The healthcare industry has a unique position with relation to cybersecurity. It is the only industry that provides services with the intent to avoid major repeat clients and visits. It focuses on maintenance to avoid major health issues and prefers a sustainment model to a person’s health verses dealing with an emergency.
While the latter is fundamental to critical care, regular check-ups, preventative care and other low-risk interventions always are preferred. In essence, healthcare is trying to provide a routine verses dealing with crisis events.
Data here, there and everywhere
When one considers this model for an individual’s healthcare, the data used for sustainment and check-ups is not centrally located. It can be located in a general practitioner’s office, specialist’s care, insurance company or hospital – to name a few.
In addition, financial information regarding coverage and payments is intermixed with all this information, adding a level of sensitivity to the data being stored.
Finally, technology has played a massive role in healthcare. This includes everything from diagnostic equipment to medical devices embedded in living tissue to provide critical care through routine check-ups. This equipment suffers from similar flaws to servers, workstations and IoT devices deployed in any organization. They can be hacked and compromised just like any other computer, causing a potential disruption to their basic operations and potentially lead to a life-threatening situation.
“Executives should strive to ensure they are not the weakest link in the personally identifiable information supply chain.”
Morey Haber, BeyondTrust
“We are not dealing with the data in just one secure location,” said Morey Haber, chief technology officer and chief information security officer at BeyondTrust, a vendor that specializes in privilege management, access management and cybersecurity. “By definition, the Health Insurance Portability and Accountability Act (HIPAA) provides critical guidance for mandating industrywide standards for healthcare information on electronic billing and requires the protection and confidential handling of protected health information.”
Basic cybersecurity hygiene challenges
The challenges in meeting these requirements, even after a decade, Haber continued, manifest themselves in basic cybersecurity hygiene:
- Maintaining secure assets by performing vulnerability assessments, patch managements and privileged access management.
- Storing, processing and backing data up in using secure processes and protocols.
- Removal of end-of-life operating systems that process sensitive data.
“If you consider all the locations your healthcare information exists, from a pharmacy to general practitioner and urgent care center, there is no way for any consumer to know if the provider is maintaining basic cybersecurity hygiene to protect their information,” he said. “In fact, many of them probably are not because statistically the majority of breaches are based on flaws in basic hygiene.”
90% of vulnerabilities are associated with excess administrator rights, according to the 2018 Microsoft Vulnerabilities Report. 81% of breaches start with stolen and/or weak passwords, according to the BeyondTrust 2018 Privileged Access Threat Report. And 80% of breaches are the result of privilege account abuse or misuse, according to Forrester Research.
“In fact, I would label this as a flaw in HIPAA,” Haber contended. “Just like privacy shield initiatives, PCI and other data privacy acts, it would be good for a rating system to be developed to grade a healthcare provider’s cybersecurity hygiene and make those ratings public to consumers and other providers. This would be similar to a restaurant’s health rating, and people and organizations could determine if they want to trust an organization with their sensitive information.”
What can CIOs and CISOs do?
So what can healthcare provider organization CIOs and CISOs do to tackle this challenge of protecting data that is widely dispersed?
“CIOs and CISOs should get back to cybersecurity basics and do them very well,” Haber advised. “Executives should strive to ensure they are not the weakest link in the personally identifiable information supply chain.”
These basics, Haber advised, include:
- Discover all of the assets and resources on a network. Identify and remove any shadow IT or rogue devices.
- Perform vulnerability assessments and configuration management on a regular basis to identify risks.
- Perform patch management using a service level agreement to hold IT and vendors accountable for risk mitigation.
- Embrace an identity governance methodology to manage users, accounts, entitlements and roles to prevent inappropriate user access.
- Perform privileged access management to secure sensitive accounts from misuse.
- Use secure remote access technology for vendor access to avoid a breach from uncontrolled assets.
- Ensure security defenses from anti-virus to firewalls and VPN are up-to-date, within maintenance and regularly reviewed life expectancy.
- Develop an incident response plan, and, most important, test it.
- Consider hiring white hat ethical hackers to perform a pen test to identify advanced and potentially persistent flaws that could be leveraged by a threat actor.
Data must always be live and available
Personal health information needs to be available at any time or any place from a routine visit to critical care in an emergency room. This means that the data must be live and available at any time to a properly authorized individual.
While making data available all the time is not a challenge, determining appropriate access can be very difficult. This is why identity governance using an identity and access management system is so important, Haber contended. It can create the proper roles for staff to have access and provide certification reporting to determine if the access is appropriate, he added.
“CIOs and CISOs should not think about access to sensitive information using accounts,” Haber advised. “They should think of access in the form of identities. Identities can have multiple accounts associated with them from email to application and resource access. If executives manage access to sensitive information at a higher level – identities and people – and can perform cybersecurity basics well, there is a good chance that their defenses will lower their security risk substantially and avoid an incident and ultimately, a breach.”
Prepare for next-gen cybersecurity threats and join the #HITsecurity discussion at the HIMSS Healthcare Security Forum this Dec. 9-10 in Boston.