[BreachExchange] Managing the effects of 'Crime-as-a-Service' within healthcare

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 20 18:58:44 EDT 2017


http://www.securityinfowatch.com/article/12342667/managing-the-effects-of-crime-as-a-service-within-healthcare

From late 2009 to 2017 there were healthcare industry data breaches that
exposed the health information of more than 155 million Americans.
According to a study from the Brookings Institution, a quarter of hacking
attempts are focused on healthcare, due largely to the monetary value of
selling this information on the black market.

The vehicle for many of these hacking attempts is
“cyber-crime-as-a-service,” where malware is pre-bundled into an
exploit kit. This prepackaged format means criminals with limited technical
experience can successfully carry out attacks and breach a healthcare
provider’s defenses with minimal effort. Organized crime elements are
behind many of these breaches and often use an “insider” to steal records.

Despite the risks and the relative ease of initiating an attack, many
healthcare organizations do not have the most advanced security measures in
place. In some instances, there are unintended consequences from other
regulatory measures that help put data at risk. For example, the push
towards electronic health records (EHR) increased data access but some
organizations were not ready for the security side of managing all of that
digitized information. Most healthcare organizations are also not using
monitoring solutions – so they don’t know when breaches occur.

Internal and External Threats

Hackers are “in it for the money” so they often target healthcare records
because they fetch an attractive price on the open market. These types of
records are also easier to obtain. Besides sophisticated criminals, another
source of healthcare breaches is internal staff members. For example, a
front desk employee at a large hospital group might access someone’s health
records as a favor for a friend. Their intent is not to sell the
information, but it represents a breach nonetheless. In either this example
or a hacking incident, there is typically not visibility into the problem,
so the organization does not learn about the breach until weeks or months
later.

Employee awareness around data security is noted as a top threat by IT
health executives. This lack of awareness means internal staff is often the
entry point of a breach due to their actions that do not follow security
protocols.

Another source of breaches that’s hard to manage is third-party vendors. A
complex hospital group might utilize dozens of vendors at a time (EHR
vendors, clinics, labs, IT consultants), and these workers are often
granted access to a variety of systems. However, the activities of these
individuals are not typically tracked, and their identities and levels of
access are not typically cataloged. The hospital group is largely operating
on faith that the vendor hires reputable people and that those people are
properly trained on security. That’s a tall order, especially in situations
where the vendors outsource some of their own work to another third party,
which creates another layer of data-access complexity.

Vendor staff is also not typically trained on security procedures,
including password creation policies, log in/out procedures, avoiding
public Wi-Fi, etc. A common situation is for a contractor to leave a vendor
and no action is taken to restrict them from still accessing systems and
databases. So a few months or years after leaving the company, this
individual can pose a risk to the entire organization.

A large hospital group could have merged with or acquired multiple entities
during a 20-year span, and worked with hundreds of vendors. It’s not likely
that internal IT has records of every person during that span that had
access to patient or financial information. If 200 people were laid off
after the most recent acquisition, do their access logins still work? Do
the vendors from the new EHR solution keep track of all of their staff
people? These questions should keep the hospital group’s IT up at night, as
each unaccounted for person poses a security risk.

Managing Multiple Layers of Problems

Properly managing security within a healthcare organization requires a
“people and technology” approach. The people involved in the organization
must be identified and their access credentials kept in a managed
centralized source. This must include all past staff members and vendors in
order to build a true accounting of potential access threats.

Training is essential for compliance with security measures and to raise
awareness about improper usage of systems and databases. Specialized
training should be employed for those workers that handle the most
sensitive records. Unfortunately for the healthcare industry, the current
training methods are outdated and ineffective. Staff is not typically
provided with detailed information about log on/off policies, password
protection, and rules on distribution of records. Employees might perform
an action that might seem innocuous at the time, but could be a serious
breach. For example, an admin might open an email attachment from an
unknown source, which then allows a malware kit to take hold. Or an RN
looks up the results of their niece’s broken ankle x-rays and finds out she
also came in for pre-natal care. Staff training can prevent both types of
issues, and help the organization to avoid possible liability and help the
employee avoid termination.

Dynamic learning systems that use automated and frequent training are
essential. The scale and scope of the modern healthcare organization make
traditional training exercises pointless. You cannot simply have hundreds
of people in a room and have a presenter drone on about security
procedures. Organizations need personalized and context-based training that
includes automated and frequent messages. Staff should understand the
implications of poor security procedures and how they can play a role in
developing a security-focused culture.

On the technology side, organizations should put in place advanced
monitoring tools to identify poor security patterns, spot individual user
credentials being used in different locales, and identify unapproved
access. Such tools can recognize odd or unapproved registration and login
patterns and then send automated alerts to managers and IT staff. For
example, the system could detect a surge in the accessing of patient
records by internal staff who typically only need to read a handful of
patient files a day.
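The two detections described above (a per-user surge in patient-record reads, and one credential used at two sites within a short window) as an added illustration, not code from the article or any vendor product. The log line format, user names, site names and baseline counts are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed one-day EHR access log in a hypothetical "ts user= patient= site=" format.
SAMPLE_LOG = """\
2017-06-20T08:05:00 user=rn_01 patient=P100 site=main-campus
2017-06-20T09:10:00 user=rn_01 patient=P101 site=main-campus
2017-06-20T11:40:00 user=rn_01 patient=P102 site=main-campus
2017-06-20T08:00:00 user=desk_07 patient=P200 site=main-campus
2017-06-20T08:02:00 user=desk_07 patient=P201 site=main-campus
2017-06-20T08:03:00 user=desk_07 patient=P202 site=main-campus
2017-06-20T08:05:00 user=desk_07 patient=P203 site=main-campus
2017-06-20T08:06:00 user=desk_07 patient=P204 site=main-campus
2017-06-20T08:08:00 user=desk_07 patient=P205 site=main-campus
2017-06-20T08:09:00 user=desk_07 patient=P206 site=main-campus
2017-06-20T13:00:00 user=vendor_it3 patient=P300 site=main-campus
2017-06-20T13:12:00 user=vendor_it3 patient=P301 site=north-clinic
"""

# Constructed per-user baseline: typical number of distinct patients read per day.
BASELINE = {"rn_01": 4, "desk_07": 2, "vendor_it3": 1}

def parse_log(text):
    """Parse log lines into (timestamp, user, patient, site) tuples."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kv["user"], kv["patient"], kv["site"]))
    return events

def detect_surges(events, baseline, factor=3):
    """Flag users who read more than `factor` times their usual daily patient count."""
    seen = defaultdict(set)
    for _, user, patient, _ in events:
        seen[user].add(patient)
    return {u: len(p) for u, p in seen.items() if len(p) > factor * baseline.get(u, 1)}

def detect_site_hopping(events, window=timedelta(minutes=30)):
    """Flag one credential used at two different sites within `window` of each other."""
    last = {}
    alerts = []
    for ts, user, _, site in sorted(events):
        if user in last and last[user][1] != site and ts - last[user][0] <= window:
            alerts.append((user, last[user][1], site))
        last[user] = (ts, site)
    return alerts
```

Either alert would be routed to managers and IT staff; the surge check uses distinct patients rather than raw row count so repeated reads of one chart do not trip it.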

The more advanced technology tools will have mapping to HIPAA guidelines,
which will help providers to successfully manage audits. These solutions
also use predictive analytic technologies so the organization can
proactively spot potential problem solutions or staff. This approach
contrasts sharply with the typical situation where an organization does not
know about a breach until it’s way too late. Management of access is
trickier within healthcare compared to other industries because information
can mean actual life or death. Doctors and nurses cannot be required to go
through lengthy authentication steps before they can pull up a chart. So
there must be a certain level of trust that is developed through training,
where IT can comfortably protect data without placing restrictions on the
healthcare organization’s primary care mission.

Monitoring must go hand-in-hand with identity management, a process that
catalogs every individual and business that can gain access to systems and
networks. Access rights management solutions give IT and management the
ability to delineate where people work, the exact access rights they
require, and their exact personal information. New users should always be
entered into this system, as well as vendor staff and any other outside
person that can gain entry into patient records. Setting up such identity
management takes some initial setup time, but the long-term payoff is
immense. It ensures people are accountable for their actions, and means
criminal activities can be quickly identified and curtailed.

Moving Ahead

Organizations in healthcare need to transform their security training
procedures with automated and dynamic learning systems that provide staff
with frequent context-based training. The training should provide context
to the staff about the common sources of breaches (such as
crime-as-a-service malware), and how they can do their part to prevent
large-scale problems. There also needs to be a cultural shift, where staff
is treated as part of the “security team,” instead of an adversarial IT and
staff relationship.

The technology side of the equation involves healthcare organizations
finding the right vendors that offer robust monitoring and identity
management. Firms should recognize the persistent problem of past employees
or vendor staff who use their credentials in unauthorized ways. Monitoring
is essential to turn a typically reactive process into a proactive
environment where non-compliance is quickly identified and stopped.

When used in tandem, this people-technology approach can transform
healthcare organizations into more efficient and secure institutions that
are trusted by patients to keep private information safe.