12 Tips for Responding to Rising Healthcare IT Security Threats

Everyone knows healthcare IT security is difficult. Not everyone knows how to make it easier. The recent Privacy & Security Forum, hosted by HIMSS Media and Healthcare IT News, aimed to change that by offering practical steps that healthcare organizations can take to avoid the negligent risks that lead to hacks, breaches, negative publicity and fines. These 12 tips will help HIPAA-covered entities and business associates – be they payers, providers, vendors or subcontractors – react and respond to an evolving threat landscape. Meanwhile, the event’s session on how Boston Children’s Hospital hit back at Anonymous offered organizations a firsthand account of responding to all-too-common attacks and provided some suggestions for trying to get ahead of hackers. 

HIPAA compliance audits are coming, though the Department of Health and Human Services’ Office for Civil Rights hasn’t said when or how many. Linda Sanches, OCR’s senior advisor for health information privacy, did say the agency will do about 200 “desk audits” as well as “a large number of on-site audits,” adding that HIPAA business associates will be audited in addition to HIPAA covered entities. With timelines in doubt, Sanches says, “This is a good time to get your house in order.” Conduct a risk assessment (more on that later), get to know your business associates, encrypt devices and stay abreast of threats. “You can certainly make [an audit] easier if you’re actually in compliance.”

Healthcare CISOs are hard to come by, in part because of the industry’s longstanding security struggles. The omnipresent internal vs. external talent debate hinges on whether organizations desire business or security acumen, respectively.

To look within, John Pritchard, IS director at St. Charles Health System, encourages finding “gems on your team.” Those who show interest in information security get a copy of The Cuckoo’s Egg; if they like it, Pritchard continues the conversation. (Appropriate leadership training can follow.)

To look externally, eschew the beaten path. Consider veterans (recommends Heather Roszkowski, CISO of Fletcher Allen Health Care) or college students studying cybersecurity (says Ken Patterson, CISO of Harvard Pilgrim Health Care), as industry experience hasn’t hardened either.

Meaningful use stage 1, in conjunction with the HIPAA Security Rule, requires this. Stage 2 adds encryption and data confidentiality – but don’t forget data integrity and availability, says Adam Kehler with Quality Insights of Pennsylvania.

Beyond simple compliance (more on that later), consider a security risk audit. Beth Israel Deaconess Medical Center did this following 2013’s Boston Marathon bombings. CIO Dr. John Halamka says this offered lessons in identity management, event logging and monitoring, governance, user awareness training and cloud security (namely, getting providers to sign business associate agreements). Looking at workstreams is key, Halamka says. This includes data ownership, asset management, endpoint security and “enterprise resilience,” or the strength of business continuity and disaster recovery plans.

On new technology, that is. Jim Routh, CISO of Aetna, takes a portfolio management approach, investing in emerging tech before it’s mature (and, therefore, expensive). His new network intrusion detection tool, for example, cost 4 percent as much as his original tech, leaving more than enough to invest in micro-virtualization and whitelisting tools. Another “risky” investment helps the insurer sniff out rouge apps pretending to be Aetna apps. When evaluating the firms behind emerging products, focus more on tech talent and less on financial results, Routh says. Another perk of new security technology: It covers the so-called SMAC stack – social, mobile, analytics and cloud – better than conventional controls.

Compliance doesn’t foment change, says CynergisTek CEO Mac McMillan. Fines and public embarrassment do. HIPAA, PCI and NIST all articulate security standards, but even collectively they don’t address all aspects of robust risk management. Sean P. Murphy, vice president of Leidos Health, offers an example: You may encrypt data and think you’re done, as you’re now compliant, but the bigger question is whether you need that data in the first place. Fletcher Allen’s Roszkowski puts it succinctly: “I’m not going to wait until somebody tells me to do something if I think it’s the right thing to do.”

[ Analysis: Healthcare Organizations Still Too Lax on Security ]

For healthcare, BYOD presents several operational challenges, from cameras to prohibited devices to application layer access. As in other industries, users as opposed to IT departments drive this movement, seeing a potential to improve productivity. Michael Boyd, CISO at Providence Health & Services, sets this baseline: If the device or the data on it can’t be encrypted, then it can’t connect to the network. Don’t chase devices, McMillan says. You’ll catch the ones you know but miss the ones you don’t know. Instead, control data: “If data’s never on the perimeter, you don’t have to worry about the perimeter.” When in doubt, examine the risk profile: What safeguards do you need, and where must you draw the line?

Get IT and clinical representation on your buying team; both departments have different needs and considerations. Ask employees if they like the process of buying a car, says Steven Fox, principal at Post & Schell; if not, don’t put them on the team. IT executives should offer advice but not make the final decision, he adds. That way, the team can go back to them, privately, during negotiation.

Before signing a contract, hammer out software licensing (on-site vs. SaaS), acceptance testing, warranties, confidentiality, limitations of liability and dispute resolution. Don’t let vendors use de-identified patient data for any purpose unless they truly understand HIPAA compliance, recommends Daniel Schroeder, partner-in-charge of information assurance services at Habif, Arogeti & Wynne.

FBI Special Agent Carmine Nigro lists pending layoffs, job dissatisfaction and the resale value of medical data among an insider’s motivation to improperly access sensitive information. (Panelists cite employees, medical students, business associates and contractors – remember the Target breach? – as insiders.) The “see something, say something” policing mantra works well here. Look for anyone encrypting emails sent to private accounts or trying to access remote networks after termination or contract expiration. Laptop encryption is a must, says Anahi Santiago, CISO at Einstein Healthcare Network, as it prevent accidental as well as intentional data theft. To deter snooping into records, Santiago recommends the “public flogging” of anyone who’s caught, adding, “Everyone knows we’re looking.”

“Hidden pitfalls” pervade healthcare organizations, says Fernando Martinez, senior vice president and CIO of Parkland Health & Hospital System. Nearly everything poses a latent risk, he suggests:

• Cloud storage (access rights)
• Distributed data (all too easily shared)
• Identity management (easily cracked passwords)
• Social engineering (human nature)
• BYOD (including flash drives)
• Medical devices (potential exploit vectors, especially at your business associates
• Data breach fatigue (unavoidability begets complacency)

To combat latent risks, Martinez recommends cyber insurance, data abstraction layers, anomalous activity detection, event logging and hands-on education efforts such as simulated phishing attacks. These steps won’t fix healthcare IT security outright, but they will bring these problems out of the darkness and into the light.

Hospitals use social media to connect with patients; hospital employees use social media to, well, socialize. Drafting healthcare social media policies, then, must be an explicit and inclusive process, says David Harlow, principal at The Harlow Group. He suggests the following:

• Limit the number of “official” spokespeople allowed to access branded accounts.
• Since triangulation can uncover anonymization, obtain permissions from anyone appearing in photos or posts.
• Set up “break room” computers (on a separate network) so employees can safely access personal social media accounts.
• Avoid strict restrictions on employees’ personal posts; the NLRB protects certain types of speech.
• Don’t assume people can connect dots. When in doubt, spell it out.
• Above all, include social media in your overall risk analysis.

Headlines can drive security initiatives (think Community Health Systems), but “what you read in the papers is just the tip of the iceberg,” says Phil Alexander, CISO at University Medical Center. Put another way, organizations must look ahead instead of fighting the war they just fought, says Fletcher Allen’s Roszkowski, who spent 11 years in the Army.

What’s more, many threats go undiscovered for months or even years. That’s because cybercriminals have grown “incredibly sophisticated,” says Esmond Kane, deputy CISO for Partners Healthcare, both in how they access information (“drive-by attacks”) and what they do with it (black market sales). If there’s any consolation, CynergisTek’s McMillan says, it’s that today’s criminals target everyone. It’s nothing personal.

Security-wise, healthcare aims to do in five years what financial services did in 25 years, says Nathan Russ, director for the East Region of Symantec’s U.S. Healthcare Industry. With targeted attacks hitting healthcare hard, now’s a “critical time” to improve security. Russ offers practical recommendations:

• Asset inventory
• Patch management
• Virtual server security
• Endpoint security
• Compensating controls such as firewalls and sandboxes
• Managed security services
• Cloud use for high-volume functions
• Exact data matching for patient records
• Multifactor authentication for patient portal users
• Compliance exercises as barometer for security budgeting

Bottom line? “Assume that every network is under attack all the time.”