By Kurt Long, Founder and CEO, FairWarning
The recent study from the Brookings Institution detailing that 25 percent of hacking attempts will focus on healthcare data should serve as a critical notification for industry providers. The study found that since 2009 the health data of more than 155 million Americans has been breached, a massive number of records containing SSNs, addresses, and payment data.
The vehicle for a considerable number of these hacks is “cyber-crime-as-a-service”, where criminals can go online to purchase virtual tool kits to conduct malware attacks. These are packaged in a ready-to-go format, so criminals with limited technical backgrounds can carry out successful ransomware attacks. The payoff can be immense (especially compared to the low risk of being caught), with health records on sale via the “Dark Web” for upwards of $50 each.
Despite the risks, many healthcare sector companies are ill-prepared to stop such breaches. The passage of regulations such as those requiring electronic health records (EHR) brought benefits in the accuracy and speed of information, but firms were not ready to secure all of the newly virtualized information. Combined with a lack of transparent monitoring (who is accessing what information), this leaves organizations with a difficult time even spotting whether a breach occurred.
Detailing the Causes
Easy monetary gain is the main cause of such breaches. Thieves who target these records do not need a getaway car and don’t need to worry about selling a physical product at a pawnshop. They can conduct the attacks from any internet connection, with little fear of law enforcement action.
Breaches are not always committed by hacker groups. Many of them are performed, intentionally or not, by staff members at the provider or a vendor. Perhaps a front desk agent agrees to look up the health records of a friend’s close family members, in violation of HIPAA rules. Or a vendor with expired access decides to access and sell a few hundred records for some quick cash. The problem with these smaller-scale breaches is that they often go undetected for weeks or months, and in many cases are not discovered at all. For internal staff, it’s often a case of lack of awareness and faulty training. They might not clearly understand the right and wrong ways to access data, or they might unwittingly provide access to other agents.
Another frequent source of hacks is third-party vendors working with healthcare facilities: many of these workers are granted access, but their activities often aren’t tracked. Vendors might be EHR providers, outsourced IT analysts, technicians, or labs that are all part of coordinated care. These third parties often do not have tight controls over their staff’s actions in regard to systems access, and the actual provider might have zero visibility. Another layer of complexity is added when the vendors then contract out to other vendors. Vendor staff are typically not trained on security procedures, including password creation policies, log in/out procedures, avoiding public Wi-Fi, etc. A diagnostics consultant might leave the vendor, discover that their access credentials are still valid a year later, and be tempted to offer access to a hacking group.
The sheer size and complexity of a large multi-faceted hospital and healthcare group underscores the threat. Perhaps these groups have merged with several other providers and worked with hundreds of vendors over the past 20 years. There might be hundreds of systems operated by the group that all contain patient information. During those 20 years, there could easily be a hundred thousand personal users, between vendors and actual staff. Manually monitoring all of these potential access points is a massive undertaking.
Managing the Problems with Technology and Training
Mitigating the security risks requires a two-pronged “people and technology” approach. On the people front, healthcare providers need to first identify all of the known and unknown users and compile them into a centralized source that is easily managed and analyzed. Such auditing must include all past staff members and vendors, to provide a true count of potential access threats.
Staff training is essential, with providers offering mandated security awareness training. This should include specialized training for those who work directly with the most sensitive records data. Unfortunately, the current model of training is broken, and staff are not provided with clear direction on log on/off policies, password protection, and rules on the distribution of records. Staff might perform seemingly innocuous actions that end up being major breaches of privacy. For example, an RN might look up the x-ray scan of their nephew to check on his broken arm, but find previously undisclosed private health information. This type of breach does not have the same ramifications as a massive cyber breach, but it should still be handled with seriousness and include additional training for the staff.
In order to handle the scale of healthcare organizations (in terms of staff and number of systems), providers must adopt dynamic learning management systems that provide automated and frequent training. Users must receive repeated messages about their part in managing data compliance, so the organization can become a security-focused culture.
The technology piece of improved security is intended to keep track of the entire user base, across staff and third-party vendors. Firms should put in place advanced monitoring tools to identify poor security patterns, spot individual user credentials being used in different locales, and identify unapproved access. These tools look at registration and login patterns and send automated alerts to IT and management when they spot surges in patient record access.
Advanced tools will map directly to HIPAA guidelines, which will help providers to successfully manage audits. Tech solutions can also be used to run predictive analytics, which can help IT spot problem staff members or entire processes that pose a risk. This allows proactive responses that could be the difference between a contained problem and a 10-million-record breach. Managing and training staff is tricky within healthcare because the clinical information is necessary for the health of patients. Doctors and nurses cannot be restricted from health information, but should not have access to financial payment information. There must be a certain level of trust between the staff and IT that comes from training and smart implementation of technology.
Monitoring should go hand-in-hand with identity management, with a full access rights management process for all users that records where they work, who they are, and the exact rights they should use in their daily work. New users should be onboarded within such a structure, with their user rights clearly delineated before they start the job.
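As an added illustration of the monitoring and identity checks described above (example code written for this page, not FairWarning’s product), the script below runs three checks over a constructed access log: one credential used at two sites within an hour, a surge in records touched against a per-user baseline, and activity from an account whose access end date has passed (or that is unknown to the identity table). The log, identity table and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not real data): (user, timestamp, site, patient record id).
ACCESS_LOG = [
    ("rn_smith",   "2024-03-01T08:00:00", "clinic-a", "P100"),
    ("rn_smith",   "2024-03-01T08:20:00", "clinic-b", "P101"),  # same credential at a second site 20 min later
    ("vendor_lab", "2024-03-01T09:00:00", "remote",   "P200"),  # account whose contract ended a year earlier
    ("clerk_jo",   "2024-03-01T10:00:00", "clinic-a", "P300"),
    ("clerk_jo",   "2024-03-01T10:01:00", "clinic-a", "P301"),
    ("clerk_jo",   "2024-03-01T10:02:00", "clinic-a", "P302"),
    ("clerk_jo",   "2024-03-01T10:03:00", "clinic-a", "P303"),  # four records in a day against a baseline of one
]
# Constructed identity records: typical distinct records per day and the date access should end.
IDENTITY = {
    "rn_smith":   {"baseline_per_day": 10, "access_ends": "2030-01-01"},
    "vendor_lab": {"baseline_per_day": 5,  "access_ends": "2023-02-01"},
    "clerk_jo":   {"baseline_per_day": 1,  "access_ends": "2030-01-01"},
}

def detect_anomalies(log, identity, travel_window=timedelta(minutes=60), surge_factor=3):
    """Return sorted (user, alert_type) pairs from three checks over the access log."""
    alerts = set()
    by_user = defaultdict(list)
    for user, ts, site, record in log:
        by_user[user].append((datetime.fromisoformat(ts), site, record))
    for user, events in by_user.items():
        events.sort()
        # Check 1: same credential seen at two different sites inside the travel window.
        for i, (t1, s1, _) in enumerate(events):
            for t2, s2, _ in events[i + 1:]:
                if t2 - t1 > travel_window:
                    break
                if s2 != s1:
                    alerts.add((user, "credential_at_two_sites"))
        # Check 2: distinct records touched in one day far above the user's baseline.
        per_day = defaultdict(set)
        for t, _, record in events:
            per_day[t.date()].add(record)
        baseline = identity.get(user, {}).get("baseline_per_day", 1)
        if any(len(recs) > baseline * surge_factor for recs in per_day.values()):
            alerts.add((user, "record_access_surge"))
        # Check 3: activity from an unknown account or one whose access end date has passed.
        ends = identity.get(user, {}).get("access_ends")
        if ends is None or any(t.date() > datetime.fromisoformat(ends).date() for t, _, _ in events):
            alerts.add((user, "access_after_end_date"))
    return sorted(alerts)
```

In a real deployment the baselines would be learned from history and the end dates pulled from the HR and vendor contract systems rather than typed in.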
Moving Forward
Technology tools such as advanced user monitoring provide visibility and accountability, and when combined with training they give organizations a layer of breach protection. While no solution makes the organization immune to threats, the right approach can make the healthcare provider a much less appealing target and gives IT the chance to stop small breaches before they spiral out of control.
The trend of healthcare breaches continues year-over-year, with a Gartner analyst predicting every person in the country will have their health information hacked by 2024 (if not sooner). Healthcare industry organizations can limit the scope of such incidents by employing the two-pronged approach of training and technology to introduce control and visibility into data access.
About the Author
Kurt Long is the Founder and CEO of FairWarning®, whose Patient Privacy Intelligence customers represent over 8,000 healthcare facilities globally, and which protects financial services customers with over $500 Billion in assets. Prior to FairWarning®, Mr. Long founded and served as CEO of OpenNetwork Technologies, a leader in web single sign-on and identity management software solutions. As CEO, Mr. Long led OpenNetwork to over 2,000% growth with customers across the United States, United Kingdom, Europe, and Australia. OpenNetwork was acquired by BMC Software of Houston. http://www.fairwarning.com/ https://www.linkedin.com/in/kurt-long-8223211/ https://twitter.com/FairWarningInc