[BreachExchange] Healthcare cybersecurity must complement HIPAA compliance

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jan 31 19:09:38 EST 2017


http://searchhealthit.techtarget.com/tip/Healthcare-cybersecurity-must-complement-HIPAA-compliance

The biggest threat to healthcare data security is often unauthorized access
by staff. Behavior tracking can detect snooping by employees and identify
users who have been hacked.

Meeting HIPAA's vast array of regulations isn't enough to secure patient
data in today's connected healthcare environment. Protecting against
healthcare cybersecurity threats and unauthorized access to patient medical
records requires a comprehensive, scalable approach that addresses how an
organization's evolving IT infrastructure impacts electronic protected
health information (ePHI).

For Sharp HealthCare, that means investing in technologies that monitor
information entering and exiting their network, said Bryan Kissinger, CISO
and vice president of IT risk management at the San Diego-based institution.

With 18,000 employees, 3,000 physicians and more than 30 separate
locations, Sharp's primary external ePHI risk is email -- specifically
phishing emails containing malicious software. Kissinger plans to allocate
at least $1 million of his $4 million FY2017 budget -- a 33% increase over
2016 -- on security incident and event management, database monitoring,
privileged account management and multifactor authentication.

Similarly, Children's Mercy Kansas City in Missouri needs a scalable,
reliable way to perpetually monitor and scan the six million daily hits on
its server, as well as all outgoing traffic, said Vice President and Chief
Information and Digital Officer David Chou. He opted to outsource their
security operations, and, effectively, the role of a CISO, to a security
operations center that can take immediate action to halt or mitigate an
attack.

"We're in the business of providing care. I don't want to be in the
business of enterprise security," he said. "It's too expensive to do
ourselves, and we can't staff the talent." A third-party vendor performs
continuous web application and vulnerability scans to assess computers,
computer systems, networks and applications for weaknesses. These "white
hat" scans operate similarly to a hacker looking to gain unauthorized access.

So far, they've successfully foiled attempted logins from Asia, Brazil and
the Middle East. "We had no idea how many hits we were receiving," Chou
said. "We didn't have the tools in place."

He also hired a director of information security to help build upon and
implement their security program and will hire security and access
management engineers as well. Staffing these key positions could take
several months or longer since finding the right talent is challenging.
Chou needs security specialists who can keep up with the fast-changing
technology landscape and balance healthcare cybersecurity with the unique
needs of providers, staff and patients.

Chou spent about 10% of his $60 million IT budget in 2016 to bolster
internal and external data security, and he will likely spend more in 2017.

"It's a very healthy budget to ensure we're able to afford the right
security tools," said Chou, who joined the organization in May 2016.
"Security is top on my radar and should be the organization's top priority
and investment."

Security is quickly replacing data analytics and population health as a top
concern among healthcare CIOs, with healthcare organizations dedicating an
average of 12% of their health IT budgets to internal and external
cybersecurity protection, the Ponemon Institute estimated. It found that
nearly 90% of healthcare organizations experienced a data breach during the
last two years. And while most of the breaches involved 500 or fewer
records, the average cost was more than $2.2 million.

Cyberthreats from within

Like many healthcare organizations, Sharp HealthCare's biggest internal
HIPAA threat is its own workforce -- "snooping" by staff or employees who
access patient records without a legitimate reason.

"Once you're internal to the network and have the credentials, moving
laterally from system to system or accessing information resources" isn't
as difficult as it should be, Kissinger said. He'll pilot a scalable
auditing system in 2017 that employs user behavior analytics to track and
identify patient record access and maps the clinical or operational reasons
for it. This third-party tool tracks user-specific trends to quickly spot
anomalies and unauthorized access to medical records. It's designed to not
only weed out snooping, but to also identify users who may have been hacked.
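To make the user-behavior-analytics idea concrete, here is an added example (not Sharp's pilot tool or anything from the article) that runs the two checks Kissinger describes over a constructed access log: record accesses with no clinical or operational reason mapped to them (snooping), and accounts whose daily access volume jumps far above their own baseline (a possible hacked account). The four-field log format and the user and patient IDs are assumptions for the example.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample access log: "timestamp user patient_id mapped_reason".
# A '-' reason means no clinical/operational justification could be mapped
# to the access. Assumed format for this example, not a real EHR audit log.
BASELINE = [  # nurse_a: three unit-related accesses per day for eight days
    f"2017-01-{day:02d}T08:{m:02d}:00 nurse_a P10{day}{i} treating_unit"
    for day in range(23, 31) for i, m in enumerate((5, 20, 45))
]
SNOOP = ["2017-01-30T12:10:00 nurse_b P9999 -"]  # access with no reason mapped
BURST = [  # nurse_a's account pulls 40 records at 2 a.m. on one day
    f"2017-01-31T02:{i:02d}:00 nurse_a P5{i:03d} treating_unit" for i in range(40)
]
SAMPLE_LOG = BASELINE + ["2017-01-30T10:00:00 nurse_b P2001 scheduled_appt"] + SNOOP + BURST

def parse_log(lines):
    """Split each record into its fields; malformed lines are skipped."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, patient, reason = parts
        events.append({"day": ts[:10], "user": user, "patient": patient, "reason": reason})
    return events

def find_snooping(events):
    """Accesses the system could not tie to a clinical or operational reason."""
    return [(e["user"], e["patient"]) for e in events if e["reason"] == "-"]

def find_volume_anomalies(events, factor=3, min_days=3):
    """Flag (user, day, count, baseline) where a user's daily access count exceeds
    `factor` times their own median daily count. The median is used as the
    baseline because a single spike barely moves it, unlike a mean."""
    per_user_day = defaultdict(Counter)
    for e in events:
        per_user_day[e["user"]][e["day"]] += 1
    flagged = []
    for user, days in per_user_day.items():
        if len(days) < min_days:
            continue  # not enough history to establish a per-user baseline
        base = median(days.values())
        for day, n in sorted(days.items()):
            if n > factor * base:
                flagged.append((user, day, n, base))
    return flagged

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("snooping:", find_snooping(evts))
    print("volume anomalies:", find_volume_anomalies(evts))
```

In practice the reason mapping would come from the scheduling, admission and unit-assignment systems, and the baseline would be built per role as well as per user.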

In fact, more data breach incidents (57) were reported in November 2016
than in any previous month of the year -- and more than half (54%) of them
were caused by employees, according to Protenus, which publishes a monthly
report of incidents reported to the Department of Health and Human Services
or first disclosed in the media.

"Hacking pales in comparison to insider breaches," the company stated in
December. Forty-five percent of the insider breaches were due to
intentional wrongdoing and compromised nearly 265,000 records. Fifty-five
percent were due to error or accident and resulted in far fewer exposures
(about 17,000).

Education should play a key role in your IT strategy

Because a cybersecurity IT strategy is only as strong as an organization's
weakest staff member, education must be a primary ingredient of a
comprehensive strategy.

Sharp HealthCare has hired a full-time training and awareness coordinator
to engage staff and build awareness of their critical role in Sharp's
cybersecurity program. This key staffer has already mapped out a
comprehensive education plan for 2017 that targets different groups of
employees throughout the year, Kissinger said.

Gila Regional Medical Center includes prank phone calls and mock phishing
emails as part of its healthcare cybersecurity training, said John Little,
enterprise system architect at the organization, which is based in Silver
City, N.M. For example, employees may receive a phone call from someone
calling from an outside line who claims to work for IT.

"They'll say, 'I'm going to send you an email, and you need to click on the
link and log into our portal so I can update your account,'" Little said.
If the staff member falls for it, Little provides them with additional
training. "A hacker only needs one person to click that attachment, and
they're in."