“It’s not inconceivable that there could be a large infrastructure attack in America and if there was, it could absolutely affect a hospital’s ability to deliver care.”
---Mac McMillan, chairman, CEO and co-founder of Austin, Texas-based consulting firm CynergisTek, in a recent interview with Healthcare Informatics
The healthcare cybersecurity crisis does not seem to be significantly improving, and experts continue to warn us of the potential ramifications. According to the 2017 year-end data breach report from Baltimore-based cybersecurity software company Protenus, last year there were 477 healthcare breaches reported to the U.S. Department of Health and Human Services (HHS) or the media—compared to 450 reported breaches in 2016 (it should be noted that there was also a drastic decrease in the number of affected patient records—27.3 million records breached in 2016, over five times greater than the number of records affected in 2017). Nonetheless, 2017 still saw an average of at least one health data breach per day throughout the entire year.
At healthcare organizations across the U.S., chief information security officers (CISOs) are deploying new strategies and approaches to cyber defense as they continue to face the new reality that data breaches are at this point becoming expected. In fact, a recent survey of more than 600 CISOs and other information security professionals across multiple industries, conducted by the Ponemon Institute, revealed that two-thirds of respondents believe that their companies are more likely to fall victim to a cyber attack or will face a data breach this year.
According to that same survey, when asked what they predict will happen to their organization in 2018, CISOs and other top security leaders indicated that human error actually leads the list of their worries. Sixty-five percent of respondents specifically reported they worry that a careless employee will fall for a phishing scam that results in a credential threat.
So what are some ways in which CISOs and other healthcare security leaders are working to fight off cyber attackers and better protect their data? None of the experts who Healthcare Informatics interviewed for this piece believe in any “magic bullet” approach, but more frequently now, leading minds are pointing to a few specific areas in which organizations can improve their strategies—namely, monitoring users’ behaviors and leveraging identity and access management (IAM) protocols.
Advanced Behavioral Monitoring and How it Could Help
CynergisTek’s McMillan, who has long been a strong advocator for cybersecurity strategies that do more than simply “following the rules” and performing traditional audit methods as a manual process, feels that organizations have to think about behavioral monitoring— in which organizations monitor their users at a high level—in terms of “attributes.” What he means by that is just about everything that happens in the system is an attribute—a user, a person, a patient, a time of day, and a location can all be attributes. And the more attributes one can associate with a given series of events, the more accurate one can get with analysis, he says.
Mac McMillan
As such, McMillan opined that using behavioral analytics, when focused on all of these attributes, is more effective than traditional methods that don’t take into consideration these attributes, but rather take in more things that are compliance- or rules-based, and are very limited in the information they look at.
He brings up an example of a nurse working in the ED. There is typically a pattern that emerges after studying numerous nurses in the ED that shows what a nurse’s profile looks like. When a person in that role begins to have a different role or something changes in that profile that’s an anomaly, the system then can alert someone to check up on it since this person isn’t acting like he or she is expected to act in that role.
“That’s the difference in these new behavioral analytics type tools that give you the ability to do more granular analysis, pulling in more attributes than the old manual compliance processes that are literally looking to see if Nurse Betty looked at someone’s record that wasn’t on her floor. And then someone has to go follow that lead and do a bunch of other data collection to figure out if Nurse Betty should have been over there, why was she there, and what were the circumstances? That is very time consuming and inefficient,” McMillan says.
Meanwhile, these [newer] tools can quickly look at everything associated with Nurse Betty and narrow down that this was the day that she was not working in her normal location, but she was assigned somewhere else and saw X patients. “You can quickly identify those events that look [like] outliers,” McMillan explains. He adds that behavioral analytics tools “allow you to study the behaviors of all of the different players in the equation of an event—not just the patient, but the caregiver, whoever was involved in the access, as well as the location and the activity, so you can understand more accurately what’s going on and what is really happening.”
Indeed, while there is a general consensus that behavioral monitoring strategies are becoming increasingly necessary, the question then becomes, how many healthcare CISOs are deploying these methods? And how sophisticated are their processes?
McMillan, for one, attests that healthcare as an industry “is way behind,” but adds that organizations “are now starting to move in that direction as they realize the capability of behavioral monitoring tools.” Meanwhile, Michael Ebert, a Philadelphia-based healthcare and life sciences leader for cybersecurity at KPMG, feels that these tools “are not being utilized at the level they should be.” Ebert says that the behavioral monitoring concept is one that’s tough to deploy in healthcare because most organizations haven’t yet matured their baseline security requirements so that they could even capture and measure that data effectively. He notes, “They don’t have good identity management or good privileged access management in place. They don’t have data analytics tools in place to understand data movement in their enterprise. They might not even understand all the assets associated within their network,” he says,” adding, “They are dealing with fundamental issues.”
One such security leader who is on that journey is Bryan Kissinger, Ph.D., vice president and CISO at Phoenix, Ariz.-based Banner Health, one of the largest health systems in the U.S. Kissinger notes that in some ways his organization is on the advanced side of behavioral monitoring tactics, but in other ways it is behind. In regards to analyzing clinician behavior within patient records, he says that there is technology in place that evaluates a number of inputs such as: the clinician’s job; where he or she physically is doing work; and which patients he or she is looking at, and it makes sure that clinicians are only accessing patient records they should be accessing.
Bryan Kissinger, Ph.D.
But on the side of malicious activity traversing the network or systems behaving the way they shouldn’t be, Kissinger admits, “We’re only at the beginning,” adding, “We’re looking at baselining what is normal behavior for most of our systems. We have implemented some database anomaly monitoring technology to be able to look for normal behavior on our most critical databases, and then alert and take action when that behavior is not considered normal. And that all feeds into our SIM [security information management product],” he says.
IAM and Behavioral Analytics—A Powerful Combination
In addition to monitoring users’ behaviors, the sources interviewed for this article agree that identity and access management (IAM) protocols also need to be deployed, as healthcare data breaches are often caused by unauthorized access or disclosure of information.
KPMG’s Ebert explains that there are two components to identity, with one being the basic concept of managing users and what they access. This is what Ebert calls “joiners and leavers,” referring to those users in an organization who gain access (joiners) and those who have access removed due to changing jobs within the organization or leaving outright (leavers). These users typically have basic functional access to do things such as look at the directory service and send emails.
Then there is more privileged access, Ebert says—the users with admin rights. “Today, in a lot of environments we look at, organizations are still running Windows 7, which principally has more than one authenticated right, so you can [designate] a user versus an administrator. But the user isn’t orchestrated in the right way in that [access] could barely be managed and deployed,” he says. “Windows 10 fixes a lot of that, but most users have administrator rights on their local laptop. They have privileged access. And that’s why so many viruses and forms of attacks can be executed because [people] have admin rights,” Ebert contends. He also brings up the challenge that oftentimes doctors are not in a single hospital, but rather are contracted in. “So they may work in three or four hospitals just in a two-week period. Even full-time doctors can be rotational-based so their access rights have to change based on the role they are playing. You can have three different access rights in the same organization,” he says.
Michael Ebert
As such, Ebert says that once a good identity access process for joiners and leavers has been established, then the behavioral aspect and security modeling could be implemented at a higher level. Indeed, together, Shefali Mookencherry, principal advisor at Naperville, Ill.-based consulting firm Impact Advisors, says that using what she calls “the user and identity behavior analytics” simultaneously can be “very advantageous for organizations.” With traditional SIM tools, Mookencherry notes, “We’re only looking at limited context of a user’s data. We are looking at a snapshot in time of that user. But when we look at both user and entity behavioral analytics tools on top of that, you can start to connect the dots. You can see for example, if an employee is using an application and if he or she is starting to send out emails of internal information with attachments to an outside party,” she says.
Mookencherry, who heads up Impact’s cybersecurity and IT security practice, says she actually encourages organizations to take one more step past two-factor authentication, such as having a password tied with a one-time verification code and then also a fingerprint. “So then it’s three or more [authentications], and that can be cumbersome for users who will hate it because it’s not convenient and it slows them down. But from the security perspective it’s important that those measures are in place,” she says.
Shefali Mookencherry
On the identity side, like most organizations, Kissinger notes that Banner Health has historically had an in-house developed system or that it was done manually. But Kissinger, who has been in his role at Banner for less than a year, says his team is now looking at things from an efficiency and customer service perspective, getting to day-one birthright automated access for all workforce members. “And that access is tracked and governed within the platform such that on a quarterly basis we’re re certifying the access with the workforce member’s manager,” he says.
What’s more, for privileged access, Banner is using a tool to vault privileged passwords and system and privileged accounts in a safe vaulting technology such that database administrators and other privileged users need to go into the vault and check out an encrypted password to be able to escalade privileges from a normal user to an escalated user, Kissinger explains.
And lastly on the identity management front, Kissinger’s team is getting ready to implement a single sign-on tool that allows clinicians to be able to tap their badges on a badge reader—say in an exam room or the ED, or wherever they need to access health record technology—which then single signs them in to all of the applications they need for their job. “It probably saves each clinician five to six hours a week that he or she would normally need to do to manually type in log-ins and passwords to different systems throughout the day. So it’s a security feature but an efficiency one, too,” Kissinger contends.
Could New Strategies Reverse the Trend?
It’s not uncommon to hear in healthcare circles that cybersecurity will “get worse before it gets better,” or that bigger data breaches are on the way, sooner than later. But there is a feeling among the sources interviewed for this article that by investing more energy and effort into behavioral monitoring and identity and access management strategies, the tide could start to shift some.
Indeed, CynergisTek’s McMillan notes that there are “a tremendous number of breaches that occur as a result of insiders doing things they aren’t supposed to, and that’s not going away.” Meanwhile, Kissinger, when speaking about the “human factor,” says simply that “machines, computer and technology don’t make mistakes. Most ransomware is the result of unpatched systems and most systems can’t patch themselves—they require human intervention. He adds, “Humans are the ones who click on phishing emails, upload credentials and download malicious software.”
That said, McMillan attests that investing in behavioral monitoring and identity and access management strategies “can absolutely contribute to a much better environment.” He says that when he has seen healthcare organizations implement these tools and good programs for monitoring, they have experienced a reduction in the number of incidents that occur. “Once users understand that the organization is monitoring proactively and has the ability to accurately identify when they are doing something they shouldn’t be doing, a large majority of folks who did things in the past out of curiosity, or because they thought they could get away with it, will begin to conform to the proper behavior. So you do see a drop in the number of internal issues,” he says.
McMillan and others also make the key point that a shift in how healthcare board leaders think about investing in cybersecurity will be required. He says, “The only way to effectively do a better job of reducing that is spending money on the technology that will allow you to proactively understand what users are doing in real time in the environment.”
Meanwhile, KPMG’s Ebert notes that with organizations spending up to a $500 million on Epic or Cerner EHR (electronic health record) implementations, in addition to new technology for medical treatments, and physical plant investments for the hospital, there often is “not much money left for security.” He adds that “The investment in security has lagged for so long that [organizations] are bolting it on rather than building it in. And it costs so much more to bolt it on—almost two-fold if not three-fold more,” he says.
In the end, Banner Health’s Kissinger says that while these new strategies will make a difference, healthcare is simply an industry in which threats will continue to evolve over time “There’s no limit to the creativity of organized crime or nation state actors to be able to try and get to sensitive information and resources,” he says.
Kissinger adds, “The old analogy of the Golden Gate Bridge applies; you start to paint it on one end and by the time you get to the other end you have to start back at the beginning. We are constantly painting this bridge. You always have your foundational technologies in place, and a lot of us in healthcare are still putting foundational security safeguards in place. Once that’s in place, it becomes what we need to do from a refresh perspective or an emerging technology perspective to keep up with how the threats are evolving.”
