How connecting disparate data sources opens the doors to hackers
With all the focus on EHR and data interoperability, digital health, and Internet of Things devices, security and tech execs must remember a certain reality: connecting previously disparate information systems often opens up weaknesses that hackers can exploit.
Cybersecurity weak points, in fact, arise just about any time change happens, IT services are added or removed, or new products and vendors enter a network, said Glenn Stover, IT security manager at Beebe Healthcare, a Delaware health system.
Stover and FairWarning CEO Kurt Long shared insights for IT and security executives constantly connecting new and legacy systems to their networks — and it begins with transforming the way you think about both IT and infosec.
“Information technology exists across nearly every aspect of healthcare and can no longer be considered an independent department, but rather as an integrated body that is in line with the organization’s vision and direction,” Stover said.
Begin with the basics
There are known strategies and tactics that healthcare CIOs and CISOs can employ to help shore up weak points between disparate information systems.
For starters, many infosec basics apply: maintain accurate inventory of hardware, software and data flow, enable visibility into these systems through audit trails that track who is accessing them and when that access is occurring, and of course, inventory all data stored on them.
Security teams also need to update their acceptable use policies and broadcast them to all persons with access to protected health information, said Kurt Long, founder and CEO of FairWarning, a data protection and governance firm.
Target and HIPAA
Whereas oft-considered health data sources include apps and EHRs, hospitals also have a range of non-traditional IT devices that can be vulnerable as well.
Remember the Target breach of more than 100 million records?
Healthcare infosec pros can learn a lot from that infamous incident. That breach started with one of Target’s HVAC vendors being phished. Unfortunately, that vendor had a direct connection into Target’s network that the attackers, in turn, managed to leverage the phished account from the HVAC vendor.
To that end, there are dozens if not hundreds of questions, Stover said, to ask new vendors prior to signing any contracts: When was their last risk assessment performed? Do they routinely and regularly provide security awareness training to their staff? Do they have appropriate password, data storage and transmission, and encryption policies?
Anytime a hospital is looking to add a new vendor, in fact, regardless of whether they sell heating units or health apps, it’s important to consider all aspects of the administrative, technical and physical security considerations, and Stover recommended those range from compliance at the state and federal levels as well as financial and risk impact, not to mention product support.
“Blank stares or lack of positive response to any one of those questions is a significant weak point that can affect not only their capabilities as a vendor but ultimately may impact the hiring healthcare organization’s patient data and business resiliency,” Stover said.
Beyond regulatory and administrative weak points, there are technical weak points that most CISOs likely are familiar with: unsupported operating system use, failure to patch known and critical vulnerabilities in a timely manner, the lack of an anti-virus system or delays in signature updates, the inability to track assets or data, and the lack of appropriate role-based unique access controls.
“These technical vulnerabilities all point back to appropriate administrative controls because if a vendor is going to perform a thorough risk assessment, an omission of any of the aforementioned technical controls should easily rank as a documented risk,” Stover said.
APIs and open interfaces
So how much of this problem is on the systems vendors and how much is on the healthcare organizations?
“Generally, healthcare providers tend to under-prioritize security and privacy; however, healthcare software vendors are making life pretty difficult on their customers in this area,” Long said. “For context, security vulnerabilities and HIPAA compliance responsibilities are to secure all systems that access PHI. EHR vendors may bundle information security solutions for things like privacy monitoring of audit logs, which are compatible with their software.”
As long as the vendor provides an open interface for third parties to access audit logs, customers can acquire third-party products to secure their entire environment, and they’re in luck, Long added.
“But that’s not always the case,” he said. “When an EHR vendor closes information security interfaces, such as audit logs, to third-party products, customers are stuck with a bundled security product, usually that they pay for. This is deficient because there is no technical solution to collecting audit logs from all systems to monitor.”