Governance, training and, yes, monitoring can go a long way to reducing a system’s risk, expert says.
A healthcare organization’s workforce is its greatest cybersecurity threat, but there are reliable steps organizations can take to lessen the risks, said Kurt Long, founder and CEO of FairWarning, a cybersecurity firm that protects patient information in more than 8,000 healthcare facilities worldwide.
“People are the greatest vulnerability statistically, whether it’s the Verizon breach report, the IBM breach report, or any other survey being conducted; statistically it is obvious the workforce is untrained and vulnerable,” Long said. “Most of these breaches start with an inside user making a mistake. But 45 percent of all the breaches in the IBM breach report were malicious insiders. The solution is much more holistic than the industry currently thinks, and until we wrap our hands around the people problem, there is no amount of technology that is going to make a dent in breaches.”
Luckily, there are a variety of approaches that healthcare organizations can take to tackle the people problem.
“The first focus for healthcare organizations is to vet the people that are joining your team,” Long said. “Vetting can go deep into background checks, making sure people are not on any of the federal fraud lists.”
Next, Long explained, healthcare organizations need a workforce that is both governed and trained.
“For governed, this means the workforce has signed and is aware of the policies of acceptable use for that care provider,” he said. “And for trained, this means not just trained on acceptable use but also trained to report – this is a big one – suspected incidents. The first level of training is what is appropriate use of PHI, but this second level of training is to report to a security team, some central agency within the healthcare provider, what is suspicious. We’ve seen where workforces can be transformed to help become a line of defense.”
After vetting, governance and training comes monitoring, Long said.
“Monitoring is a trust-but-verify matter,” he added. “Care workers have access to a great deal of data, which they should, because it is required in the course of patient care. It is very difficult to ratchet down the access control, so you need to monitor the workforce for various scenarios. For example, you want to statistically monitor whether this person is well outside the boundaries of what they should normally be accessing.”
And finally, healthcare organizations should identify, track and correlate their users, Long concluded.
“Organizations have many different applications that touch PHI, and those applications could be legacy systems that they’ve had for a long time, so they don’t have modern user management controls,” Long said. “Or they could have acquired different group practices and brought in different users they have never seen before. Or in the past they simply could have had poor information practices. It all adds up to poor identification, poor governance and poorly trained users; all those users accessing the PHI, organizations don’t really know much about them at all.”
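As an added illustration of the last two points Long raises (statistically monitoring for access well outside a person's normal pattern, and identifying and correlating the same person across several PHI applications), the following Python script is an example written for this article; it is not code from FairWarning or from any product. The workforce directory, the access events and the threshold are constructed for the example: each employee_id is mapped to the login that person uses in each application, every application's events are folded onto that one identity, and a day's distinct-patient count is compared with that person's own other days.

```python
"""Correlate PHI access events from several applications onto one workforce
identity, then flag days whose access volume sits far outside that person's
own baseline.  Illustrative example; directory, events and thresholds are
constructed, not taken from any real system."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed workforce directory (hypothetical): one employee_id per person,
# with the login that person uses in each application that touches PHI.
DIRECTORY = [
    {"employee_id": "E1001", "role": "nurse",   "logins": {"ehr": "jsmith", "legacy": "SMITHJ"}},
    {"employee_id": "E1002", "role": "nurse",   "logins": {"ehr": "alee",   "legacy": "LEEA"}},
    {"employee_id": "E1003", "role": "billing", "logins": {"legacy": "RPATEL"}},
]

DAYS = ["2024-03-0%d" % d for d in range(1, 7)]


def _synth(app, login, day, n, seed):
    """Constructed sample events of the form (app, login, day, patient_id)."""
    return [(app, login, day, f"P{seed}{day[-1]}{i:02d}") for i in range(n)]


EVENTS = []
for day in DAYS[:5]:                                   # five ordinary days
    EVENTS += _synth("ehr", "jsmith", day, 6, "A")      # 6 in the EHR ...
    EVENTS += _synth("legacy", "SMITHJ", day, 2, "B")   # ... plus 2 in a legacy app
    EVENTS += _synth("ehr", "alee", day, 8, "C")
    EVENTS += _synth("legacy", "RPATEL", day, 5, "D")
# Day six: jsmith's volume jumps, and the jump is split across both systems,
# so a per-application view sees two moderate numbers rather than one large one.
EVENTS += _synth("ehr", "jsmith", DAYS[5], 9, "A")
EVENTS += _synth("legacy", "SMITHJ", DAYS[5], 15, "B")
EVENTS += _synth("ehr", "alee", DAYS[5], 8, "C")
EVENTS += _synth("legacy", "RPATEL", DAYS[5], 5, "D")
# A login the directory has never seen (e.g. a leftover account from an
# acquired practice): the "poor identification" case.
EVENTS += _synth("legacy", "TEMP01", DAYS[5], 3, "Z")


def build_login_index(directory):
    """Map (application, login) -> employee_id."""
    index = {}
    for person in directory:
        for app, login in person["logins"].items():
            index[(app, login)] = person["employee_id"]
    return index


def correlate(events, index):
    """Fold every application's events onto one workforce identity.
    Returns daily[employee_id][day] = set of distinct patient IDs, plus the
    (app, login) pairs that could not be tied to anyone in the directory."""
    daily = defaultdict(lambda: defaultdict(set))
    unmatched = set()
    for app, login, day, patient in events:
        emp = index.get((app, login))
        if emp is None:
            unmatched.add((app, login))
            continue
        daily[emp][day].add(patient)
    return daily, unmatched


def flag_outliers(daily, z=3.0, min_baseline_days=3):
    """Flag (employee, day) where the distinct-patient count is more than z
    standard deviations above that person's own other days.  The baseline is
    leave-one-out, so the suspicious day does not inflate its own threshold,
    and the deviation is floored at 1.0 so a perfectly flat history does not
    turn a one-record change into an alert."""
    findings = []
    for emp, days in daily.items():
        counts = {day: len(patients) for day, patients in days.items()}
        for day, n in sorted(counts.items()):
            others = [c for d, c in counts.items() if d != day]
            if len(others) < min_baseline_days:
                continue                      # not enough history to judge
            mu, sigma = mean(others), max(pstdev(others), 1.0)
            if n > mu + z * sigma:
                findings.append({"employee_id": emp, "day": day,
                                 "patients": n, "baseline_mean": round(mu, 1)})
    return findings


def run(events=EVENTS, directory=DIRECTORY):
    """Correlate, then monitor; returns (findings, unmatched logins)."""
    daily, unmatched = correlate(events, build_login_index(directory))
    return flag_outliers(daily), unmatched


if __name__ == "__main__":
    findings, unmatched = run()
    for f in findings:
        print(f"ALERT {f['employee_id']} on {f['day']}: {f['patients']} patients "
              f"(baseline {f['baseline_mean']}/day)")
    for app, login in sorted(unmatched):
        print(f"UNIDENTIFIED login {login!r} in {app}: not in workforce directory")
```

Two design points matter in practice. First, correlation has to happen before monitoring: on the constructed day six the EHR and legacy counts (9 and 15) are each far less striking than the 24 distinct patients the same person touched in total, and the TEMP01 login is reported separately because no baseline can be built for an identity nobody owns. Second, the floor on the standard deviation and the minimum number of baseline days are deliberate guards against the two common failure modes of a naive z-score: a flat history alerting on trivial changes, and a new or rarely active user being judged on almost no data. A production program would add context this example leaves out, such as role and department, the care relationship to the patient, and break-the-glass events, rather than relying on volume alone.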