
Mitigating Crime-As-A-Service In Health Sector

By ISBuzz Team | May 24, 2017 | 7 Mins Read

A recent study from the Brookings Institution found that one in four hacking attempts will focus on the healthcare industry. The study’s findings reflect the scale of these breaches: it notes that, since late 2009, the health information of more than 155 million Americans was exploited through a security breach. These records are valuable because they provide a fairly complete picture of a person, with Social Security numbers, addresses, health data, and sometimes even payment methods.

Much of this hacking comes through “cyber-crime-as-a-service”, where criminals can purchase the tools to conduct malware attacks. For example, they can buy exploit kits where malware is packaged in a usable form, allowing individuals with minimal technical expertise to carry out damaging breaches and ransomware attacks. Organized crime groups are behind many of these incidents, using malware or someone on the “inside” to steal records and sell them for upwards of $50 each.

Unfortunately, many companies in the healthcare sector are susceptible to breaches. For example, the regulations pushing for electronic health records (EHR) brought benefits in terms of accuracy and speed of information sharing, but the downside is that some organizations were not prepared for the security implications. And these companies lack monitoring capabilities – they simply don’t know when a breach occurs and who carried it out. CIOs, CSOs and compliance officers poorly understand their total user bases, so they can’t manage the “acceptable use” of their protected health information (PHI).

Exploring the Root Causes

The main driver for such security breaches is of course monetary gain. Hackers attack health records because there’s value in selling the information to other bad actors. On a smaller scale, a person at a health center’s front desk might provide unauthorized patient information to a friend. In either case, there’s a lack of visibility into data access and security, which means many breaches go undetected or only come to light in the following weeks or months.

According to recent studies from Level 3/HIMSS Analytics, nearly 80% of surveyed health IT executives noted employee awareness as their top threat. Whether it’s through negligence or actual criminal intent, it’s the people working at a healthcare provider that are often the source (or entry point) of a breach.

Third-party vendors working with healthcare facilities are a frequent source of hacks, as many of these workers are granted access, but their activities aren’t often tracked. These parties might include various vendors, such as EHR providers, other physicians’ offices, and diagnostic clinics that help coordinate labs and other elements of care. These third parties do not have visibility into which individuals under their employ have access to the information. And in some cases these vendors might also contract out to other third parties, which adds another layer of exposure and prevents complete transparency into access points. These people are also not typically trained on security procedures, including password creation policies, log in/out procedures, avoiding public Wi-Fi, etc. A contractor might leave an EHR vendor and take their credentials with them, allowing them to access databases months or even years after leaving a position.

Consider as an example a large multi-faceted hospital and healthcare group that might have merged with several other groups over the past 20-25 years. Acquisitions often come with layoffs. Did this hospital have visibility into the names and access rights of previous employees? What about the contractors that worked with the other groups? Due to the expansive types of care provided, the hospital/health group might operate hundreds of interconnected technology systems, with more than a thousand different vendors and a pool of tens of thousands of potential current and past users.

Tackling Multiple Problems

On the people front, healthcare providers need to first identify all of the known and unknown users. Companies cannot govern processes or people if they are unknown, so there must be a thorough review of all past and present third parties to find all the possible users.

Providers should then use technology tools to find out what the entire user base is doing. This means employing advanced monitoring tools to identify sloppy security patterns, so they can retrain staff quickly. Retraining should always be the first step, with termination of the employee a last resort for these types of security lapses. These tools should look for registration patterns, so if there’s a large spike in patient record access, then an alert will be sent. Such solutions should map to HIPAA guidelines so the organization can navigate through any audits. Some of these tools also use predictive analytics to spot potential problem employees or situations, which gives IT and compliance teams time to remedy the situation proactively.
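The spike alert described above can be sketched as follows. This is an added example, not code from the article or from any monitoring product; the event format, the user names and the thresholds `k`, `min_history` and `floor` are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

def daily_distinct(events):
    """Map user -> {day: count of distinct patient records opened that day}."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, user, patient_id in events:
        seen[user][day].add(patient_id)
    return {u: {d: len(p) for d, p in days.items()} for u, days in seen.items()}

def spike_alerts(events, today, k=5.0, min_history=5, floor=20):
    """Return (user, today's count, baseline) for users far above their own norm.

    Baseline is the median of the user's prior days and spread is the median
    absolute deviation (MAD), so one earlier busy day does not hide a new spike.
    k, min_history and floor are assumed tuning values, not HIPAA requirements.
    """
    alerts = []
    for user, days in daily_distinct(events).items():
        history = [c for d, c in days.items() if d < today]
        count = days.get(today, 0)
        if count < floor:            # ignore volumes too small to matter
            continue
        if len(history) < min_history:
            alerts.append((user, count, None))   # no baseline: new/unknown user
            continue
        base = median(history)
        mad = median([abs(c - base) for c in history]) or 1.0
        if (count - base) / mad > k:
            alerts.append((user, count, base))
    return sorted(alerts, key=lambda a: a[0])

def sample_events():
    """Constructed audit trail of (ISO date, user, patient id); not real data."""
    events = []
    for i in range(1, 8):
        day = f"2017-05-{i:02d}"
        events += [(day, "nurse_a", f"P{i * 100 + n}") for n in range(10 + i % 3)]
        events += [(day, "clerk_b", f"P{n}") for n in range(4 + i % 2)]
    today = "2017-05-08"
    events += [(today, "nurse_a", f"P{900 + n}") for n in range(12)]
    events += [(today, "clerk_b", f"P{n}") for n in range(60)]   # bulk lookup
    events += [(today, "vendor_x", f"P{n}") for n in range(25)]  # no history
    return events, today

if __name__ == "__main__":
    events, today = sample_events()
    for user, count, base in spike_alerts(events, today):
        print(f"ALERT {user}: {count} records on {today} (baseline {base})")
```

Comparing each user against their own history keeps a busy nurse from alerting every day while still catching a front-desk account that suddenly opens dozens of records.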

Identity management should be conducted in tandem with the monitoring. This involves full “access rights management” procedures that include pulling in all available users, understanding who they are, where they work, what applications they should have access to, and how their access should be restricted. The organization should also develop a strategy for onboarding new users that includes a detailed look at the access rights they need to perform their job, and what happens when they voluntarily or involuntarily leave the company.
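One way to run the access rights review described above is to reconcile every system’s account list against a roster of employees and third-party staff. This is an added example, not code from the article; the roster, the account inventory, the field layout and the finding labels are all constructed for illustration.

```python
from datetime import date

# Constructed roster: person id -> (employer, end date, or None if still active).
ROSTER = {
    "e100": ("Hospital", None),
    "c200": ("EHR vendor", date(2016, 11, 30)),
    "c201": ("Diagnostic clinic", date(2017, 3, 15)),
}

# Constructed inventory pulled from each system:
# (system, account, owner id, enabled, last login).
ACCOUNTS = [
    ("ehr", "jsmith", "e100", True, date(2017, 5, 20)),
    ("ehr", "vend_kl", "c200", True, date(2017, 4, 2)),
    ("lab", "lab_rt", "c201", True, date(2017, 3, 1)),
    ("pacs", "svc_old", "x999", True, date(2015, 1, 9)),
    ("lab", "vend_kl2", "c200", False, date(2016, 10, 1)),
]

# Most urgent first: a login after the departure date means the access was used.
SEVERITY = ["USED_AFTER_DEPARTURE", "UNKNOWN_OWNER", "ENABLED_AFTER_DEPARTURE"]

def review_accounts(accounts, roster, today):
    """Return (system, account, finding) for enabled accounts nobody should hold."""
    findings = []
    for system, account, owner, enabled, last_login in accounts:
        if not enabled:
            continue                      # already deprovisioned
        if owner not in roster:
            findings.append((system, account, "UNKNOWN_OWNER"))
            continue
        _employer, end = roster[owner]
        if end is None or end >= today:
            continue                      # owner is still engaged
        if last_login > end:
            findings.append((system, account, "USED_AFTER_DEPARTURE"))
        else:
            findings.append((system, account, "ENABLED_AFTER_DEPARTURE"))
    return sorted(findings, key=lambda f: (SEVERITY.index(f[2]), f[0], f[1]))

if __name__ == "__main__":
    for system, account, finding in review_accounts(ACCOUNTS, ROSTER, date(2017, 5, 24)):
        print(f"{finding:24} {system}/{account}")
```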

Users must be identified through identity management best practices before training, governing, and (if necessary) sanctioning users, which occurs after a complete accounting of all users and implementation of monitoring. Firms need to mandate security awareness training for all staff members, with specialized procedures for those working directly with data. The current training model is broken and does not provide staff with clear direction on the right and wrong types of data access and how they can stay in compliance. For example, a nurse might decide to look up the health history of her niece to ease her brother’s worry. But instead of the basic bloodwork and tests, she finds records of a neonatal exam. This kind of privacy breach is common, and should be treated with the same seriousness and security as instances of cybercrime as a service. The staff training needs to be dynamic and adaptable, delivered through learning management systems so it can adjust to the latest attack methods. Training needs to scale to meet both the sheer number of people involved in healthcare and to react in time to the quickly-changing attack methods.

Looking Forward

With regard to privacy, there are several elements that will need to come together to better protect patient and provider information. Technology tools such as advanced user monitoring are essential, as they provide visibility into user actions and give IT the ability to shut down suspicious actions before they turn into criminal thefts.

On the people side, there are significant strides organizations need to make in terms of providing security training to clinicians, administrative staff, nurses, and physicians. The challenge is that organizations cannot simply “turn off access” to large pools of their staff. Nurses and clinicians need instant access to patient information, so there has to be a level of trust built between the provider and its staff. It requires a delicate balance built on “trust but verify” where such staff need to be monitored, but not have restrictions placed on saving lives.

On the technology side, analysis should be conducted to find ways to make privacy protections more powerful without removing the human element from healthcare. Companies in healthcare have to accept that many breaches start with users who have current or expired access rights, and know they must track these people in order to proactively stop breaches from occurring. Monitoring tools are essential in order to transform healthcare organizations from reactive groups that respond to breaches after the damage is done into proactive groups that can spot and squash potential problems.

The people and technology sides should come together harmoniously, where predictive tech and machine learning work with educated employees to prevent security problems. For the healthcare industry to thrive, this has to be the future dynamic, where a “culture of security” is developed in which every employee understands their role in protecting privacy, and the organization implements the right complementary technology tools.

About Kurt Long
