed in the current haste to stop the spread of the virus.
Sadly, this sense of chaos creates the ideal conditions for the hackers of the world looking to infiltrate via phishing, malware and ransomware and more. Once this spread is arrested and we all get a moment to catch our breath and assess business practices, a good move would be to conduct a security risk assessment known as an SRA. Your internal teams and resources are stressed, overworked and possibly burned out and an SRA can identify security gaps that will inevitably arise and present an actionable plan to remediate. This will help reduce risks while protecting your organization’s finances and reputation while we all find out what “getting back to normal” will mean.
Right now, we are all doing everything we can. And the Department of Health and Human Services recognized that with their decision last week to waive penalties for providers that are serving patients through everyday communications technologies during the COVID-19 public health emergency. A security risk assessment this summer will help you put the compliance health of your organization back in order. In addition to the HIPAA requirement that you have an SRA on file annually, it helps unite your team in a strategic path forward by articulating what your highest and lowest risks are, before a hacker uncovers them.
Because an SRA covers administrative, technical and security safeguards, your entire organization will benefit from the process. I continue to find organizations who think their PHI is protected because they have password protected their computers and mobile devices. Our penetration testing has revealed that passwords are relatively easy to defeat. We continue to find gaps in encryption, patch management and even with PHI inventories. If you don’t know where all of your PHI resides, how can you protect it?
With the healthcare sector a top target of hackers, cybersecurity and privacy are of paramount concern—so much so that HIMSS20 has dedicated an entire track to the topic. According to its description, “Every organization must respect and maintain the privacy and security of patient information, no matter how small or large and no matter where they are located.”
While cybersecurity is clearly a primary area of focus, the frequency of attacks on healthcare institutions is on the rise—the HIPAA Journal found that the equivalent of 50% of the U.S. population has been affected by data breaches over the past decade. While there are several reasons healthcare institutions continue to fall prey to attacks, one of the most common ones may surprise you: employee password reuse and password sharing.
Risk Rises with Password Reuse
Most healthcare workers know better than to reuse passwords across multiple sites and applications. Still, this security best practice is often overlooked in the name of convenience and the urgency associated with providing high-quality care. However, password reuse puts the entire organization at risk when an unrelated third party is breached, as cybercriminals can easily obtain breached or leaked credentials via the Dark Web and use them against other online accounts or systems.
With breaches occurring on a daily basis, hackers can select from an unlimited supply of newly compromised passwords. If even just a handful of your employees reuse passwords across applications and accounts, it won’t be long before hackers leverage this password faux-pas for their own advantage. And if your organization is anything like the average company, it’s likely that password reuse is also pervasive. According to Google, at least 65% of people use the same password for multiple, if not all, sites and systems.
Password Sharing Increases Vulnerabilities
When every second counts in administering critical care, the last thing hospital staff have time for is issues with login. For this reason, many healthcare workers will share credentials, with 74% of respondents in one study admitting they had obtained a colleague’s password. The researchers state, “Apart from…large-scale mistakes and malicious acts… one of the most common breaches of PHI is the use of another’s credentials to access patient information, i.e., the use of the EMR password of one medical staff member by another.”
It’s easy to understand why healthcare workers would default to this practice, but it’s equally easy to visualize how password sharing substantially increases security vulnerabilities.
With threats inherent in everything from:
How the password is initially shared (i.e. is it stored in multiple email accounts?)
What else individual staff members may use it for (e. is it being reused for other work and/or personal accounts?)
What is the staff turnover (e. what happens if a disgruntled former employee can still access company systems?)
It’s evident that hospitals cannot afford the risks associated with password sharing.
By Ilia Sotnikov, vice president of product management, Netwrix.
On February 21, UConn Health reported that personally identifiable information (PII) from 326,000 patients was compromised. A malicious third party illegally gained access to several employee email accounts that contained patient names, dates of birth, Social Security numbers, addresses, and limited medical information, such as billing and appointment information.
What is most important about this data breach is that the hackers were not necessarily looking for patient medical records — they seem to have been looking for any personal information they could steal. That vividly illustrates the importance of having stringent policies to protect PII, supported by employee training on best security practices. Specifically, there are three lessons to learn from this event if you want to mitigate your risk of suffering a similar breach.
Lesson #1. Classify your sensitive data
The 2018 Netwrix IT Risks Report shows that healthcare organizations generally lack proper data governance practices and rarely check what data they store and how sensitive it is. The majority of respondents classify data based on its sensitivity (61 percent) and clear up unnecessary data (67 percent) only once a year or even less often.
It’s estimated that by 2020, each person will generate 1.7 MB of data every second. However, not all of that data needs special protection. Therefore, an effective strategy is to develop a data classification policy to discover all the data you have and classify it according to your organization’s needs. That way, you can prioritize your security efforts on the data that deserves it the most. At the same time, you can eliminate duplicate and unneeded files, which will reduce your attack surface area and lower your storage and backup costs.
I hope healthcare organizations delivered lots of TUMS and Advil to their beleaguered cybersecurity teams as a holiday bonus in 2018 – and maybe even a masseuse! With an overload of alerts, attacks and system compromises, it’s safe to say that working in a security operations center (SOC) can take both a mental and physical toll:
From 2010 to 2017, nearly 2,150 breaches involving more than 176 million patient records were reported to the Office of Civil Rights at the U.S. Department of Health and Human Services, according to a study published by the Journal of the American Medical Association (JAMA). During this period, the total number of breaches increased every year (except for 2015), with 199 reported in 2010 and 344 reported in 2017.
Guest post by Joseph Schorr, director of advanced security solutions, Bomgar.
Moving into 2016, healthcare organizations will continue to be one of the most attractive targets for hackers. Last year, attacks against healthcare organizations were up 125 percent from 2010 and cost the industry $6 billion, according to the Ponemon Institute.
As illustrated in the Anthem and Excellus Blue Cross Blue Shield data breaches, hackers are moving beyond phishing attacks and random malware drops, and adopting methods that are more sophisticated. By leveraging third-party access and privileged account credentials (such as those held by IT security professionals, IT managers and database administrators) to exploit IT systems, hackers can gain an unrestricted and unmonitored attack foothold on the network. Once they have this foothold, they are remaining inside the victim’s environment for an incredible span of time – on average more than 200 days.
With this trend continuing, healthcare organizations can expect to see an uptick in these types of attacks within the industry. To combat this rise, healthcare organizations will need to focus on shoring up IT security around vendors and other third parties in the year ahead. The following are areas where they can concentrate attention to aid in this effort:
Reevaluate the legacy
In particular, third parties such as vendors are particularly juicy targets because they often use VPN and other legacy access methods to access systems. Examining and implementing more secure, sophisticated remote access and privileged access solutions is a good place to start strengthening IT security for the new year.
It’s a common misconception that a VPN guide is a secure way to provide third-party vendors with network access. The problem lies in that an organization cannot ensure that third-party vendors’ security policies and practices are as strenuous as internal practices. If a criminal compromises a valid VPN connection, they have an open tunnel to an organization’s network and the sensitive data within.
Be in control
For too many healthcare organizations, vendors have more access than they need or their access can’t be monitored or restricted. It’s a scary question: Does your IT department know who their privileged users are and what level of IT permissions they have? If not, taking stock of those users, the systems to which they need access, and when they must access them is a critical undertaking for 2016. Following that, the organization can set access parameters that allow those privileged users to be productive and gain access to tools, data and systems they need to do their jobs, while limiting risk. Proactively controlling and monitoring access to critical systems can help tighten IT security within healthcare organizations.
Data breaches and HIPAA violations became common, almost daily, news in 2015, exposing sensitive client information with devastating results. Understanding HIPAA compliance will be critical in 2016, especially since the Office for Civil Rights (OCR) will begin a new round of HIPAA audits.
In spite of record spending on firewalls, anti-virus software, malware detectors and the widget of the day, healthcare organizations keep getting hacked because the focus is in the wrong place. Here are three trends taking presence in 2016 that can help any organization fight the good fight against cyberattacks.
Buying Technology Alone is a Security Strategy That Does Not Work
Healthcare is under constant pressure to safeguard assets, however too many firms focus on security for HIPAA compliancy and then call it a day. Compliance is a legal necessity, but organizations expose themselves to cyberattack when use technology as a crutch. Many organizations will need to look at their operations as a critical network and seek ways to defend it.
A majority of breaches are from data that has been stolen, via record removal, virtually and physically. We see the trend in 2016 shifting from technology to people if healthcare organizations are going to defeat hackers.
Focus on the Human Element
Examine the largest data breaches of 2015. Technology did not protect the vast majority of these companies. In each case, data was breached due to hackers successfully exploiting humans.
The proliferation of mobile devices in healthcare like smartphones and tablets have also made the human element even more vulnerable because this area of security is often overlooked and is, in fact, the weakest link.
Technology is only as good as the people who use it and is merely a tool in the fight against cybercrime. Technology alone cannot fully protect an organization’s data, networks, or interests. This is a trend in 2016 and beyond that must be recognized if organization hope to safeguard patient records.
Guest post by Stephen Cobb, senior security researcher, ESET.
HIPAA’s privacy and security rules are often labeled as being burdensome and restrictive. The rules are increasingly criticized as ineffective and people wonder how an organization can be HIPAA compliant and still suffer a breach of protected health information.
A medical approach to answering that question might be to think about infection prevention and control. Infection control protocols exist to prevent the spread of infectious diseases. However, a patient can get infected at a hospital or clinic that has such protocols in place. The reasons for such anomalies include lapses in conformance to the protocol and inappropriate protocol relative to potential infection vectors.
Such language maps closely to the demands of healthcare data protection, which could be described as the prevention and control of unauthorized access to protected health information. Clearly there is a need for healthcare organizations and their employees to fully comply with “policies and procedures that are appropriate to the threats.” Getting people to comply requires organizational commitment from the top down, backed by the adequate equipping and educating of staff at all levels.
But what if those policies and procedures are not appropriate to the threats? What if the infection vectors are different from those you trained to defend against, or the threat agent more virulent than you supposed? That’s where a lot of health data security breaches occur, in that gap between established practices and emerging threats. The difference between being “HIPAA compliant” and “secure” often comes down to underestimating threats. Continue Reading
Guest post by Michelle Blackmer, director of marketing, Healthcare, Informatica.
The volume of protected health information (PHI) in electronic form is exploding – both from the wholesale move from paper charts to electronic health records for capturing clinical data and with the proliferation of new sources of electronic data from networked medical devices. Additionally, IT staff have been overwhelmed by regulatory mandates, rampant technology changes (e.g., virtualization, BYOD, big data), massive application projects and flat or decreasing budgets.
This increase in electronic PHI combined with the challenges for health systems IT make it even more important for providers and non-providers to find efficient ways to secure their data. However, with malicious activity showing a consistent upward trend, absent a change to an almost maniacal leadership focus on protecting patient data and the deployment of available tools and processes as an organizational imperative, 2014 will bring even more frequent and larger breaches of PHI.
Current data security climate
Even still, many healthcare organizations are not taking the necessary steps to reduce the proliferation of unprotected PHI in non-production test and development environments. Ninety-four percent of respondents to the third annual Ponemon Institute Benchmark Survey on Patient Privacy and Data Security had at least one data breach in the past two years, and 45 percent reported having had more than five total incidents each. Even more surprising is that the leading cause for a breach is a lost or stolen computing device that houses PHI. The survey also found that:
Unrestricted database administrator (DBA) access heightens risk: 73 percent of DBAs can view all data.
Data compromise/theft remains rampant: 50 percent of respondents say data has been compromised or stolen by a malicious insider such as a privileged user.
Organizations are under-coping:68 percent have difficulty restricting user access to sensitive data, 66 percent have difficulty complying with privacy/data protection regulations and 55 percent lack confidence that they would even detect data theft/loss from their own production environments.
On February 21, UConn Health reported that personally identifiable information (PII) from 326,000 patients was compromised. A malicious third party illegally gained access to several employee email accounts that contained patient names, dates of birth, Social Security numbers, addresses, and limited medical information, such as billing and appointment information.
