Implementation best practices: The optimal way to approach security
Security technologies and strategies have never been more important in healthcare than they are today. Healthcare provider organizations are one of the top targets of hackers today. The criminals are looking for those treasured electronic patient records, which fetch a hefty price on the dark web.
Healthcare CIOs and CISOs have to erect powerful defenses to keep evildoers at bay. There are good approaches to healthcare cybersecurity technology and less effectual ones. It’s important for health IT and health security leaders and workers alike to know the best ways to implement security technologies and to think about security in general.
Here, three healthcare cybersecurity experts offer their decades of experience to help CIOs, CISOs and others when it comes to best practices for safeguarding patient data and implementing security technologies.
Right off the bat, resilience
When implementing any new security technology, it should be reviewed for how it supports the organization’s resilience posture, said David Tobar, senior cybersecurity engineer at the Software Engineering Institute’s CERT Division at Carnegie Mellon University.
“Resilience is the capability for an organization to continue to operate, even when under attack, and to recover quickly when attacked,” he explained. “Establishing resilience requires implementing not just core functional requirements that a technology might provide, but also ensuring that the practices supporting it are institutionalized such that they will continue to operate even in times of organizational duress.”
Institutionalization of practices is what drives resilience, Tobar continued. Establishing it involves a number of additional supporting activities, including governance, configuration management, resources, training, and involvement by stakeholders and higher level management, he said.
“A good place to start in establishing resilience is with hygiene practices,” he suggested. “Basic hygiene practices should include lifecycle management practices such as managing hardware and software assets – maintaining inventories and upgrading systems to avoid having them become unsustainable – vulnerability management practices – patching systems for vulnerabilities – and additional controls on administrative privileged accounts.”
Encryption best practices
Sean Atkinson, chief information security officer at the Center for Internet Security, advised that healthcare provider organizations need to take encryption practices very seriously when implementing new security technologies and approaches.
“Implementing new technology is both exciting and scary,” he said. “It is critical to understand the underlying threat to properly define the controls and risk mitigation strategies necessary to deploy security technology. The threat and the value of healthcare rely on data exchange, primarily the personal health information they generate, store and transmit.”
Loss of data can occur anywhere throughout the chain. If one thinks of a security technology to assist in the control of access to this data, encryption is critical, Atkinson contended. If the data is encrypted, it becomes a simple process of key management and access control based on a need to know, he said. Once the need to know is established, the ability to decipher the information will allow for controlled access to the data.
“So why encrypt? The process is twofold,” he explained. “The data should be encrypted both at rest and in transit. The storage of data should be encrypted to mitigate unauthorized access, as it is possible for misconfiguration of a storage device, which could lead to data loss. However, with the data encrypted the value of the data is minimal.”
Data in transit
Second, when the data is in transit, access will be required at the data storage location point, application interfaces (the system requesting the data) and the transmittal across a network from storage to user, he added.
“Therefore, this connection must be secure from eavesdroppers,” Atkinson said. “With the encryption mechanisms in place, the data loses its value because it is no longer ‘plain text’ but cipher text, thereby rendering it unreadable. When encryption standards are used appropriately, the ability to ‘crack the code’ becomes a lengthy and cumbersome process and in some cases impossible. Thereby diminishing the worth of the data.”
Overall, when encryption mechanisms are in place for the storing and transmission of health data, security is strengthened and privacy is protected, he said.
Preparing for ransomware attacks
Although ransomware attacks on city and state government systems have been making headlines recently, hospitals remain a target of choice for ransomware attacks. After all, when vital hospital computer systems are shut down, patient safety is placed at risk, leaving few options for hospital administrators.
Unfortunately, if a healthcare organization is the victim of a ransomware attack, the only response then is reactive. But planning for resilience is a proactive approach that can help prepare and protect an organization for many types of attacks, including ransomware.
“Further preparations to counter ransomware attacks should include updating incident and disaster response plans to include ransomware response options,” said Tobar of Carnegie Mellon University. “The most effective way to deal with ransomware attacks is to have regular, verified data backups. Plans for reliable backups – particularly of key systems and servers – should consider restoral times based on downtime impacts.”
Backups should be tested regularly as part of response exercises and should include worst-case scenarios for operating without computer systems, Tobar added. Training staff and conducting exercises are vital to smooth operational responses, he said.
Basic activities for reducing the risks of ransomware attacks, according to Tobar, include:
- Back up critical data regularly (and keep it offline so it isn’t impacted by an attack).
- Keep systems updated and patched.
- Train employees regarding ransomware and exercise a response plan.
- Employ antivirus/spam filters to scan downloads and emails with links to ransomware.
- Whitelists are a good way to prevent running of applications that are not approved.
“Paying the ransom should be avoided if at all possible,” Tobar warned. “It may be a quick way to resolve your crisis, but it also encourages the continuation of the criminal cycle and its spread to others. Instead, organizations should manage ransomware risk by strengthening their cybersecurity posture and improving their plans for ransomware protection, detection, analysis and response.”
It also is worth noting that some ransomware attacks may be undone by openly available encryption recovery tools. Europol has a repository of keys and applications that can decrypt data locked by some types of ransomware, available at No More Ransom. There are also recommendations from the FBI and those recently released by the DHS Cybersecurity and Infrastructure Security Agency.
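The backup criteria described in this section (regular, verified by restore tests, kept offline, and restorable within the downtime the organization can tolerate) can be checked mechanically against a backup inventory. The following is an added example, not code from the article or from the experts quoted; the record schema, thresholds and sample systems are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed thresholds (not from the article): tune to your own recovery objectives.
MAX_BACKUP_AGE = timedelta(days=1)
MAX_RESTORE_TEST_AGE = timedelta(days=90)

@dataclass
class BackupRecord:                          # hypothetical inventory schema
    system: str
    last_backup: datetime
    last_restore_test: Optional[datetime]    # None = never restored in an exercise
    restore_test_passed: bool
    measured_restore_hours: Optional[float]  # taken from the last restore exercise
    max_downtime_hours: float                # downtime the organization can tolerate
    offline_copy: bool                       # copy the production network cannot reach

def audit(rec: BackupRecord, now: datetime) -> list:
    """Return the gaps that would undermine recovery from ransomware."""
    gaps = []
    if now - rec.last_backup > MAX_BACKUP_AGE:
        gaps.append("stale backup")
    if rec.last_restore_test is None:
        gaps.append("never restore-tested")
    else:
        if not rec.restore_test_passed:
            gaps.append("last restore test failed")
        if now - rec.last_restore_test > MAX_RESTORE_TEST_AGE:
            gaps.append("restore test overdue")
        if (rec.measured_restore_hours is not None
                and rec.measured_restore_hours > rec.max_downtime_hours):
            gaps.append("restore slower than tolerable downtime")
    if not rec.offline_copy:
        gaps.append("no offline copy")
    return gaps

# Constructed sample inventory, for illustration only.
NOW = datetime(2024, 1, 15, 8, 0)
INVENTORY = [
    BackupRecord("ehr-db", NOW - timedelta(hours=6), NOW - timedelta(days=30), True, 3.0, 4.0, True),
    BackupRecord("pacs-archive", NOW - timedelta(hours=20), NOW - timedelta(days=45), True, 30.0, 8.0, False),
    BackupRecord("lab-interface", NOW - timedelta(days=9), None, False, None, 12.0, True),
]

def audit_inventory(records, now):
    return {r.system: audit(r, now) for r in records}

if __name__ == "__main__":
    for system, gaps in audit_inventory(INVENTORY, NOW).items():
        print(f"{system}: {'OK' if not gaps else '; '.join(gaps)}")
```

A system that reports no gaps still depends on the restore exercise having covered the worst case; the check only reflects what the inventory records.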
Internet of Things device monitoring
On another front, as the Internet of Things continues to grow, device monitoring within the healthcare industry is a critical component, said Atkinson of the Center for Internet Security.
“Each connected device is uniquely complex and requires an understanding of the security controls that should be implemented,” he explained. “With the prevalence of multiple connected devices within the healthcare environment, the need to centrally log and monitor usage and access is a must. These connected devices are a weak point within the infrastructure.”
Because of the increasing demand for internet connectivity, the access and footprint of connected devices are part of an ever-expanding attack surface.
“The threat of privacy and data exposure becomes a concern when there is a lack of visibility into the connected devices, if a system is incorrectly configured, or when out-of-the-box solutions are vulnerable to attack,” he said. “Through functionality and utilization of the data generated from connected devices, there is no going back. It is of critical importance to ensure proper diligence in the visibility and monitoring of connected devices.”
Rapid response teams
While preventive measures are absolutely critical when implementing security technologies and strategies, it’s also important at the same time to consider the aftermath of an attack if the technologies and strategies fail.
“Emphasizing the importance of a rapid response team doesn’t imply there’s no need for preventive measures: To an adage, ‘Hope for the best, prepare for the worst,’” said Paul Cerrato, a cybersecurity expert and author of the book “Protecting Patient Information.” “One of the most vexing issues to prepare for is a medical device data breach. Securing infusion pumps, EKG machines and other hardware has become more challenging in recent years because many of them are now connected to the internet or the hospital’s computer network.”
The unending turf war between a provider organization’s IT staff and the device manufacturers makes it even harder to prevent a breach, he added.
“Both parties want to keep hackers at bay, but their priorities are somewhat different,” he explained. “Manufacturers’ main concern is keeping patients safe by making sure their software delivers the correct dose of medication or accurately transmits electrical signals from an EKG lead. To do that, many companies essentially lock out a hospital’s technicians, increasing the vulnerability to a cyberattack. That’s especially worrisome when dealing with legacy medical devices.”
Federal regulators stepping in
The situation has attracted the attention of federal regulators, including the FDA, which has issued a draft guideline for device manufacturers so that they can build strong cybersecurity into their products from the ground up, rather than play catch-up with all sorts of aftermarket security patches.
“The guidelines urge vendors to adhere to the NIST cybersecurity framework,” Cerrato said. “The device should also be designed to notify users if it detects a potential data breach, and have the ability to recover services that were compromised by the incident. Lest some healthcare providers think this concern about medical device breaches is an overreaction, the agency lists several vulnerabilities, including risks in certain Medtronic insulin pumps, wireless telemetry in implantable cardiac devices and more.”
Of course, all the advice on how to build a secure medical device does nothing to address the threat posed by legacy devices, he added. There are, however, several security firms with expertise in this area, sometimes labeled Medical Device Data Security as a Service, he noted.
Not if, but when
Common sense might suggest that closing the barn door after the horse escapes is pointless, but when it comes to health data security, that approach may actually be smarter than one thinks, Cerrato advised.
“There’s a long list of technological tools to help prevent a data breach, including new penetration testing platforms, email protection software that detects phishing threats, and mobile device management systems,” he said. “But in the rush to hold off an attack, many providers overlook the fact that healthcare networks are like computer hard drives. It’s not a question of if they will fail, but when.”
In his book “Protecting Patient Information,” Cerrato devotes a chapter to “Preparing for and coping with a data breach.” That is part of the HIPAA regulations, which include an implementation specification: “Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.”
“Fortunately,” Cerrato said, “there are several vendors to help providers manage this responsibility with the latest technology, including big players and small players. The Federal Trade Commission and other government agencies also offer practical advice. Closing the barn door after a hacker compromises your patient data may not be the ideal situation, but pretending that it will never happen doesn’t make a lot of sense either.”
Health IT implementation best practices
This 20-feature series examines in-depth what it takes to deploy today's most necessary technology and tools.