From late 2009 to 2017 there were healthcare industry data breaches that exposed the health information of more than 155 million Americans. According to a study from the Brookings Institution, a quarter of hacking attempts are focused on healthcare, due largely to the monetary value of selling this information on the black market.
The vehicle for many of these hacking attempts is through “cyber-crime-as-a-service,” where malware is pre-bundled together into an exploit kit. This prepackaged format means criminals with limited tech experience can successfully carry out attacks and breach a healthcare provider’s defenses with minimal effort. Organized crime elements are behind many of these breaches and often use an “insider” to steal records.
Despite the risks and the relative ease of initiating an attack, many healthcare organizations do not have the most advanced security measures in place. In some instances, there are unintended consequences from other regulatory measures that help put data at risk. For example, the push towards electronic health records (EHR) increased data access but some organizations were not ready for the security side of managing all of that digitized information. Most healthcare organizations are also not using monitoring solutions – so they don’t know when breaches occur.
Internal and External Threats
Hackers are “in it for the money,” so they often target healthcare records because they fetch an attractive price on the open market. These types of records are also easier to obtain. Besides sophisticated criminals, another source of healthcare breaches is internal staff members. For example, a front desk employee at a large hospital group might access someone’s health records as a favor for a friend. Their intent is not to sell the information, but it represents a breach nonetheless. In either this example or a hacking incident, there is typically no visibility into the problem, so the organization does not learn about the breach until weeks or months later.
Employee awareness around data security is noted as a top threat by IT health executives. This lack of awareness means internal staff are often the entry point of a breach when their actions do not follow security protocols.
Another source of breaches that’s hard to manage is third-party vendors. A complex hospital group might utilize dozens of vendors at a time (EHR vendors, clinics, labs, IT consultants), and these workers are often granted access to a variety of systems. However, the activities of these individuals are not typically tracked, and their identities and levels of access are not typically cataloged. The hospital group is largely operating on faith that the vendor hires reputable people and that those people are properly trained on security. That’s a tall order, especially in situations where the vendors outsource some of their own work to another third party, which creates another layer of data-access complexity.
Vendor staff are also not typically trained on security procedures, including password creation policies, log in/out procedures, avoiding public Wi-Fi, etc. A common situation is for a contractor to leave a vendor while no action is taken to restrict them from still accessing systems and databases. So a few months or years after leaving the company, this individual can pose a risk to the entire organization.
A large hospital group could have merged with or acquired multiple entities during a 20-year span, and worked with hundreds of vendors. It’s not likely that internal IT has records of every person during that span who had access to patient or financial information. If 200 people were laid off after the most recent acquisition, do their access logins still work? Do the vendors behind the new EHR solution keep track of all of their staff? These questions should keep the hospital group’s IT up at night, as each unaccounted-for person poses a security risk.
Managing Multiple Layers of Problems
Properly managing security within a healthcare organization requires a “people and technology” approach. The people involved in the organization must be identified and their access credentials kept in a managed centralized source. This must include all past staff members and vendors in order to build a true accounting of potential access threats.
Training is essential for compliance with security measures and to raise awareness about improper usage of systems and databases. Specialized training should be employed for those workers who handle the most sensitive records. Unfortunately for the healthcare industry, the current training methods are outdated and ineffective. Staff are not typically provided with detailed information about log on/off policies, password protection, and rules on distribution of records. Employees might perform an action that seems innocuous at the time but is actually a serious breach. For example, an admin might open an email attachment from an unknown source, which then allows a malware kit to take hold. Or an RN looks up the results of their niece’s broken ankle x-rays and finds out she also came in for pre-natal care. Staff training can prevent both types of issues, help the organization avoid possible liability, and help the employee avoid termination.
Dynamic learning systems that use automated and frequent training are essential. The scale and scope of the modern healthcare organization make traditional training exercises pointless. You cannot simply have hundreds of people in a room and have a presenter drone on about security procedures. Organizations need personalized and context-based training that includes automated and frequent messages. Staff should understand the implications of poor security procedures and how they can play a role in developing a security-focused culture.
On the technology side, organizations should put in place advanced monitoring tools to identify poor security patterns, spot individual user credentials being used in different locales, and identify unapproved access. Such tools can recognize odd or unapproved registration and login patterns and then send automated alerts to managers and IT staff. For example, the system could detect a surge in the accessing of patient records by internal staff who typically only need to read a handful of patient files a day.
The more advanced technology tools will have mapping to HIPAA guidelines, which will help providers to successfully manage audits. These solutions also use predictive analytic technologies so the organization can proactively spot potential problems, whether in systems or staff. This approach contrasts sharply with the typical situation where an organization does not know about a breach until it’s way too late. Management of access is trickier within healthcare compared to other industries because information can mean actual life or death. Doctors and nurses cannot be required to go through lengthy authentication steps before they can pull up a chart. So there must be a certain level of trust that is developed through training, where IT can comfortably protect data without placing restrictions on the healthcare organization’s primary care mission.
Monitoring must go hand-in-hand with identity management, a process that catalogs every individual and business that can gain access to systems and networks. Access rights management solutions give IT and management the ability to delineate where people work, the exact access rights they require, and their exact personal information. New users should always be entered into this system, as should vendor staff and any other outside person who can gain entry into patient records. Setting up such identity management takes some initial time, but the long-term payoff is immense. It ensures people are accountable for their actions, and means criminal activities can be quickly identified and curtailed.
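As an added illustration of the monitoring and identity-catalog pairing described above (example code, not FairWarning’s or the author’s), the following runs three simple detections over a constructed set of EHR access records: a user whose daily record count surges above their own baseline, one credential used from more than one locale in a day, and access by an identity that is missing from the active-identity catalog, such as a contractor who left the vendor. The record layout, user names, locales and thresholds are all assumed.

```python
"""Three detections over constructed EHR access records (added example, not FairWarning's or
the author's code; record layout, user names and thresholds are assumed)."""
from collections import defaultdict
from statistics import mean

def _entries(day, user, locale, n):
    # n constructed access events shaped (day, user, locale, patient_id)
    return [(day, user, locale, f"P-{user}-{day}-{i}") for i in range(n)]

# Constructed log: routine clinical use plus the three patterns the article describes
ACCESS_LOG = (
    _entries("d1", "rn_smith", "clinic-A", 3)
    + _entries("d2", "rn_smith", "clinic-A", 4)
    + _entries("d3", "rn_smith", "clinic-A", 3)
    + _entries("d4", "rn_smith", "clinic-A", 30)  # surge far above this RN's own baseline
    + _entries("d1", "desk_jones", "clinic-A", 2)
    + _entries("d2", "desk_jones", "clinic-A", 2)
    + _entries("d3", "desk_jones", "clinic-A", 1)
    + _entries("d3", "desk_jones", "remote-unknown", 1)  # same credential, second locale
    + _entries("d2", "vendor_old", "remote-unknown", 1)  # contractor who left the vendor
)
# Constructed identity catalog: who is currently authorised. 'vendor_old' still has a working
# EHR login but is absent here, so the catalog, not the EHR, decides who should have access.
ACTIVE_IDENTITIES = {"rn_smith", "desk_jones", "vendor_lab1"}

def detect_surges(log, factor=3.0, min_baseline_days=2):
    """{(user, day): count} where a day's count exceeds factor x that user's mean on other days."""
    per_user = defaultdict(lambda: defaultdict(int))
    for day, user, _locale, _pid in log:
        per_user[user][day] += 1
    alerts = {}
    for user, by_day in per_user.items():
        for day, count in by_day.items():
            others = [c for d, c in by_day.items() if d != day]
            if len(others) >= min_baseline_days and count > factor * mean(others):
                alerts[(user, day)] = count
    return alerts

def detect_multi_locale(log):
    """{(user, day): sorted locales} for one credential used from several locales in a day."""
    seen = defaultdict(set)
    for day, user, locale, _pid in log:
        seen[(user, day)].add(locale)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def detect_uncataloged(log, active_identities):
    """Sorted (user, day, locale) tuples for access by an identity missing from the catalog."""
    return sorted({(u, d, loc) for d, u, loc, _ in log if u not in active_identities})
```

Each function returns the alerts a monitoring tool would raise for managers and IT staff; on the constructed log they flag rn_smith’s 30-record day, desk_jones’s two-locale day, and vendor_old’s access.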
Organizations in healthcare need to transform their security training procedures with automated and dynamic learning systems that provide staff with frequent context-based training. The training should provide context to the staff about the common sources of breaches (such as crime-as-a-service malware), and how they can do their part to prevent large-scale problems. There also needs to be a cultural shift, where staff is treated as part of the “security team,” instead of an adversarial IT and staff relationship.
The technology side of the equation involves healthcare organizations finding the right vendors that offer robust monitoring and identity management. Firms should recognize the persistent problem of past employees or vendor staff who use their credentials in unauthorized ways. Monitoring is essential to turn a typically reactive process into a proactive environment where non-compliance is quickly identified and stopped.
When used in tandem, this people-technology approach can transform healthcare organizations into more efficient and secure institutions that are trusted by patients to keep private information safe.
About the Author:
Kurt Long is the Founder and CEO of FairWarning®, whose Patient Privacy Intelligence customers represent over 8,000 healthcare facilities globally, and which protects financial services customers with over $500 billion in assets. Prior to FairWarning®, Long founded and served as CEO of OpenNetwork Technologies, a leader in web single sign-on and identity management software solutions. As CEO, Long led OpenNetwork to over 2,000 percent growth with customers across the United States, United Kingdom, Europe and Australia. OpenNetwork was acquired by BMC Software of Houston.