3 best practices in healthcare IT security: How Group Health Cooperative does it

The one thing we learned for sure in 2015 was that healthcare has become a target for hackers across the globe. Over 100 million healthcare records were compromised in data breaches in 2015 and research firm IDC predicts that 1 in 3 individuals will have their healthcare records compromised in 2016. According to John Halamka, CIO of Beth Israel Deaconess in Boston, 2015 has been filled with denial of service attacks, hard-to-detect malware, and a skyrocketing number of personal internet connected devices at the same time that HIPAA enforcement has expanded. 

An important feature of these attacks on healthcare is the apparent involvement of overseas actors, including nation-states. Nigeria and the Baltic States are  well-known sources of phishing attacks for profit. State-sponsored actors from the far-east are now said to be targeting healthcare records. A recent episode on the 60 Minutes TV show reported on industrial espionage on a staggering scale involving the Chinese government. If the report is to be believed, the Chinese are stealing valuable intellectual property, spying on competitors, and hacking into government servers.

Why healthcare? Why now?

One reason for the increase in attacks on healthcare is that as other sectors such as retail and financial services have become more sophisticated with IT security processes and tools as well as the value of credit card data going down.  As a result, the hackers have turned their attention to “softer” targets with more valuable data such as healthcare as the logical next step. Within healthcare, payers have been hit more than providers. As opposed to gathering fragmented data from individual hospitals, hackers choose to target Payers because of the opportunity to gain access to state-level population medical records, or even more. In other words, a better return on risks and effort involved.

First, the good news – IT security budgets are increasing across the board. With most of the Meaningful Use (MU) work and ICD 10 preparedness out of the way, this one big CEO-level issue is getting more funding. And when there is funding available, there is a tendency to throw money at technology and tools. However, the question is whether additional funding will by itself solve the fundamental issues of information security in healthcare.

Chris Grant, Chief Information Security Officer at Seattle-based Group Health Cooperative (GHC), a non-profit health system that serves nearly 600,000 members, believes that “It’s not just about technology tools. You can’t buy your way out of trouble on this.”

Best practices from GHC

Grant has taken an approach to combat IT security threats that provide insights into best practices that are emerging in healthcare IT security practices.

— Process vs. Tools: At GHC, Grant constantly prioritizes between process and tools – in layman’s terms, between firefighting and “building code” upgrades. His team focuses on understanding incidents, early containment, and automation at the incident response level. Using a number of detection and monitoring tools, the GHC team identifies risks and focuses on remediation areas. Vulnerability scans combined with penetration tests designed to identify specific sets of vulnerabilities, and tools such as Splunk, a technology that records and analyzes system logs, enable reuse of the data for improved security results.

— Analytics: Another best practice is the use of analytics for correlations and geo-locational hot spotting. We have all experienced alerts from Google whenever we try to log into Gmail from an overseas location. At GHC, they have taken it a step further to develop correlations between log-ins from multiple locations and have created a scoring system that manages validations and exclusions based on the location disparities for the user at the time, answering potential questions like, “How can Scott be accessing his account from Florida and England at the same time?”

— Data Privacy: This is an issue that is closely related to IT security, especially in healthcare. Health systems are required to monitor access to EMR data as a part of MU requirements. Grant and his team have built a production application and framework on the Splunk platform that uses a set of medical record access scenarios to identify potential privacy violations and triage them using a weighted score model for GHC’s privacy team to take further action.

Existing and new challenges

IT environments in healthcare tend to be outdated and the top priority for most CISO’s is the protection of the legacy environment. Organizations need to be really good at firefighting, quickly, and can take time to towards upgrading the “building codes” – identifying and remediating system vulnerabilities and configuration issues. Penetration tests, according to Grant, and other traditional IT security practices tend to be reactive to security incidents with limited ability to identify key aspects of an attack by hackers. The focus of healthcare IT security functions, like other verticals with critical data to protect, should be the lateral movement, or system to system movement, of a would be cybercriminal set on finding and exfiltrating data.

The governance model in health systems is also changing, with IT security increasingly considered a risk function and not a technology function – albeit with a strong appreciation of technology and an ability to work in tandem with CIO organizations. The talent shortage for IT security pros will make such collaborations – with internal as well as external partners – key to success.

At the same time, as enterprise IT interacts more with external systems, including cloud-based vendor platforms and the proliferation of connected medical devices and the Internet of Things (IoT), the mandate for IT security will expand to address new vulnerabilities. The Medtech industry, in particular, seems unaware of the enormity of the risks that their devices can cause for the rest of the healthcare system. In some ways, healthcare IT security may soon need to be called IoT security.

IT security is now a national security issue, in many ways. With the heightened focus on Healthcare data, best practices are emerging that will ensure that our data and our healthcare system is well protected.