How to Better Understand IT Security Risks at Healthcare Organizations
In the past few months, recent research has revealed that healthcare organizations have been extremely prone to hacks and data breaches, now more than ever before. For one, the Michigan-based Ponemon Institute, which has released its annual patient privacy and security study, found that 90 percent of respondents have had at least one data breach over the past two years, while 38 percent have had more than five data breaches in the same time period. The survey also found that for the first time providers reported that the No. 1 root cause of their data breaches was criminal and malicious attacks, surpassing mistakes and employee negligence.
What’s more, a new survey from New York City-based KPMG that polled 223 CIOs, chief technology officers, chief security officers and chief compliance officers at healthcare provider organizations and health plans, found that 81 percent of healthcare executives say that their organizations have been compromised by at least one malware, botnet, or other cyber attack during the past two years, and only half feel that they are adequately prepared in preventing attacks. More concerning, 16 percent of healthcare organizations said they cannot detect in real-time if their systems are compromised.
Certainly, data security is as hot an issue in healthcare as it ever has been. As such, Alexander Grijalva, head of information security risk management at the New York City-based NYU Langone Medical Center recently spoke with HCI Senior Editor Rajiv Leventhal about his role at NYU Langone, the growing problem of data security in healthcare, and what organizations need to do to better protect their data. Below are excerpts of Part 1 of that two-part interview.
What is your role at NYU Langone when it comes to IT security?
I am NYU Langone's medical IT security risk manager, reporting to its chief information security officer (CISO). I help coordinate and execute the medical center’s IT regulatory risk assessments. As an organization regulated by HIPAA/HITECH, PCI DSS, FERPA, and FISMA, it is important for us to continuously ensure our compliance with those regulations. That requires close collaboration with the various IT groups, compliance, legal, and internal audit.
With each passing day, security in healthcare seems to be a bigger problem. Why do you think this is?
Phishing campaigns have become much more proficient and effective. We have moved away from the poor English grammar [attacks] to much more sophisticated campaigns, and the moment you have those credentials you can do a lot of damage with that. In the hospital space, even with education, with the volume of emails that you get and all of the activity that you have to do in terms of responding to everything, people aren’t spending time to really see how legitimate something is Something like ‘you have exceeded your email quota’ and your organization doesn’t even have a quota has become nonsense. At another organization I know of, there was a phishing campaign that was sophisticated and nothing seemed unusual. It involved an information security project that the institution was working on and that employees were educated on. The attack used the logo of the medical center as well. No one thought anything of it at first. Nothing seemed unusual. Phishing has become very difficult to protect against, and no one has really understood how to address that. And you have to deal with all your vendors too. They might have 24/7 access to your environment. How do you monitor against that?
What must healthcare organizations understand most to better protect their data?
You need to first understand what’s going on in the hospital environment and what’s going on in healthcare overall that makes it challenging. Compared with other industries, healthcare is in a different position. With healthcare, mandates are steered towards making information more accessible. So you’re not trying to limit or shield off information, but you’re aggregating more and making it more available across all aspects of workflow from hospitals to insurance carriers to health information exchanges. In a way, it’s a reverse direction from other industries, and that makes it more difficult since the risk level is increased.
If at any point you comprise the integrity of a health record, you are polluting the entire system. That misinformation is being propagated across the entire workflow. That high level of risk can come from an insider, and that’s where my focus has been these days more so than cyber threats. My conversations with peers tells me that information is so accessible, it’s harder to monitor, and it takes you longer to identify when someone has done something malicious, or even accidental. Clinicians now have access to every patient record in the organization, and you cannot segregate what he or she can see in case of an emergency. That physician needs immediate access to the information, but it’s hard to catch when someone is looking at records he or she shouldn’t be looking at. That also makes the job of security much more difficult compared with securing the perimeter or trying to secure against malware.
Both insiders and external actors know this information and use healthcare’s clinical and operational workflows against it. In particular, over the last two years, there has been extensive media coverage and discussions by security experts about the weaknesses in academic IT infrastructure (and other industries). If you consider APT kill-chains, I would argue that in the healthcare’s effort to combat cyber-crime and –attacks through public discussions, information sharing, and breach analysis, we’ve helped make the seven levels more efficient and effective. (The seven levels are reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on target.) It is a situation where you are damned if you do, damned if you don’t.
Stay tuned for Part 2 of this interview coming soon, which will examine the costs associated with data breaches, strategies that could work to prevent them, and when healthcare organizations will get to the level of preparedness that’s needed.
Learn more about data security at the iHT2 Health IT Summit in New York later this month. The entire conference agenda can be seen here.