The suboptimal state of healthcare security – and how to improve it
Preparedness for data-privacy and security is too often lacking in healthcare-provider organizations, thanks to inconsistent levels of cybersecurity education and incredibly low cybersecurity budgets.
This is one reason that healthcare has consistently been one of the most breached industries in recent years. Many health IT and infosec teams still don’t have adequate insights about where their data lives, or even whether it has been exfiltrated or otherwise compromised.
Can providers really meet HIPAA requirements?
When it comes to privacy protections, unfortunately, most healthcare-provider organizations still cannot meet basic HIPAA requirements, much less those of the California Consumer Privacy Act (CCPA) or General Data Protection Regulation (GDPR).
As Terry Ray, a healthcare cybersecurity expert and senior vice president at Imperva, a data and application security vendor, explains: “Up until recently, and by recently, I mean the last three years, data privacy has been the purview of data owners, in essence, database administrators, specific medical specialty departments, even risk and legal teams. In highly regulated businesses, these teams were mandated to meet highly specific data privacy regulations.”
“These regulations were specific enough to generally instruct organizations toward a course of action that would match an output or result necessary for regulatory compliance, but they were also vague enough to leave room for interpretation of the actions that tended to still meet regulations, but left holes in the security around PHI.”
This is evidenced by the massive quantity and scope of healthcare breaches between 2014 and 2017, which raised the question: How can organizations meet privacy regulations, yet still fall victim to massive data breaches? Isn’t preventing data breaches a driver behind such regulations?
Welcome the chief information security officer
“Today, we’ve seen data privacy responsibilities shift from the sole purview of those mentioned previously to now include, if not be driven by, the chief information security officer, and in some countries, a data privacy officer,” Ray explained. “While it’s a positive to have IT security professionals now responsible for data, the unfortunate state is that these professionals are not knowledgeable about data security or privacy.”
Consider that most data seen online, on health portals, in EHR systems and in other places is ultimately sourced from databases behind the front-end systems running the business, he added.
“Securing databases is vastly different from securing networks or end points,” he said. “But consider three questions; some are easily answered with traditional IT technology, but others, not so much.”
- “Who accessed a database?” is easy to answer with identity-access management tools and logging on the database.
- “From where did they access the database?” is easy to answer with network-monitoring tools and, again, identity-access management.
- “Did they access PHI?” is the question that traditional security tools do not answer. It requires classification of data (whether sensitive or not, and what kind of private data exists), and this requires monitoring all access to all data or, at a minimum, all access to classified private data. “Native database logging can technically provide the monitoring, but the impact to a database for this level of logging is very prohibitive, so it is simply not done,” Ray said. “Data-compliance and security-specific tools are required to provide this, but security teams are not aware that they even need them, since they think traditional tools will give them what they need. Sadly, their thinking changes very quickly post-breach, when they have more questions than they have answers.”
What was accessed versus who accessed?
While both are important, data security is marginally more about the “what” than the “who,” he contended. “What was accessed” tends to have more weight than “who accessed,” he added.
“Which is more valuable?” he said. “‘John accessed data?’ Unfortunately, there is very little that is actionable about this. Compare that to ‘One million records of PHI were accessed, but I do not know by whom.’ While there’s no person named here, this is actionable and important to dig into.”
In the secure data world, this would be actionable: ‘John accessed one million PHI records, and when he is compared to his peers, his action is highly unusual.’ This is a combination of data monitoring, user monitoring and analytics, and is becoming the baseline best practice in other highly regulated businesses like financial services, Ray said.
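The three questions above (who, from where, and whether PHI was touched) together with the peer comparison can be worked through on audit records. The following is an added example, not from the article or any Imperva product; the PHI table set, the roles, the record layout and the audit rows themselves are constructed assumptions.

```python
# Added example (not the article's or Imperva's code): peer-baseline analytics
# over constructed database access-audit records. It answers "who", "from where"
# and "did they access PHI", then flags users whose PHI volume is unusual for
# their peer group (role).
from collections import defaultdict
from statistics import median

# Assumption: tables are tagged PHI / non-PHI by a prior classification step.
PHI_TABLES = {"patients", "encounters", "lab_results"}

# Constructed audit records: (user, role, source_ip, table, rows_returned).
AUDIT_LOG = [
    ("alice", "nurse", "10.0.4.12", "patients", 40),
    ("alice", "nurse", "10.0.4.12", "encounters", 55),
    ("bob",   "nurse", "10.0.4.15", "patients", 60),
    ("bob",   "nurse", "10.0.4.15", "billing_codes", 900),
    ("carol", "nurse", "10.0.4.18", "lab_results", 45),
    ("john",  "nurse", "10.0.9.77", "patients", 1_000_000),
    ("dave",  "dba",   "10.0.1.5",  "billing_codes", 250_000),
]

def phi_access_by_user(records):
    """Per user: role, total PHI rows read (the 'what') and source IPs (the 'from where')."""
    totals = defaultdict(lambda: {"role": None, "phi_rows": 0, "sources": set()})
    for user, role, src, table, rows in records:
        entry = totals[user]
        entry["role"] = role
        entry["sources"].add(src)
        if table in PHI_TABLES:  # the classification step traditional tools lack
            entry["phi_rows"] += rows
    return totals

def flag_peer_outliers(records, ratio=10, floor=1000):
    """Flag users whose PHI rows exceed `floor` and `ratio` x the median of same-role peers."""
    totals = phi_access_by_user(records)
    by_role = defaultdict(list)
    for user, e in totals.items():
        by_role[e["role"]].append((user, e["phi_rows"]))
    findings = []
    for user, e in totals.items():
        peers = [rows for u, rows in by_role[e["role"]] if u != user]
        if not peers:  # no peer group to compare against; skip rather than guess
            continue
        baseline = median(peers)
        if e["phi_rows"] >= floor and e["phi_rows"] > ratio * baseline:
            findings.append({"user": user, "phi_rows": e["phi_rows"],
                             "peer_median": baseline, "sources": sorted(e["sources"])})
    return findings

if __name__ == "__main__":
    for finding in flag_peer_outliers(AUDIT_LOG):
        print(finding)
```

On the constructed log only "john" is flagged: a million PHI rows from 10.0.9.77 against a nurse peer median of 60, while "dave" reads many rows but none classified as PHI.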
So what are a few tactics healthcare CIOs and CISOs can use to cure the poor state of cybersecurity? Ray has three pieces of advice:
“First, monitor data access,” he advised. “This is by far the most critical first step. If your responsibility is to protect something, you must be watching it. Banks can account for every missing dollar without a camera, but have you ever been to a bank without a camera? They even have cameras in the vault.
“Too often, security teams are trying to secure data without actually having any monitoring on it at all. This is an immediate failure. These teams need to implement the appropriate technology that can provide this monitoring to the degree they need for security, beyond the foundational needs of regulation.”
Log retention and reporting
Second, leverage automation, Ray advised. Unlike the network and endpoint world, data privacy and security cross a boundary that requires long-term data-access log retention and reporting, as well as incident identification, he explained.
“Most security products simply find bad behavior and bubble it to the top,” he contended. “Data security requires technology to scale and collect all data access and scan over time. HIPAA requirements for some auditors mean as many as seven years of data retention. This is not something security teams are used to, nor equipped to manage.
“These professionals need to recognize a requirement here for technology that leverages heavy amounts of automation that will take the expertise of security and enhance it through analytics built with the database knowledge security teams lack.”
And third, go beyond regulations, Ray insisted.
All data within an organization
“Security teams are not only responsible for PHI,” he said. “They are responsible for all organizational data. They would do well to remember this when building a data security practice. Too often, organizations prioritize their data privacy and security strategy around regulated data only at the expense of unregulated data.”
At first glance, this may seem OK, but from the perspective of the consumer, this falls short, Ray said.
“Consider the payment card industry regulation, PCI-DSS,” he noted. “It requires organizations, including hospitals and providers who take credit cards, to audit all access to that data. However, if this is all that they secured, it would mean that they do not have to protect your name, address, phone number, SSN or other private information that consumers consider very important. For a company, this data may simply not be in scope for their regulations and be left unsecured.”
It is for this reason the industry now sees consumer privacy laws like GDPR, CCPA and others. In short, Ray advised, security teams should consider all data in their environment in scope and work to prevent a breach across the board. CISOs agree that it would be better to identify a breach in unimportant data first, before it ever got to sensitive data. This is only possible if security teams are watching everything, Ray said.