Healthcare and Data Security—The DOs and DON’Ts
January 21, 2020
How do healthcare providers ensure data security? John Brady, CISO at Secure-24, shares some dos and don'ts of data security below.
What should Healthcare Providers do to Protect Data?
#1—Know What and Where the Most Sensitive Data is Located
The foundation of any information security program is asset knowledge, classification and management. Without this foundation, gaps will exist, and risks will go unnoticed. Efforts will be targeted incorrectly, and funds will be wasted. Auditors will cite this as a program failure, and in the case of a lawsuit following a breach, plaintiff lawyers will note this deficiency. Cyber insurers generally insist on the completion of this aspect of an information security management program. Most organizations really struggle to accomplish this objective, but it is necessary to get this done first.
#2—Phishing Awareness Training and Simulations
Phishing is still the number one attack vector used by criminals attempting to steal healthcare data or to hold providers for ransom by locking up their data and/or systems. This means regular training for all employees and contractors is mandatory. There are many good products available for purchase that provide short, interesting lessons. Secure-24 Managed Services can provide advice on the best approaches.
Do not rely on employees skimming the training that has been provided, even if they pass the quiz associated with it. Regular, targeted simulated phishing attacks should be conducted. These campaigns can be designed to focus on the most common targets (executives, treasury and supply chain staff), but all employees and contractors should be included. Again, there are several good tools available to do this testing, and Secure-24 Managed Services can help design the campaigns based on client experiences.
#3—Create, Maintain, and Test an Incident Response Plan
Most data security experts say that a successful attack against any given enterprise is not a matter of "if" but "when". Further, almost every organization has already been impacted by a successful attack, even if it is not aware of it. The key is how quickly and appropriately the response is executed once the intrusion is detected. There are several good templates for responding to information security incidents that can be customized to a particular healthcare enterprise.
In many respects data security incident response guidelines are similar to those for general IT incidents like system downtime:
- Conduct a thorough assessment of the impact.
- Ensure that there is a clear command and control structure and process in place.
- Restore systems in an orderly fashion.
- Communicate frequently to management, staff and the public (if they are affected) and other stakeholders.
The main aspects to add for a data security incident are:
- Take the correct steps to preserve data for forensic investigations.
- Contain, mitigate and eliminate the intrusion.
- Engage law enforcement and legal staff at the right time.
- Control communications details.
Again, there are many more details. Secure-24 Managed Services can help design an incident response process for healthcare enterprises based upon our extensive real-world experience. Writing the plan without testing it will give similar results to that of an acting company whose actors skimmed over the script and never rehearsed it. The performance would have many serious errors and would be considered a flop. The director would be fired for not conducting rehearsals. In healthcare, surgeons don’t just perform a quick read of how to do a new type of surgery. They practice first and often use smart mannequins that can react to the process.
These tests should be taken very seriously but constructively so that missteps are caught and improved upon. No finger pointing should be done. These “rehearsals” are the chance to catch errors and make improvements. Different scenarios should be tested, results documented, and lessons learned followed up on.
#4—Implement Multi-Factor Authentication (MFA)
The objective of phishing attacks is to gain the credentials of the person being phished. Although not impossible, it is much more difficult to gain the full credentials of that person if multi-factor authentication is used. In the past, using MFA was seen as somewhat cumbersome, requiring a separate token or some other method. Newer methods require no separate device beyond the user's cell phone. Biometrics can be combined with the authentication to make it faster, easier and more difficult to break. Devices can be tested and secured by various tools. NTT Managed Services can assist in the creation of an MFA strategy that works for a specific enterprise, as well as carry out the actual implementation. Include nurses and physicians in the planning process, as their buy-in is critical.
What Healthcare Providers Shouldn’t Do
#1 – One Time Efforts
Information security programs are never ending. All of the "DOs" above are continuing efforts. In fact, they should be analyzed to improve them over time and to deal with new threats as they come up. It is key to make sure that executives and the board understand that information security is a journey, not an end in itself. This is similar to patient health—patients need to maintain a proper diet and exercise, take their medications and see their doctors regularly for life in order to stay healthy, so the idea of a journey to maintain good security health is not new in this field. Secure-24 Managed Services has Security Advisors who can help craft this message.
#2 – The New, Bright, Shiny Information Security Tool
Many enterprises waste significant time and funds chasing a silver bullet that will be the ultimate protection tool, or even the ultimate tool for just one component of their information security program. This is an unnecessary and futile effort. Attackers take the easiest path to stage an attack. They look for unaware users, outdated systems without current patches, open ports, private information accessible publicly by mistake, insecure third-party vendors, etc.
Just as in healthcare, where hand washing, clean equipment and environments, and confirmation of right patient/medication/procedure are the simple processes to prevent adverse patient impacts, it is good IT hygiene that is required to protect patient data. User awareness, patching, written processes, network segmentation, asset management, tested backups, etc. are not only good for IT operations, they are good for information security.
Secure-24 can provide all of the basic operations needed so that information security management and IT executives can focus on value-added work to further improve security and patient care.
#3 – Focus on Compliance
Most experienced information security professionals know that checking off boxes to make sure the enterprise is HIPAA compliant does not mean the data is really secured. Just as a caregiver will visually look over a patient and listen to the patient describe their medical complaint, rather than relying on lab results alone to come to a proper diagnosis, a holistic approach is necessary. A risk-based, comprehensive approach that encompasses an understanding of the data and its attributes (classification, location, value, etc.) and of the current threat landscape is necessary to protect sensitive data.
Ensure that the level of risk of a particular item is taken into account. Use the asset inventory to make sure that the most sensitive and valuable data is addressed first. Another example: when managing operating system or application vulnerabilities, focus first on any that are externally facing and on those of higher severity. Realize that not every risk can be eliminated or even mitigated, and ensure that you can show management how scarce resources were allocated based upon risk level.
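As an added example (not code from the original post), the risk-based ordering just described expressed as a small triage routine: findings are ranked by severity, weighted by the data classification from the asset inventory and by whether the asset is externally facing, and anything on an asset the inventory does not know is set aside to be classified first. The classification levels, asset names and CVE ids are constructed placeholders.

```python
# Added example (not code from the original post): risk-based triage of vulnerability
# findings in the order the post describes, externally facing and higher severity first,
# weighted by the data classification held in the asset inventory. All data is constructed.
from dataclasses import dataclass

# Hypothetical inventory classification levels; higher means more sensitive.
CLASSIFICATION_WEIGHT = {"public": 1, "internal": 2, "confidential": 3, "phi": 4}

@dataclass(frozen=True)
class Asset:
    name: str
    classification: str  # key into CLASSIFICATION_WEIGHT
    external: bool       # reachable from the internet

@dataclass(frozen=True)
class Finding:
    asset: str   # Asset.name from the inventory
    cve: str     # placeholder ids in the sample, not real CVEs
    cvss: float  # base score, 0.0 to 10.0

def risk_score(asset: Asset, finding: Finding) -> float:
    """Severity scaled by data sensitivity, doubled when externally reachable."""
    exposure = 2.0 if asset.external else 1.0
    return finding.cvss * CLASSIFICATION_WEIGHT[asset.classification] * exposure

def triage(assets, findings):
    """Rank findings highest risk first. Findings on assets missing from the
    inventory are set aside: they cannot be scored until classified."""
    inventory = {a.name: a for a in assets}
    ranked, unclassified = [], []
    for f in findings:
        a = inventory.get(f.asset)
        if a is None:
            unclassified.append(f.cve)
            continue
        reason = f"{'external' if a.external else 'internal'}, {a.classification} data, CVSS {f.cvss}"
        ranked.append({"cve": f.cve, "asset": a.name, "score": risk_score(a, f), "reason": reason})
    ranked.sort(key=lambda r: r["score"], reverse=True)  # the justification shown to management
    return {"ranked": ranked, "unclassified": unclassified}

def demo():
    """Constructed sample: a critical finding on the public site ranks below a medium one on the PHI portal."""
    assets = [Asset("patient-portal", "phi", True),
              Asset("hr-intranet", "confidential", False),
              Asset("public-website", "public", True)]
    findings = [Finding("public-website", "CVE-XXXX-0001", 9.8),
                Finding("patient-portal", "CVE-XXXX-0002", 6.5),
                Finding("hr-intranet", "CVE-XXXX-0003", 9.0),
                Finding("lab-archive", "CVE-XXXX-0004", 7.0)]  # not in inventory
    return triage(assets, findings)
```

The `reason` field is what goes into the report to management; the `unclassified` list is the gap in the asset inventory that the first "DO" above says to close before anything else.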
#4 – Go It Alone
Most healthcare enterprises have named a Chief Information Security Officer, or at least designated someone to manage information security for the enterprise. Those in this role quickly find that they cannot do the job alone, nor can they possibly hire enough staff to manage all of the tools, programs and processes required for a reasonable information security management system (ISMS) that complies with HIPAA and provides an adequate level of information protection.
The following components can be handled by third parties (the fewer third parties involved, the better):
- Management of tools for:
  - Security information and event management (SIEM)
  - Firewall management and compliance
  - Configuration compliance
  - Endpoint protection
  - Vulnerability scanning
  - And many more…
- Forensic investigations
- Incident response and tracking (partial)
- Security Operations Center
- Threat intelligence
- Security advisory
Key things to keep in the enterprise:
- Strategic Plan Formulation
- Budgeting and Purchase Decisions
- Determining specific regulatory requirements and including in vendor contracts/SOWs as needed
- Vendor Selection, Relations, SLA Audits and Oversight
- Relationship with External Auditors
- Communications to Law Enforcement and Regulatory Bodies
- Maintaining current knowledge of information security threats, and certifications
- Management Presentations and Regular Reporting
- Internal Communications
- Working with HR, Public Relations, Privacy, Legal and other key departments
- Approval of policies and internal procedures
When changes are made, communicate them to all of the stakeholders in the organization. Communicate frequently and repetitively, in different formats. Market the program and be prepared to explain how good information security hygiene protects patient data the way personal hygiene protects patients. Conduct regular update meetings with the different leadership groups and selected staff. Everyone can help be the eyes and ears of the information security organization, but they need to be kept up to date and also consulted. Work closely with nurses and physicians to make sure that security processes do not make their jobs unreasonably difficult.
Form a multidisciplinary information security advisory team consisting of representation from the following areas: physicians, nursing, legal, privacy, HR, supply chain, medical records, internal audit, IT management and compliance.
Data protection is an organizational responsibility – and not limited to IT. The dos and don’ts in this blog can assist providers in protecting sensitive patient data. Contact Secure-24 professionals to help you plan or execute your data or information security program. Click here for information about our Advanced Healthcare solutions.
John Brady is the CISO at Secure-24.