Overview of Big Data breach risks

April 24, 2014

Big Data breaches: Are you at risk?

Health Management Technology asked nearly a dozen IT executives for clues on how to determine if an organization’s Big Data system operations may be at risk to an attack or breach and how to minimize, if not prevent, such incidents.

What are some key overt and covert signs a healthcare organization’s IT system is vulnerable to an attack?

  • When organizations lack the proper physical and electronic security measures and real-time monitoring.

  • When organizations make patients’ personal health information (PHI) available to their engineering resources (development and QA) without any kind of access control security mechanisms in place.

  • When data is stored outside of the production environment.

  • When an organization outsources business internationally without setting up the proper network security features, access control and data encryption.

– Ahmad Kasmieh, Chief Technology Officer, Alere Analytics

  • There is little to no use of encryption for the most vulnerable data devices; laptops, mobile devices, USB keys and back-up tapes.

  • If there is a Wi-Fi network validating it is secure, encrypted and hidden so that its network name or “Service Set Identifier” (SSID) can’t be picked up by the public. Also, be sure a password is required for access.

  • Unregulated use of “unknown” USB keys. Often the USB key you picked up at a user conference, and then later use to move files from server to server, has never been scanned for viruses.

  • Unauthorized applications on provider/payer networks. We all sometimes need to do our online banking, bill paying, shopping and maybe even instant messaging from work. The problem is by doing these from the company’s network, these applications create a substantial risk for data loss, data theft and infection from malicious sites.

  • No audit or follow-up process for third-party log-in access. Most hospitals have many third parties accessing their IT systems. Logins are provided to these third parties to perform legitimate tasks. However, once the login has been established, there is no follow-up activity to turn off access or revalidate whether access is needed.

– Steve Matheson, Vice President, Product Management, BridgeHead Software

  • No Chief Information Security Officer.

  • The CISO has responsibility but no authority (i.e., CISO buried under three layers of IT management).

  • Poor or no governance for security that includes CISO, Legal/Compliance and “the business.” In other words, poor, or no, risk management process.

  • No process requiring a risk analysis when bringing in a business partner. New business partners may mean possible increased risk.

  • The same issues showing up repeatedly through internal and external audits/reviews, so previously identified broken things aren’t getting fixed.

– Frank Negro, Practice Leader, Global Healthcare Consulting, Dell Services

Since many organizations recently conducted a fairly exhaustive assessment of security and privacy related to Meaningful Use, they typically have a good understanding of which systems and silos of data need to be protected. Some of the primary areas of vulnerability which they are disclosing are around physical data center security, data encryption and having a single identity provisioning system for authentication. These things are all out in the open due to Meaningful Use and are being addressed incrementally.

What is more elusive to organizations is how to handle some really big challenges around:

  • Establishing proper information rights management or the prevention of leakage of PHI and other confidential information through file sharing and email using policy.

  • Enabling trusted access for mobility and having a solution in place for adaptive authentication which handles the critical balance between access management and usability.

  • Having a data governance, risk and compliance solution in place which enables a balance between data protection and liquidity.

All of these require a systems view beyond the walls of the organization. They are challenges that are sometimes cloaked by a lack of clarity on who produces and consumes data outside of the traditional stakeholders of IT. As we get deeper into hybrid clouds and virtualization of data due to ACOs, PCMH and population health management, we will see these challenges more clearly.

– David Dimond, Chief Technology Officer, EMC Global Healthcare Business

From the perspective of a Chief Medical Officer, I would say that an overt sign of a healthcare organization’s IT system vulnerability has to start with physical security of mobile devices (i.e., mobile devices that have the potential of containing protected health information should be password/pin protected and encrypted). We’ve all read about data breaches involving misplaced or stolen laptops. Encryption of these devices will limit exposure.

Moreover, passwords for information systems should not be shared across users, whether it’s a physician office or hospital unit, to reinforce the notion that only specific authorized users should have access to the minimum information required to perform their duties. Finally, another sign would be the lack of any third-party audits on the health IT systems. The best way to detect or diagnose vulnerabilities is to have security companies attempt to identify all the holes in the security system for the health system IT professionals to address them as needed. For example, Explorys performs third-party audits regularly to ensure that our platforms meet minimum standards set by HIPAA and other regulatory provisions.

– Anil Jain, M.D., FACP, Chief Medical Officer, Explorys Inc.

  • A history of data breaches – one constitutes a history.

  • Limited HIPAA training/lack of understanding.

  • An inability to concisely articulate a security strategy.

  • A lack of basic change control.

  • A self-professed lack of understanding around the Big Data space.

– Jason Williams, Vice President, Business Analytics, McKesson

Many signs and vulnerabilities are similar to those experienced in other verticals with Big Data, and they all involve “People, Process and Technology”:

  • When data moves from internal secure sources to a managed service or into the cloud, costs are reduced, but this can create risk. These organizations can lose control of who has access to those systems and data.

  • When organizations forget about the internal threat from the employee and monitor (or provide governance to) internal issues, additional vulnerabilities become a threat, including lack of process, practice and continual improvement.

  • When data moves for system or technology changes, mergers, acquisitions, government reviews, backup and storage needs, it can be at risk.

Dennis Syrmis, Director, IT Operations, SCIO Health Analytics

  • Weak passwords are a common high-risk topic.

  • Unmonitored network routers are another sign of a facility that can be exploited and never know it.

  • Workstations running old operating systems or not maintaining security patches.

  • Facilities that do not isolate networks based on department. Monitoring the network can be the best alert to a potential attack.

– Steve Deaton, Vice President, Sales, Viztek

The healthcare industry spent a long time trying to figure out how to protect access to data from the outside world, but healthcare organizations remain most vulnerable to internal threats. Employees need to have access to data in order to do their jobs well and be efficient, so we need to figure out how to build smart systems with advanced algorithms on top of tracking “views” in order to assess internal threats. As part of that, organizations need mobile device security management systems that can monitor for suspicious employee activity proactively.

–Chris Schremser, Chief Technology Officer, ZirMed

What are some of the necessary steps they should take to fix these challenges right away?

  • Always encrypt healthcare data and use obfuscation techniques.

  • Minimize development and QA’s access to PHI whenever possible. When absolutely necessary, use patient data to solve technical issues, but have defined secure protocols for handling that data.

  • Always store data in your protected environment, and again, limit the individuals who have access to it.

  • Delegate responsibility for data security to executives and teams. Make measurable goals around data security.

– Kasmieh

  • If providing employees access to external systems is a benefit that a provider wants to offer, then treat it as one. Spend the time and money to set up an external access point and device for employees to use for personal activity that cannot be connected to while simultaneously connected to the internal network. You have two choices: allow no access and have unhappy employees but a secure internal network, or provide external access that is distinct from all internal network activity.
  • Use encryption. If a provider is going to enable, intentionally or unintentionally, people to use personal devices (phones, tablets, etc.) to access provider data (business or clinical), implement encryption for these devices, and then train employees in its use.
  • Regularly audit access of each login. Many sites have implemented automated, regular password changes, but the problem is the current user of the login is the one who simply changes the password to be in compliance. Instead, review “who” has access via the login and, if not known, shut off access, and then see who complains.

– Matheson

  • Make sure there is someone responsible and accountable, and high enough in the organization, to get things done.

  • Review the governance model and make sure it includes Legal/Compliance and “the business” – for best practice, link in the CMIO.

  • Governance, governance – agendas, meeting minutes, action items, strategic and tactical activities – track and document everything.

Negro

  • Organizations need to better prepare to manage and to respond to advanced threats by having a platform to manage a large number of log events with full network packet capture and customizable dashboards for viewing threat and vulnerability information. It also delivers a real-time and scalable network forensics platform with session replay, signature-free analytics, automated advanced threat and zero-day malware analysis.
  • Organizations should also better position themselves to identify, prioritize and respond to attacks by being able to handle internal and external threat intelligence with the industry’s broadest multi-language forensic and investigation capabilities. Organizations can leverage integration with major security intelligence feeds and foundational enterprise security products, such as SIEM, IDS and next-gen firewalls.
  • They should focus on increased coordination with visibility and reporting across the extended enterprise by embracing solutions which are designed to support both IT and business aspects of managing advanced threats, including identifying key critical assets, managing crisis plans, internal and external communication, and tracking of response activities.

– Dimond

The first step should be a security audit to identify the challenges or gaps in the security. The second step should be to put a risk-based plan in place to mitigate the exposure. Finally, performing another audit to ensure that the plan has addressed the gaps is critical.

– Jain

  • Partner with a trusted provider that is adept at the challenges and requirements around HIPAA regulations.

  • Education – know the risks and the threats associated with running an IT system.

  • Monitor usage of the data. This monitoring needs to reside outside of the IT organization.

– Williams

Most challenges can be fixed by instituting a framework of process, practices and governance. With the fast pace of technology demands, changes and competition, there are a plethora of systems, models and rules to follow. A few baseline items to consider are:

  • Choose one model.

  • Invest.

  • Establish success factors.

  • Monitor for performance.

– Syrmis

Similar to 20 years ago, today’s technologies may require companies to be quick and agile in order to track situations that threaten the security of their data.

  • Deploy network monitoring tools, or outsource that task to a company that specializes in it.

  • Force good password policy adoption from the top down in an organization. Often, doctors are the worst offenders, so C-level support is required to support a change there.

– Deaton

We need a fundamental culture shift in healthcare organizations to move beyond “I have to be compliant” to “I have to be secure.” On the black market, a stolen credit card number is worth about 50 cents, because it has a limited life. On the other hand, according to recent reports, a personal health record is valued at between $30 and $50. As an industry, we need to make the investment in the people and technologies that will allow for true security of our data.

– Schremser

Sponsored Recommendations

ASK THE EXPERT: ServiceNow’s Erin Smithouser on what C-suite healthcare executives need to know about artificial intelligence

Generative artificial intelligence, also known as GenAI, learns from vast amounts of existing data and large language models to help healthcare organizations improve hospital ...

TEST: Ask the Expert: Is Your Patients' Understanding Putting You at Risk?

Effective health literacy in healthcare is essential for ensuring informed consent, reducing medical malpractice risks, and enhancing patient-provider communication. Unfortunately...

From Strategy to Action: The Power of Enterprise Value-Based Care

Ever wonder why your meticulously planned value-based care model hasn't moved beyond the concept stage? You're not alone! Transition from theory to practice with enterprise value...

State of the Market: Transforming Healthcare; Strategies for Building a Resilient and Adaptive Workforce

The U.S. healthcare system is facing critical challenges, including workforce shortages, high turnover, and regulatory pressures. This guide highlights the vital role of technology...