Paul Calatayud, Chief Information Security Officer, Surescripts
Matt Goche, Consulting Director, SunGard Availability Services
Most health organizations fully understand that they are at great risk from cyber attacks, but few have the right perspective for developing an effective defense plan. Paul Calatayud, Chief Information Security Officer, Surescripts, perhaps puts it best when he says, “Preparing for a cyber attack is like preparing for a bear attack. You don’t train to fight the bear. You prepare to be faster than the guy standing next to you.”
While it may sound rather ominous, Calatayud’s statements provide a very reasonable context for creating a plan to secure your facility and its very valuable assets.
Know what’s at stake
The full economic value of the records held within a single healthcare organization is almost beyond measure. When trying to calculate the combined value of the personal information of patients, the potential fines incurred for data breach violations and the loss of reputation within the industry and general public due to a cyber attack, one can quickly become overwhelmed by the numbers.
“Outside of malpractice, I can’t think of a more damaging force to a hospital’s reputation than a data breach,” says Calatayud. “In time, you may be able to lose the stigma, but in all honesty, I think in the future, it will cause some organizations to close their doors forever.”
It could be argued that no matter the skill level of its staff or the sophistication of its equipment, a bad reputation for patient data safety could doom a hospital’s standing in the community. That’s not to say that administrators should use reputation as their incentive to develop a plan against data breaches because, like their physicians, their chief goal should be to do no harm to their patients.
“If you look at a standard healthcare organization, there are massive amounts of electronic protected health information (EPHI),” says Matt Goche, Consulting Director, SunGard Availability Services. “It contains personal information such as social security numbers and credit card data that can easily create false or stolen identities. Don’t forget that hospitals often have gift shops, cafeterias and payment operations. So there’s a lot of personal information within a hospital network. If a ‘bad guy’ is able to get access to a single stream of this data, there is some type of market for it.”
Given that identity theft occurs millions of times a year, we have all either heard of, or experienced firsthand, the trauma it causes. In terms of criminal opportunities, the theft or misrepresentation of one’s identity will only become more attractive as more of our daily lives move into the digital world. As previously mentioned, these threats are not unique to medical environments, so rather than looking at their situation in a vacuum, healthcare organizations ought to seek out best practices from other industries, and none has had to deal with as many cyber attacks as the financial field.
“Going back to the 1980s, many banking systems at the time felt as though they may be able to get rid of their branches and put all of their business operations online. Obviously that didn’t happen, but with that philosophy behind their security practices and policies, they have developed more robust, more mature data security systems than those often found in healthcare,” says Calatayud.
In many ways, banks are currently the fastest runners from the possible “bear attack” of cyber crime, so there is a great deal to learn from their defensive strategies. However, it is important to keep in mind that stealing from a healthcare organization is not like robbing a bank. The information, and money, within a bank is similar in nature to EPHI in a hospital in that electronic data is just that, electronic data, but there are key differences in the data itself that must be considered.
“If somebody steals from a bank, the bank knows exactly what’s been taken. Whereas with a cyber attack upon a healthcare facility, you may not even know that it happened. There are instances where an organization finds out that, for years, people were illegally accessing information from their networks. This activity went unnoticed because no information was stolen. It was copied,” says Goche.
In other words, it does not matter if your social security card is locked in a safe. As long as I know the nine digits on the card, you can keep it, and I can go about my business stealing your identity.
Calatayud continues, “In the case of money, it can be electronically replaced, or there is insurance and other ways to recover that loss. The same things apply in retail with the theft of a credit card. The immediate response in that situation is to change your credit card number and seek to indemnify future required payments. A unique, or interesting, aspect with healthcare data is the perpetuation of that data. By that I mean, when you lose your healthcare records, you really can’t replace that information. Once it’s lost, it can be regenerated but, in the wrong hands, it can result in the perpetuation of identity theft and the prolonged abuse of that information. It can be misused for insurance claims, taxes, etc. That information becomes very critical because it’s associated with a human being versus being associated with a financial institution.”
As painful as a stolen credit card can be, it is most often a terminal event that can be mitigated rather easily. However, if I steal certain healthcare information, I can open a credit card on your behalf and you may not even know it happened. The damage can run deeper and longer because by the time you are aware of my thievery, it is usually when creditors are looking for you, calling to let you know about my activity, or when you try to open another line of credit and see that your credit score has taken a hit. Many times, it is too late to repair the damage.
In addition to being mindful of protecting patients’ financial futures, healthcare administrators must also appreciate the financial damages cyber attacks can have upon their facilities as well. The Department of Health and Human Services (HHS) has enacted extensive modifications to the Health Insurance Portability and Accountability Act (HIPAA), known as the HIPAA Omnibus rule. Written into the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, this rule created stronger privacy provisions in terms of protected health information (PHI). It also created severe penalties for data breaches ranging up to $1.5 million per incident.
When one considers the enormous weight of these potential fines, the possible long-term damages to patients and the inevitable loss of an organization’s reputation, it’s no wonder C-level executives are becoming more proactive in the planning and execution of cyber attack defense strategies. Too often, however, these efforts are incomplete simply because a thorough examination of a facility’s physical and virtual layout is never conducted.
Know your environment
While hospitals spend a tremendous amount of money and effort protecting themselves from hackers and other criminals, make no mistake: they are prime targets for cyber attacks because they are easy targets. Even though regulations such as HIPAA/HITECH are starting to force the industry to address some exposed areas, there are still gaps among healthcare organizations that require individualized protection mechanisms to cover their data, their operations and their business functions. One area often overlooked involves access.
“There are lots of ways to enter a hospital’s environment because it can have many points of entry; dealing with multiple payers, multiple types of customers, sometimes over multiple operations sites,” says Goche.
Although many organizations aggressively monitor these access points, they sometimes forget to double their efforts in special areas where critical information resides.
Calatayud says, “Awareness and understanding of risk starts with the data. A key first step is identifying where your data lives and having strategies to protect that data. In some cases, part of that strategy of protecting patient data is reducing where that data lives.”
To diminish risk, administrators need to develop schematics that map out where their data lives within their ecosystem. After that schematic is created, special attention should be paid to determining whether certain zones contain data redundancies or unnecessary exposures. With this map in hand, administrators can then establish strict credentialing policies and processes for each area containing data and then monitor the behavior within these credentialed locations. To stop at this point, however, leaves your organization vulnerable to one of the most common catalysts for cyber attacks: credential theft.
“Many times if you look at the anatomy of the breach or attack,” Calatayud says, “it’s happened with credential theft, therefore, a lot of organizations focus upon the protection of credentials. That’s a reasonable approach, but to assume from the beginning that a credential is going to get stolen is a more complete line of thought. Facilities can mitigate the risks early on by asking, ‘If a credential at one of our access points is stolen, how do we restrict its usage on our network?’”
Credentials should be developed in such a manner that they can be monitored in real time so that inappropriate activity can be quickly and easily identified.
“Monitoring the activity of credentialed users is vital,” says Calatayud. “Having a good handle on the monitoring of users can create opportunities to detect a potential breach. A lot of this is considered a normalization where you can detect or create patterns around users’ behaviors on your network or on your databases and systems. So if a doctor generally logs in from 9 am until 5 pm and looks at certain records and you see abnormal behaviors, such as a spike in the user logging in during ‘off hours,’ or the level of access that they are using is changing, or the amount of records they are accessing seems abnormal, then you would be able to detect that for further research.”
In terms of protecting against a cyber attack, an accurate map of your users’ behavior within your network is just as critical as an accurate map of your access points and their credentialing standards. To create a more complete defense plan, however, facilities must also develop a stronger understanding of the various states in which their data exists.
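The behavioral baselining Calatayud describes (normal hours, normal access level, normal record volume per user), as an added illustration that is not part of the original article or either company’s tooling: the script builds a per-user profile from constructed sample access-log lines and flags sessions that fall outside it. The log layout, the user name, the three-sigma threshold and the hour-window rule are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines (not real data): timestamp, user, access level used, records touched.
BASELINE_LOG = """2024-03-04T09:12:00 dr_lee clinician 18
2024-03-05T10:03:00 dr_lee clinician 22
2024-03-06T14:40:00 dr_lee clinician 20
2024-03-07T11:15:00 dr_lee clinician 19
2024-03-08T16:30:00 dr_lee clinician 21""".splitlines()

# Constructed sessions to check: one normal, one late-night, one with a new role, one bulk pull.
NEW_LOG = """2024-03-11T09:05:00 dr_lee clinician 20
2024-03-11T23:47:00 dr_lee clinician 19
2024-03-12T10:20:00 dr_lee admin 21
2024-03-13T13:00:00 dr_lee clinician 240""".splitlines()

def parse(line):
    ts, user, role, count = line.split()
    return datetime.fromisoformat(ts), user, role, int(count)

def build_baseline(lines):
    """Per-user profile: observed login-hour window, access levels used, record-count mean/stdev."""
    hours, roles, counts = defaultdict(list), defaultdict(set), defaultdict(list)
    for ts, user, role, count in map(parse, lines):
        hours[user].append(ts.hour)
        roles[user].add(role)
        counts[user].append(count)
    return {u: {"hours": (min(hours[u]), max(hours[u])), "roles": roles[u],
                "mean": mean(counts[u]), "stdev": pstdev(counts[u])} for u in counts}

def find_anomalies(baseline, lines, sigma=3.0):
    """Return (line, reason) pairs for sessions that deviate from the user's own profile."""
    findings = []
    for line in lines:
        ts, user, role, count = parse(line)
        profile = baseline.get(user)
        if profile is None:
            findings.append((line, "no baseline for user"))
            continue
        lo, hi = profile["hours"]
        if not lo <= ts.hour <= hi:
            findings.append((line, "off-hours session"))
        if role not in profile["roles"]:
            findings.append((line, "access level changed"))
        # Floor the spread at 1 so a perfectly regular user still gets a usable threshold.
        if count > profile["mean"] + sigma * max(profile["stdev"], 1.0):
            findings.append((line, "record volume spike"))
    return findings
```

Each finding is a lead for the “further research” the quote mentions, not a verdict; a real deployment would baseline over weeks of sessions and tune the window and sigma per role.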
Calatayud says, “In looking at your ecosystem, you have to understand how data is being handled. It gets back to understanding where your data lives and how it gets accessed. Once you have a good understanding of your data at rest, you can develop your data life-cycle management strategy, which encompasses how the data got there. With data entry, file transfer services, the applications themselves and where the data moves, that’s the data-in-motion side of it; the transit side. That tends to be where people generally have a good focus in terms of security, more on the transit where you hear a lot about encryption. Where people tend to fall short is at understanding data at rest, but it is equally important.”
Many cyber attacks have been no more elaborate in nature than someone walking away with an employee’s thumb drive. Without the proper security measures in place, this type of data at rest is an easy target for nefarious individuals looking for a low-tech opportunity.
Conclusions
While some of the biggest names in business have been exposed as vulnerable to data theft, most healthcare organizations have so far been spared the indignity and the painful setbacks caused by cyber attacks. This will not be the case for much longer, however, as it is only a matter of time before the crime becomes commonplace in the industry. It is vital that organizations develop accurate maps of their points of access, develop and monitor their credentialing processes, and understand where and how their data lives and moves within their individual ecosystems. Without these fundamental considerations in place, a facility’s defense is incomplete at best.