'The Trouble with Tribbles': surprising places ePHI lurks, and how to protect it

What can Star Trek teach us about cybersecurity?
By Aaron Miri
10:30 AM

One of my all-time favorite Star Trek original series episodes is entitled "The Trouble with Tribbles." In this episode, Captain Kirk urgently races to a space station that's in distress. Once at the space station, he and the crew of the starship USS Enterprise encounter small furry creatures that purr and resemble something between a small cat and a cute guinea pig that are called Tribbles. Once these creatures are brought onto the Enterprise, they start immediately reproducing into litters of Tribbles and threaten to overwhelm the Enterprise and the crew.

In much the same way that the cute and cuddly Tribbles start to overtake the USS Enterprise, so too have devices with ePHI overtaken and in some cases overwhelmed the hospital and healthcare technology ecosystems. The truly hard part is not simply containing the obvious devices and applications that store and transmit ePHI such as servers, computers, interface engines or electronic medical records. The real challenge are standalone devices, sometimes decades old, that unbeknownst to the users store and transmit ePHI. So where all can we look for these devices and how can we get in front of them so that they don't threaten your starship?

First, it is critically important to conduct an ePHI data landscape analysis and document where and how ePhi data moves throughout your network. It is amazing how many times a network subnet or route takes a "hop" that is unaccounted for and could find its way to a device. For example, unassuming multi-function devices that users perceive to simply be photocopier / fax / printers can connect to your corporate network and can store documents on a network shared drive or email users on your behalf.

Additionally, those multifunction devices can contain hard drives and copies of the print jobs or fax jobs that it has completed. One large health plan recently was penalized by the Office of Civil Rights to the tune of over one million dollars because the leased copy machines they returned contained hard drives that were unencrypted and had the ePHI information for over 300,000 individual's stored on them.

Next, look for devices that do not connect to your corporate network but actually store and forward ePHI. There are a number of clinical modalities (hearing test machines, radiology systems, cardiology systems, etc.) that are considered clinical devices but connect to a standalone PC or laptop via a serial cable or some sort of connection from the instrument to the computer. An easy rule of thought is; if it has a hard drive on it then encrypt it!

One of the most annoying tribbles that seems to have infiltrated organizations is the ever present 1980's style pager. Even more annoying is the fact that these pesky devices won't go away in the industry, much less that they can easily store hundreds of alpha numeric messages that surely could contain ePHI. If your organization has them, make sure that they are encrypted or better yet get rid of them for a smart clinical communication application that can take its place. There are a number of leading vendors out there that have clinical applications designed for the modern healthcare worker that take into account ePHI data storage and transmission.

In the same sentence of a pager is the issue of healthcare workers texting each other patient information on their personal devices. While it's difficult to try and curtail behavior that occurs on a device completely out of the control of the organization, there must be thorough education, policy, and user attestation efforts to educate your healthcare worker population on why this must not occur. Convenience simply does not take precedence on what could be a major risk and issue for ePHI.

Additionally, another legacy device that must be addressed is the standalone fax machine. Some fax machines have hard drives and can store the fax cover sheets for easy reprinting. If ePHI can be stored on those fax machines that could constitute a risk that needs to be addressed and mitigated.

Another pesky tribble are automated batch and FTP jobs that "put" files onto network shares or distribution points for organizations to share information among each other. Make sure that these FTP jobs are secure and do not use network account credentials that are generic in nature or easy to guess. It's amazing how many of these jobs are setup by vendors when an application is initially installed, but are left on autopilot for years without audit.

Lastly, work closely with your purchasing and finance departments to put controls into place that any electronic item coming into an organization is reviewed and has a proper ePHI risk assessment completed on it to ensure that there are appropriate ePHI controls in place. Beyond technology, it is the organizational culture that must be primed to understand the risks of ePHI proliferation and ensure all of the dimensions are addressed. Too often a tribble can quickly be introduced into an organization because it's the new cute and fuzzy creature that is admired and wanted by all.

Captain Kirk ultimately saved the Enterprise by finding every single tribble and getting them off of the USS Enterprise. While that may not necessarily need to be the course of action for every tribble in your organization; you must try your absolute best to identify and remediate the risks before you suddenly realize one day that your starship has been overrun by what everyone assumed were cute and fuzzy innocent looking creatures.