[BreachExchange] Security’s Challenge in the Highly-Regulated Health Care World

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 20 09:52:30 EST 2018


Bruce Forman, chief information officer (CIO) at UMass Memorial Medical
Center, describes how to balance legitimate data access with security in a
highly regulated environment.

Is your organization’s traditional “network perimeter” dissolving? If so,
does this affect your approach to security?

 The network perimeter has been dissolving for quite some time, as more and
more organizations, including our own, source some of our core applications
from application service providers. The perimeter thus has to include
entities that are not a core part of the network.

Your approach has to first rely on the security controls maintained by
those other entities, to validate that their controls are reasonable. You
then need to focus on where the data resides and provide controls that are
data centric, rather than network centric. These controls are built into an
application and, leveraging user authentication and authorization, give an
individual access to a particular set of data so you can control what they
can and cannot access.

As a health care provider, we need to provide our partners the information
they need to provide a continuum of care while protecting patient privacy
and complying with HIPAA requirements. To balance those needs, we try to
provide the minimum necessary access using a combination of preventative
and detective controls. A preventative control, for example, might specify
which patients an outside provider can access data on. A detective control
might aggregate all the audit log events, such as who accessed or made a
change to a record, actively monitor those actions, and find and
investigate anomalies.

How do you track “data sprawl” as a health care organization?

This challenge isn’t completely resolved, but it became much less of a
problem last October when we switched to a single application to house most
of our medical records. Prior to that, data sprawl was a very large issue.
We had concerns about which system was the single source of truth, with
different groups accessing the same data from different systems. This would
lead to questions about which data is the most up-to-date.

Have you implemented a people-centered IT security strategy?

I think of this as role-based access. Based on information about a user,
such as job title, we uniquely identify what they should be allowed to
access. We then use our monitoring capabilities to find behavior that
deviates from the norm.

For example, it might be normal for a scheduler to visit 200 patient
records each day. If we saw somebody instead access 2,000 records a day,
that would be something to investigate. In addition, you would expect them
to make an edit in most of those 200 records as they make or change
appointments. A scheduler going in and out of a few records without making
a change is understandable, because those patients might not make an
appointment during the call. But, again, if the scheduler accessed many,
many records without editing any, they might be harvesting information to
commit identity theft.

Is data from the Internet of Things (IoT), such as wearables, a security
concern for you?

 I’m more concerned about the efficacy of the data than the security. If
you come into my office and I take your blood pressure, I know it’s
accurate. But if you go to another provider to have your blood pressure
taken, or get a reading from a wearable device, I have less assurance of
its accuracy. It’s useful, but I need to know where it came from when I
make a medical decision.

What other IT security issues are you grappling with?

One of the biggest is around the increasing number of medical devices that
are being connected to the network, so information from them can be
automatically added to medical records. Since many of these devices were
not originally intended to be network attached, the security available on
them is not necessarily enterprise grade. It’s a challenge for us to
inventory those devices, and then put controls in place to assure the
confidentiality and integrity of the data, as well as patient safety.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180220/2aa53317/attachment.html>

More information about the BreachExchange mailing list