[BreachExchange] How to Avoid Common Healthcare Data Security Challenges

Audrey McNeil audrey at riskbasedsecurity.com
Fri Aug 5 14:28:40 EDT 2016


http://healthitsecurity.com/news/how-to-avoid-common-healthcare-data-security-challenges

PHI cyber theft is on the rise.

The Ponemon Institute reports in its Sixth Annual Benchmark Study on Privacy &
Security of Healthcare Data that nearly 90 percent of all healthcare
organizations have suffered at least one data breach in the last two years.

This phenomenon results from a confluence of trends. In addition to the
increasing sophistication of cyber attackers, many healthcare organizations
lag behind retail and financial organizations when it comes to creating
hardened, multilayered security defenses.

These companies are held back by three industry trends. First, tight
budgets, driven by the shift from a fee-for-service payment model to a
pay-for-performance model, result in organizations stretching to meet all
of their cyber security needs.

Next, healthcare and insurance providers are encouraging consumers to
access information and file claims electronically. Healthcare providers are
increasingly moving to computerized physician order entry (CPOE) systems,
potentially placing even more information at risk.

Finally, healthcare IT teams are often consumed with ensuring the ongoing
performance of advanced healthcare equipment as well as the ongoing move to
EHRs, reducing the resources available to focus on cybersecurity.

Further aggravating this situation is the fact that unlike credit card
fraud, which victims typically discover within a matter of hours or days,
PHI theft can go undetected for years.

What are the effects of healthcare data breaches?

The costs of healthcare breaches are both obvious and subtle.

The obvious ones are documented regularly; the subtle ones are much less
covered, but can be equally pernicious.

One is the time associated with investigations that can require large
amounts of data, policy, and procedure requests that pull resources away
from routine monitoring, detection and mitigation of new threats.

Another is time and budget spent on retaining third-party experts to
identify where and how breaches occurred.

The healthcare industry faces challenges beyond those impacting most
industries since so much information is shared across many different users,
providers, and devices. When patients, healthcare devices that are equipped
with sensors to manage performance and reliability, and operations share
data across multiple entities, the integrity of that data is only as strong
as the weakest link.

As people and devices create and share an increasing amount of healthcare
information, the threat only becomes greater. Current laws have not kept up
with the rapidly evolving security needs of the healthcare industry.

What regulations are currently in place?

HIPAA, enacted in 1996, and HITECH, enacted in 2009, are the two critical
laws governing healthcare industry information.

The HIPAA Privacy Rule and Security Rule protect the privacy and security
of certain health information.

The Privacy Rule sets national standards for protection of “individually
identifiable” health information. The Security Rule creates a set of
security standards for protecting certain health information that is held
or transferred electronically. It addresses technical and non-technical
safeguards that organizations classified as “covered entities” must
implement to secure ePHI.

The HITECH Act was a component of President Barack Obama’s stimulus
package. Due to the expansion of healthcare-related information shared
electronically, it expands the scope of the Privacy and Security Rules and
increases the potential legal liability for non-compliance.

Most recently, President Obama issued Executive Order 136346, “Improving
Critical Infrastructure Cyber Security.”

As a result, the National Institute of Standards and Technology (NIST) has
created a Cybersecurity Framework composed of best practices from multiple
standards bodies that have proven to be successful in the past. The
Framework includes four components: Profile, Implementation Tiers and Core.

The Profile enables organizations to measure their existing cybersecurity
initiatives against recommended practices in the Framework Core. These
include processes, procedures, and technologies, such as asset management,
alignment with business strategy, risk assessment, access control, employee
training, data security, event logging, and analysis and incident response
plans.

Implementation Tiers allow organizations to use the completed Profile to
rank themselves based on four tiers of cybersecurity maturity.

These range from Tier 1, where risk management is ad hoc with limited
awareness of risks, up through Tier 4, where risk management processes and
programs are based on lessons learned and embedded in the culture, and
proactive collaboration both within and outside the organization is in
place.

The Framework Core defines standardized cybersecurity activities and is
organized by five continuous activities: identify, protect, detect,
respond, and recover. It represents an ongoing cycle that, when executed
well, represents effective cyber security.

In addition, the Framework encourages effective collaboration among
organizations that share data. A recent PwC study found that 82 percent of
companies with high-performing security practices collaborate with others
to achieve these goals.

Some healthcare organizations are recognizing the benefits of moving data
to cloud providers that focus on healthcare. This move reduces the need to
purchase, maintain and upgrade information security infrastructure through
the organization’s adaptive defense architecture. It also minimizes the
need to hire either internal staff or third-party experts to keep security
up to date.

HIPAA-compliant cloud providers focusing on healthcare often have already
invested in an attack prevention strategy that includes firewalls,
intrusion detection, intrusion prevention, sandboxes and other solutions
that protect data by analyzing and mitigating threats.

Why HIPAA compliance doesn’t guarantee data security

As with every industry, the question has shifted from if an organization in
the healthcare ecosystem will be exploited to when, and how severe the
breach will be.

As healthcare organizations address these challenges, they often fall into
one or more common traps that can deflect their attention and resources
away from actual cyber security threats.

The first is mistaking compliance for security and risk management.

Just because an organization is in compliance with HIPAA, HITECH and other
regulations doesn’t necessarily mean the organization is secure.

The broader healthcare ecosystem of companies includes significant IT
complexity and legacy systems that were never designed, coded or tested
against security best practices.

Layering new systems on top of these to support ePHI and other initiatives
may in many cases only add complexity and increase vulnerabilities.

Focusing on the healthcare facility versus the healthcare ecosystem is
another trap.

The potential attack opportunities for hackers grow exponentially with the
number of data handlers involved in the ecosystem.

While all of these organizations have responsibility to meet regulatory
requirements, gaps can occur when these organizations then share data
beyond their networks and security infrastructure.