Sponsored: Enhancing security programs to handle today’s rising threats
Hacktivists, ransomware, nation-state attacks and espionage: the motivations of the attackers targeting healthcare today are entirely new and were never imagined a few years ago. These bad actors are smart, creative and have their sights set on healthcare. Kurt J. Long, CEO and founder of FairWarning, Robert Rost, IT operations director of defensive services, IT security at Banner Health, and Dave Summitt, director of cyber security operations at H. Lee Moffitt Cancer Center and Research Institute, shone a light on today's greatest threats to protected health information (PHI) and provided a game plan to help healthcare systems secure and protect their organizations during "Escalated Threats to PHI Require a New Approach to Privacy and Security," an educational event at the HIMSS Annual Conference in Las Vegas in March.
Long kicked off the session by describing how security threats to PHI have escalated over the past several years from the era of lost laptops and paper records in a dumpster to today's more sophisticated threats to PHI including identity theft, foreign national espionage and ransomware. "Hollywood Presbyterian was recently taken hostage and the servers were encrypted by hackers who then began the blackmail process," remarked Long, speaking just a few weeks after the case had made headlines across the country.
Such attacks are far removed from the security risks present just a few years ago. "With the bad guys, there are no rules," Long said. "The attacks we are talking about today, they were not even contemplated in 1996 [when HIPAA was introduced]."
In addition to dealing with these more sophisticated - and malicious - attacks, organizations need to cope with a growing number of breaches. As of November 2015, breaches had affected 119,959,229 patients, according to the Identity Theft Resource Center, a not-for-profit organization in San Diego.
The upshot of this increasingly precarious environment? Security strategies need to change. "The old security tactics no longer work," Long said. "The industry is still operating off a batch basis with its healthcare applications and many of its critical systems. But that's a little bit like having a home monitoring system, where at the end of the 24-hour period, you review the tape of what's happened. The bad news is you could be a day late and find yourself watching the people take your jewelry, your furniture, your watches out of the house. Starting now, I believe EHR vendors will increasingly compete on all aspects of information security including their ability to support real-time security monitoring."
Long concluded, "Every doctor, every nurse, anyone who touches an EHR has the potential to have their credentials compromised. The number one thing healthcare organizations can do to protect against breaches is to engage their workforce in security awareness training."
Reinventing security programs
Rost and Summitt agreed that change is necessary and offered recommendations drawn from working on the front lines at their provider organizations. Rost suggested that healthcare organizations continue with many current "blocking and tackling" strategies, governance, risk and compliance programs, and the use of encryption to safeguard PHI. However, he emphasized that it's important to go beyond these practices and reinvent security programs by:
- Changing investment strategies. "We need to stop overinvesting in the 'protect' control. The actors coming against us as an industry, they're well-funded, well-tooled, well-motivated and they'll bypass any protect controls we have. We need to invest in controls that are more focused on attacks and on instant response and instant management," Rost said.
- Refusing to buy disconnected products. "If products are not connected, they cannot communicate; if they cannot communicate, there's no opportunity to automate, orchestrate and coordinate," he said. "If that continues, the adversaries are going to continue coming into organizations."
- Biting off what can be chewed. "We cannot solve all of our problems at once," Rost said. "A better approach is to keep your eye on the elephant, but have a more manageable scope and address that scope to have incremental change."
- Cutting ties with uncooperative vendors. "Most organizations buy security products from multiple vendors, and essentially they are competitors," he said. "To be successful in protecting patient data, those vendors need to play nicely together to really have an integrated, orchestrated and unified platform to protect against attacks."
- Abolishing meaningless metrics. "Just because you can measure something doesn't mean you need to measure it," Rost emphasized. "If a metric doesn't create any value, why are you wasting your time on it? A better approach is to define what is meaningful to you to help you make better decisions to protect patient data and patient health."
- Addressing audit protocols. "You cannot ignore the Office of Civil Rights audit protocol," he said. "You need to use it to really say how is your HIPAA security program doing and how do you prepare it for an eventual audit."
- Acknowledging information technology's overall importance. "If you continue to isolate IT security risk, then basically what's going to happen is IT security is going to continue to be seen as only a technical problem, which it is not," Rost said.
Going above and beyond
Summitt also pointed out that it is important to go beyond established practices. For example, at H. Lee Moffitt, Summitt has enhanced security initiatives with training aimed at ensuring that users understand the connection between their online activities and security.
In addition, IT security staff is encouraged to routinely interact with end-users to keep security a top-of-mind issue. "Cyber-security staff need to engage with users. Don't let them sit in a cubicle all day long just looking at stuff. The more they engage, the better chance you have of stopping something before it starts," he said.
The provider organization has adopted a more proactive monitoring approach. "I have to understand what my net flow is. I have to understand those packets that are going across the network from one building to another or through my firewall to the outside, and what's coming in. If I don't know that, I can't look for anomalies," Summitt said. "We need to be watching for certain things and as soon as something pops up out of the ordinary, you know immediately to go find out what that is."
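The flow-baselining approach Summitt describes, as an added illustration that is not part of the original article and is not Moffitt's own tooling: constructed NetFlow-style records (timestamp, source, destination, port, bytes) from a quiet period are used to build a per-host baseline of outbound traffic to external addresses, and later records are flagged when a host contacts an external destination it has never talked to, when the volume of a flow sits far outside that host's baseline, or when a host has no baseline at all. The internal address ranges, record format, sample data and z-score threshold are all assumptions made for the example.

```python
"""Added example: baseline egress flows per internal host and flag anomalies.

Illustrative code only, not a product or Moffitt's monitoring stack. The record
format, address ranges, sample flows and threshold are assumptions.
"""
import ipaddress
import statistics
from collections import defaultdict

# Assumed internal address space (RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed NetFlow-style summaries: (epoch_ts, src_ip, dst_ip, dst_port, bytes).
# Eight ordinary HTTPS sessions from one workstation to two known external hosts.
BASELINE_FLOWS = [
    (1457900000, "10.1.2.3", "203.0.113.10", 443, 1200),
    (1457900060, "10.1.2.3", "203.0.113.11", 443, 1800),
    (1457900120, "10.1.2.3", "203.0.113.10", 443, 1500),
    (1457900180, "10.1.2.3", "203.0.113.10", 443, 2100),
    (1457900240, "10.1.2.3", "203.0.113.11", 443, 1400),
    (1457900300, "10.1.2.3", "203.0.113.10", 443, 1700),
    (1457900360, "10.1.2.3", "203.0.113.11", 443, 1600),
    (1457900420, "10.1.2.3", "203.0.113.10", 443, 1300),
]

# Constructed "live" records to check against that baseline.
NEW_FLOWS = [
    (1457990000, "10.1.2.3", "203.0.113.10", 443, 1650),        # normal
    (1457990060, "10.1.2.3", "198.51.100.7", 443, 48_000_000),  # new host, huge upload
    (1457990120, "10.1.2.3", "10.1.2.50", 445, 9_000_000),      # internal, out of scope
    (1457990180, "10.1.2.9", "203.0.113.10", 443, 900),         # host with no baseline
    (1457990240, "203.0.113.10", "10.1.2.3", 443, 5000),        # inbound, out of scope
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_egress(src: str, dst: str) -> bool:
    """Only internal -> external flows are baselined in this example."""
    return is_internal(src) and not is_internal(dst)


def build_baseline(flows):
    """Per-source (mean, population stdev) of bytes per egress flow, plus the
    set of external hosts each source contacted during the baseline window."""
    sizes = defaultdict(list)
    known_dst = defaultdict(set)
    for _ts, src, dst, _port, nbytes in flows:
        if is_egress(src, dst):
            sizes[src].append(nbytes)
            known_dst[src].add(dst)
    stats = {src: (statistics.mean(s), statistics.pstdev(s)) for src, s in sizes.items()}
    return stats, known_dst


def find_anomalies(baseline, flows, z_threshold=3.0):
    """Return one finding per rule that fires; a single flow can trigger several."""
    stats, known_dst = baseline
    findings = []
    for ts, src, dst, _port, nbytes in flows:
        if not is_egress(src, dst):
            continue
        if src not in stats:
            findings.append({"ts": ts, "src": src, "dst": dst, "reason": "no_baseline"})
            continue
        mean, stdev = stats[src]
        if dst not in known_dst[src]:
            findings.append({"ts": ts, "src": src, "dst": dst, "reason": "new_destination"})
        # Floor the stdev so a baseline of identical sizes cannot divide by zero.
        z = (nbytes - mean) / max(stdev, 1.0)
        if z > z_threshold:
            findings.append({"ts": ts, "src": src, "dst": dst,
                             "reason": "volume_spike", "z": round(z, 1)})
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(finding)
```

Run stand-alone, the block prints three findings: the 48 MB upload to 198.51.100.7 fires both the new-destination and volume rules, and 10.1.2.9 is reported because it never appeared in the baseline window. Two caveats a practitioner would add before using something like this for real: the baseline must be rebuilt per host on a rolling window (shift changes and backups move the mean), and a per-flow byte z-score will not catch exfiltration that is spread across many small flows, which is why production tooling also aggregates bytes per host per destination over time.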
Finally, H. Lee Moffitt is always ready to respond to security incidents. "Your incident response plan better be ready because there is going to be a time when you're going to need it, and if it doesn't work, you've lost the battle," Summitt said.
By adding such strategies to their security initiatives, healthcare organizations can counter expanding threats with programs that truly protect. In essence, to safeguard valuable health information in today's environment, healthcare organizations need to be able to monitor, analyze and respond in near real time, and to coordinate safeguards across traditional vendor lines to protect against the full array of potential external and internal attacks.