[BreachExchange] Security Awareness For Healthcare Professionals

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 9 19:17:04 EDT 2017


http://resources.infosecinstitute.com/category/healthcare-information-security/security-awareness-for-healthcare-professionals/

The healthcare industry has experienced a major change with electronic
records enablement which replaced traditional paper-based medical records.
This shift improved the efficiency of delivering health care services to
the clients/patients and minimized insurance fraud as well as billing
errors. However, shifting to an electronic mode of medical data storage
calls for additional awareness and responsibility by healthcare
professionals to protect the stored information against possible data
breach.

Health information data breach is known as a medical data breach, which may
include breach of medical billing information (from health insurance) or
personal health information of patients from the electronic records of
individuals. Any data breach has to be reported to the federal government
and the individual affected as per law in the United States.

Medical field professionals should always be well informed regarding their
liability towards safeguarding patient information. A privacy breach not
only accounts for hefty fines in the range of $1,500 per breach, but also
accounts for ethical as well as moral considerations. For example, let’s
look at the HIPAA fine of $1.725 million imposed on Concentra Health
Services. The breach happened due to an unencrypted laptop containing
patient records that got stolen from the Springfield Missouri Physical
Therapy Center. When it comes to protection of personal information and
storage of medical records, patients or clients usually take matters very
seriously. Highly confidential medical information is at risk with the
increasing number of cases involving identity theft. Therefore, it is
becoming more and more important for healthcare professionals to develop
increased security awareness.

The Importance of Healthcare Data Protection

Although the main focus of healthcare professionals should be on providing
healthcare services of superior quality to their patients, they cannot
ignore the importance of protecting patient information. Thus, they should
have adequate awareness of cyber security, because the number and
frequency of data breaches is increasing rapidly. The majority of these
data breaches occur due to human error, such as a breakdown of physical
security (a door left open) or a procedural lapse (a user ID or password
not kept protected, or account credentials shared between staff).

Healthcare industry professionals always look to support their patients and
protect their health as well as personal information. They do not
intentionally want to do anything that may adversely impact the patient’s
health. The motto of health IT is to provide faster, more efficient and
more cost-effective care to the patients through the use of improved
hardware and software technologies that already proved efficient in
transforming other industries. However, potential cyber risks should be
considered, and adequate security must be employed. Providing healthcare
professionals with proper security awareness is an essential part of the
security measures to be taken.

Training of Security Awareness

The healthcare sector can be regarded as one of the most
information-intensive industries. Our day to day life and health is
critically impacted by our personal health data. To continue innovation
within the health industry, it is highly essential to maintain integrity
and confidentiality of personal health data.

Being an information intensive industry, the healthcare sector remains a
primary target for cyber attackers with the ever increasing instances of
cybercrime.

As per IBM X-Force Research in 2015, the healthcare sector remains the most
commonly attacked industry. The main reason behind these frequent attacks is
that the healthcare industry lacks the expertise to secure its massive
databases. Moreover, it has a limited understanding of the motivation and
nature of cybercrime threats.

The rapid and continuous change in technology further compounds the
situation. Every day brings new ways of generating sensitive information.
PWC research estimated that 86% of medical practitioners believe that in
the next few years mobile apps will become a significant component of
patient health management. This will again call for a level of data
protection that was not needed before.

These situations clearly show the importance of building the security
awareness of healthcare professionals and the need for a good security
awareness program to educate them. A good security awareness program uses
knowledge and education to handle all forms of threats to security.
Improving the security awareness of healthcare professionals involves bringing
everyone in the sector under the same training umbrella, so that cyber
security knowledge is spread equally at every level of the organization.
Security awareness for healthcare professionals revolves around:

Generating a pro-active security culture
Understanding attacks in relation to the wider security landscape (for
example, knowing the consequence of phishing)
Building respect towards the privacy of individuals
Understanding the meaning of PHI or Protected Health Information and why
one should protect it
Understanding that security is part of the whole organization and impacts
everyone
Knowing the impact of privacy and security rules that apply to the
healthcare industry

Security awareness should become an integral part of the overall security
strategy of the healthcare industry to prevent possible cyber attacks.

Healthcare organizations have countless things to look after, such as
providing patient care of the highest possible quality, retaining financial
viability as well as leveraging information technology to improve the
operational standard. Still, health care organizations have to give equal
priority towards maintaining high-quality security settings to prevent any
possible data breach. Raising cyber security awareness among health care
professionals also involves making them aware of the consequences of errors
in individual actions (such as clicking malicious links that can compromise
the whole network and lead to data breach).

Recommendations Regarding Security Awareness of Healthcare Professionals

According to the FBI, cyber attackers can get as much as $50 per record,
which puts information worth over $500 million at stake. The longer
lifespan of healthcare information (years, as opposed to months for credit
card information) makes it much more valuable. Surprisingly, even under
these circumstances healthcare professionals get minimal training on
security awareness. Only 38% of healthcare professionals get security
training twice a year, while 49% get it only once a year. Moreover, only 7%
get some security training when they are first hired and, alarmingly, 6%
of health care professionals never get any such training.

Inadequate awareness training leaves health care organizations vulnerable
to cyber-attacks, as is evident from the increasing incidence of data
breaches in recent years. As per the KPMG reports, around 81% of health
care organizations experienced a data breach in the last year.

Building a robust security awareness program is the first line of defense
against such attacks.

Some basic steps to raise the security awareness of healthcare
professionals are as follows:

Regularly update the security awareness program content as methods and
means of attack are constantly changing with the availability of new
technologies.
It is better to have interactive sessions rather than showing a series of
presentations and videos on security awareness. It has been observed that
most of the employees give very little attention to these videos or
presentations. However, some interesting ones can be used in between the
interactive sessions.
There is a difference between security training and security awareness
programs. While security training provides users with specific knowledge
and is generally intended for short-term knowledge-building, security
awareness programs strive for behavioral change in individuals, thereby
strengthening the overall security culture. It is a continuous, long-term
process that builds the abilities, skills and knowledge of health care
professionals to enhance hospital security.
Security awareness programs should be made mandatory to every health worker
and not kept as an optional extra. Every individual related to the health
care industry has a role in enhancing hospital security and most of the
attacks happen due to the actions of employees with limited security
awareness (clicking bad links).
It is better not to focus only on the compliance requirements imposed by
HIPAA, HITECH or other federal regulations. The security awareness program
should be designed for continuous adaptation and improvement as technology
and business patterns change. The nature of threats will also change as
cyber attackers adopt new strategies to steal data.
Support from top executives and management is extremely essential as they
can lead by example through their participation in security awareness
programs.
Ensure that employees have some fun while attending the sessions. Make the
sessions interactive and try to include some games or quizzes or
competition sessions.
Spread reminders, newsletters, posters, blogs and tips in email to
continuously keep employees updated and on their toes. Use the free
resources available through organizations such as SANS Newsletters or
MS-ISAC.
It is important to focus on the behavioral changes regarding cyber
awareness in the personal life of employees including their home and
family. This will help in the overall improvement of security culture among
them. Employees usually have more attentiveness away from work settings
with their family at home.
The awareness programs must encourage feedback, ideas, creativity and
active participation of the health care professionals. Evaluation of the
program is important for further improvement.

Changing security culture is a hard process and takes years of continual
effort to see results. It is not a simple endeavor so be focused to achieve
the desired outcome.

What happens when data is breached?

The answer to the above question illustrates why we need security awareness
among healthcare professionals. In the US, privacy and security cut across
several legal frameworks. A number of guidelines and laws cover privacy and
data protection in the healthcare industry. Protected Health Information
and personal information are covered by two main pieces of healthcare
legislation: HIPAA, the Health Insurance Portability and Accountability
Act, and HITECH, the Health Information Technology for Economic and Clinical
Health Act. These two acts work together to cover the security expectations
of the entire healthcare sector, including the business associates of
healthcare providers. They require that data breaches be disclosed to the
affected individuals and to the government.

The fines associated with HIPAA and HITECH breaches are often very costly.
Here are a few examples of recently imposed fines:

HIPAA fine of $4.8 million imposed on New York and Presbyterian Hospital
and Columbia University for the PHI breach of 6,800 individuals.
HIPAA fine of $4 million imposed on Stanford Hospital & Clinics for 20,000
exposed patient records. The breach was caused when a business associate
posted the patient records on a website that was accessible to the public.

Security awareness of healthcare professionals is important as a data
breach contradicts the layer of ethics associated with the health care
system. However, lack of security awareness and risky behavior has become
part of health care organizations. Healthcare professionals often admitted
that they kept information at risk in the workplace. Security awareness is
beneficial to both healthcare organizations and professionals. Cyber
attacks can be minimized through good security practice of individual
workers. As cyber attacks on healthcare industries become more prevalent,
improving the security awareness of healthcare professionals will be even
more important.

The situation is made more critical by the legislative compliance
requirements imposed on the industry. Creating a workforce that understands
the cyber security implications of its actions is essential to the security
strategy of the healthcare industry. The presence of a human element in most
recent data breach incidents also compounds the problem and calls for
better security awareness among health care workers.

Proper means of addressing any possible breach

All types of security problems can be resolved by the IT industry. However,
in case a breach has taken place, it is important to know what to do at
that critical moment other than panicking.

Immediately address the breach: The first step is to make sure no further
breach takes place through the same loophole. Detect and address the
security flaw immediately. Locating the reason for the data breach such as
the server, human error or physical security lapse is important so that
damage can be minimized.

Form a team of experts to handle the situation: Forming an expert team
capable of handling the breach is essential. Without a team, it is
impossible to follow up the process of informing the authorities on the
breach and taking help from the legal department.

Properly test security after fixing the lapse: After resolving the problem,
it is important to test the system and ensure that the flaw is completely
resolved. Verifying the fix is vital, even before reporting the breach to
the affected individuals and the government.

Notify the outside parties: After resolving the security problem, it is
imperative to start notifying the internal legal cell, local authorities,
and public relations section. Although there is often a set time within
which a health care breach has to be reported, stopping further breaches
should always remain the priority.

Solving other related matters: Sometimes even the most obvious issues get
overlooked. Therefore, the long-term implications of the breach should also
be considered while resolving it. Quickly fixing the security flaws that
caused the breach is the immediate step, but it should be followed by a
thorough remedial process that may take much longer. Locate other potential
flaws that may be attacked in the future. Once attacked, health care
organizations should continuously analyze their infrastructure and cyber
security and test it at regular intervals.

Conclusion

Cyber security involves every health care worker in the system, ranging
from researchers, administrators, front desk workers, medics (laboratory
technicians, nurses, consultants and social workers), transcriptionists
and handlers of medical claims to IT and technical staff. In a chain, the
human touch point always remains a potential weak link. Cyber attackers use
this weak point to steal data through social engineering (such as
phishing). Increasing the security awareness of healthcare professionals is
the most potent tool to fight against such attacks. However, security
awareness is not limited to fighting social engineering; it involves the
creation of a culture of security.

The incorporation of HITECH Section 13407 increased the number of
stakeholders required to be included in the culture of security awareness.
It is extended to cover every associate of the business interacting with
PHI and personal information. Thus a vastly diverse group is created among
the health care stakeholders who need to have a sound understanding of the
healthcare security scenario. Proper knowledge of healthcare security also
enables them to adhere to the security rules of HIPAA and HITECH. Security
awareness of healthcare professionals will only provide positive outcomes
to the entire healthcare industry and related sectors.