Cybersecurity: Playing by the rules and defending your network
Football season is over, but that doesn’t mean healthcare IT security can’t take a page from the NFL playbook. As the threat landscape evolves and health information becomes more accessible through a variety of networks and mobile devices, healthcare IT finds itself with one goal: Create a comprehensive security strategy that can effectively block and tackle the opposing team – in this case, cyber attackers – before they access critical data.
Healthcare providers possess large volumes of valuable and marketable data, which is spread across cloud, mobile, and on-premise environments. Unfortunately, many organizations lack the structures and resources to secure that data. As compliance requirements increase and healthcare organizations continue to incorporate more technology into the business, IT executives must ensure they are implementing a security strategy that will effectively defend their data against cyber threats and attacks.
Here are some security best practices – “rules of the game,” if you will – that will help healthcare organizations block their opponents from scoring major data off the network.
Information governance
The first rule of the game is implementing information governance. Information governance is the process of implementing policies and procedures for managing information; it helps healthcare organizations identify who owns each piece of data, what type of data sits on their network, and how old that data is, so they can determine whether it should be archived or deleted. Like any important asset, information requires high-level oversight for organizations to use it for decision-making, performance improvement, cost management, and risk management. Healthcare IT executives must understand that information governance is about analyzing the information itself, not the technology. If healthcare organizations only look at the technology, they lose sight of the information entrusted to them, giving the opposing team – the hackers – the perfect opening to swoop in and score a major data touchdown.
Successfully implementing information governance ensures that information is trustworthy and that it can be used to align with organizational strategy and to engage leadership and stakeholders across the enterprise. Information governance enables organizations to rid the network of unnecessary data, allowing them to produce high-quality data and giving them a better capacity to share that information. However, not implementing information governance could result in major IT fumbles, such as:
- Incomplete medical records;
- Inability to access and use information, or enabling the wrong people to gain access;
- Increased breaches;
- Challenges in exchanging information beyond their own organization; and
- Inability to document/verify appropriate access.
To avoid these outcomes, healthcare IT needs stakeholders – or a team of coaches – who will determine strategy, create policy, review procedures, and make sure everything is enforced. These stakeholders will look at the personnel, technology, policies, and procedures necessary to ensure the preservation, availability, security, confidentiality, usability, and disposal of the company’s data. Above all, the most important thing that governance must accomplish is creating a culture of compliance around information – who uses it, with whom it can be shared, and how users access data.
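The governance process described in this section (identify the owner, the classification and the age of each data store, then decide whether it stays, is archived or is deleted) can be turned into a repeatable inventory check. The following is an added example written for this article, not code from the article or from any vendor; the retention schedule, the classifications and the inventory entries are assumed values constructed for illustration, and the output is the list of stores that the governance team needs to act on, including those that cannot be acted on at all because nobody owns them or they have never been classified.

```python
"""Information-governance inventory check (added example, not from the article).

Each entry in the constructed inventory below describes one data store: its
owner (None if nobody has been assigned), its classification and the date it
was last accessed. The check applies an assumed retention schedule and
reports what governance should act on: stores with no owner, stores with an
unknown classification, and stores due for archiving or deletion.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Retention schedule in days, by data classification (assumed values, not
# a regulatory requirement).
RETENTION_DAYS = {
    "phi":         {"archive_after": 365 * 2, "delete_after": 365 * 7},
    "financial":   {"archive_after": 365 * 1, "delete_after": 365 * 7},
    "operational": {"archive_after": 180,     "delete_after": 365 * 2},
}


@dataclass
class DataStore:
    name: str
    classification: str
    owner: Optional[str]
    last_accessed: date


def governance_decision(store: DataStore, today: date) -> str:
    """Return 'unowned', 'unclassified', 'delete', 'archive' or 'keep'."""
    if store.owner is None:
        # Nobody is accountable for this data; an owner must be assigned
        # before any retention decision can be made.
        return "unowned"
    schedule = RETENTION_DAYS.get(store.classification)
    if schedule is None:
        # Unknown classification: no retention rule can be applied safely.
        return "unclassified"
    age_days = (today - store.last_accessed).days
    if age_days >= schedule["delete_after"]:
        return "delete"
    if age_days >= schedule["archive_after"]:
        return "archive"
    return "keep"


def review_inventory(stores: List[DataStore], today: date) -> Dict[str, List[str]]:
    """Group store names by the action governance should take on them."""
    report: Dict[str, List[str]] = {
        "unowned": [], "unclassified": [], "delete": [], "archive": [], "keep": []
    }
    for store in stores:
        report[governance_decision(store, today)].append(store.name)
    return report


# Constructed sample inventory; these are not real systems.
SAMPLE_INVENTORY = [
    DataStore("ehr-prod", "phi", "Clinical Informatics", date(2016, 1, 10)),
    DataStore("imaging-archive-2008", "phi", "Radiology", date(2008, 6, 1)),
    DataStore("legacy-billing-export", "financial", None, date(2013, 3, 15)),
    DataStore("helpdesk-tickets", "operational", "IT Ops", date(2015, 4, 1)),
    DataStore("research-scratch", "research", "Dr. Example", date(2015, 12, 1)),
]

if __name__ == "__main__":
    for action, names in review_inventory(SAMPLE_INVENTORY, date(2016, 2, 15)).items():
        print(f"{action:12s} {names}")
```

Run against the constructed inventory on 15 February 2016, the check keeps the active EHR store, marks the 2008 imaging archive for deletion under the assumed seven-year rule, marks the help-desk tickets for archiving, and surfaces two governance gaps the schedule cannot resolve on its own: an export with no owner and a store with a classification nobody has defined.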
Information access
Once healthcare organizations implement governance to protect their information, they must address information access as well as access management processes, which determine who authorizes users to specific systems or locations. As with governance, healthcare organizations need tools to monitor and define the processes that are used to determine who accesses what information, how that information is accessed, and who authorizes that access. Information access enables healthcare organizations to manage:
- Access management principles and policies;
- Roles and responsibilities, accountability, and digital trust; and
- Identity management, authentication, and activity review at the operations level.
Healthcare IT must also enable information access from the inside out – across devices owned by patients, doctors, other employees, or the hospital, without impacting workflows or productivity. With an increasing number of mobile devices continuing to access healthcare networks, IT must be able to monitor and gain insight into the information coming into and out of a device down to the application level. IT must then encrypt that data to make it more difficult for opponents to access – protecting patient information and other critical data.
Information protection
Now healthcare organizations must consider how to build up a defense using information protection. Information protection refers to classifying data and determining ownership of that data. While patients rightfully own their data, there must be a designated owner responsible for making decisions about that data while it is in the organization’s possession. And to properly protect data, organizations must do more than just designate everything to the IT department. Healthcare providers can’t place all of the responsibility on one member of the team. Rather, those who are using the patient’s data at the time should take on ownership and accountability, ensuring that data remains in the hands of those who are collecting, maintaining, and using it.
However, information protection is not only about protecting data and designating ownership of that data. It’s also about understanding data and its usage. Healthcare organizations must have a full understanding of where data comes from, who is authorized to access it, and how fast it is growing on the network. Without this knowledge, healthcare organizations lack the ability to protect that data and could potentially be protecting data that isn’t important – or worse, neglecting data that requires protection.
The most difficult part of implementing information protection is people. Security is ultimately a “people problem,” not a technology issue. Technology doesn’t open phishing emails or leave a screen up for anyone to view confidential information – people do. People do not always understand the value of the healthcare data they access, but healthcare organizations can remedy this issue by educating and training the people who collect, use, store, and share that information. In doing this, healthcare IT can ensure that employees are aware of the value of their data, and therefore more inclined to take the extra steps to protect that data and ensure adversaries are not able to intercept it.
Infrastructure management
Infrastructure management is next and consists of healthcare IT executives doing the basic blocking and tackling of managing the technology infrastructure – ensuring the system is up to date and includes all of the resources organizations need to defend against threats. In the healthcare space, not putting the right resources – such as lifecycle management, policies, patches, and maintenance – into infrastructure management is a larger and more dangerous problem than in other sectors of IT. If a system is not monitored or kept up to date, the risk of system failure is greater, resulting in more opportunities for hackers to extract organizational data.
The solution for healthcare organizations is to take inventory and track assets – hardware and software. IT professionals must ensure that all data is stored on up-to-date hardware and software to continue providing secure access for the appropriate users. This process also involves change management – IT departments don’t want to upgrade or replace systems without planning for those changes. IT departments must implement policies around this type of maintenance to ensure they are monitoring “mean time between failures,” or the amount of time that passes between failures of the system during maintenance. Think about it this way – if a team doesn’t monitor the whole field during a play, an opponent can easily slip in and score a touchdown.
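The inventory-and-tracking step above, together with the mean-time-between-failures monitoring the paragraph calls for, is concrete enough to show in code. What follows is an added example written for this article, not the article's own tooling or any vendor's: it walks a constructed list of hardware and software assets, flags each one that is behind the vendor's current version, has gone unpatched longer than an assumed 30-day policy allows, or has passed its support end date, and computes MTBF for each asset from its recorded failure timestamps. The asset names, versions, dates and failure records are all constructed; the MTBF figure is taken as the mean gap between consecutive failures, which is the simplest reading of the term and is an assumption of this example.

```python
"""Asset inventory currency check and MTBF (added example, not from the article).

The constructed inventory lists assets with their installed and vendor-current
versions, the date of their last update, an optional end-of-support date and
the timestamps of any recorded failures. Assets that fail a check are reported
with the reason, so IT can plan the upgrade through change management rather
than discover the gap during an incident.
"""
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

MAX_PATCH_AGE_DAYS = 30  # assumed policy value


@dataclass
class Asset:
    name: str
    kind: str                       # "hardware" or "software"
    installed_version: str
    current_version: str            # latest version the vendor ships
    last_updated: date
    support_ends: Optional[date]    # None if still fully supported
    failures: List[datetime] = field(default_factory=list)


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '2.4.1' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def asset_findings(asset: Asset, today: date) -> List[str]:
    """Return the list of reasons this asset needs attention (empty if none)."""
    findings = []
    if version_tuple(asset.installed_version) < version_tuple(asset.current_version):
        findings.append("outdated")
    if (today - asset.last_updated).days > MAX_PATCH_AGE_DAYS:
        findings.append("patch-overdue")
    if asset.support_ends is not None and asset.support_ends <= today:
        findings.append("unsupported")
    return findings


def mtbf_hours(failures: List[datetime]) -> Optional[float]:
    """Mean time between failures in hours, computed as the average gap
    between consecutive failure timestamps. None if fewer than two failures
    have been recorded, since no interval exists yet."""
    if len(failures) < 2:
        return None
    ordered = sorted(failures)
    gaps = [(b - a).total_seconds() / 3600 for a, b in zip(ordered, ordered[1:])]
    return sum(gaps) / len(gaps)


def inventory_report(assets: List[Asset], today: date) -> Dict[str, List[str]]:
    """Map each asset name to its findings; assets with no findings map to []."""
    return {asset.name: asset_findings(asset, today) for asset in assets}


# Constructed sample inventory; names, versions and dates are illustrative.
SAMPLE_ASSETS = [
    Asset("pacs-server-01", "hardware", "2.4.1", "2.5.0", date(2015, 11, 20),
          date(2017, 6, 30),
          failures=[datetime(2015, 12, 1, 2, 0), datetime(2016, 1, 1, 2, 0),
                    datetime(2016, 1, 21, 2, 0)]),
    Asset("nurse-station-os", "software", "10.0.3", "10.0.3", date(2016, 2, 1), None),
    Asset("legacy-lab-interface", "software", "1.9", "1.9", date(2014, 5, 10),
          date(2015, 12, 31)),
]

if __name__ == "__main__":
    today = date(2016, 2, 15)
    for asset in SAMPLE_ASSETS:
        print(f"{asset.name:24s} findings={asset_findings(asset, today)} "
              f"mtbf_h={mtbf_hours(asset.failures)}")
```

On the constructed data the PACS server is both behind the vendor's version and overdue for patching, and its three recorded failures give an MTBF of 612 hours; the lab interface is current with its own last release but has been unpatched for well over the policy window and is past its support date, which is the kind of asset the paragraph warns about; the nurse-station image needs nothing.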
Remember that security is ultimately a people problem. Just as it is important for people to understand the value of their data, they must understand the value of the devices and software on which that data is stored. Training is crucial. Organizations must know what they have, where it is, and who is using it, otherwise they are at risk of losing track of their most valuable asset – the data.
Infrastructure security and protection
This brings us to our last point: Healthcare organizations must focus on infrastructure security and protection. This includes threat intelligence and security analytics – the tools healthcare organizations need to continuously monitor all of the security data in their environment for threat patterns and cyberattacks. These tools allow healthcare organizations to identify, protect, detect, respond to, and recover confidential data wherever it is stored and used: across endpoints, mobile devices, network, and storage systems – even in the cloud.
The most important thing to remember about infrastructure security and protection is that if these practices are not implemented in a healthcare organization, that organization will cease to exist. Though they’re clearly not playing by the rules, attackers will score major data if it goes unprotected. Healthcare flows at the speed of trust; once an attacker wins the game, patients no longer look to healthcare organizations for protection.
The threat landscape in the cyber world is only getting worse, and healthcare organizations are struggling to keep up with security. In 2014, targeted attacks increased by 40 percent over the previous year [1], and in 2015, criminal attacks became the No. 1 root cause of data breaches in healthcare [2]. Highly skilled, well-funded, organized cybercriminals who freely deploy an array of ever-changing tools and tactics are gradually making their way in to score organizational data. The hard truth is that it is not a matter of if, but when, a healthcare organization will experience an attack. With this in mind, it is crucial that IT executives are equipped to quickly respond to advanced threats, stopping them immediately and remediating them so an attack never happens again. Healthcare organizations must master the rules of the game and implement a strategy that will block hackers and defend critical data.
References
- [1] Symantec Security Response, threat report: http://www.symantec.com/security_response/publications/threatreport.jsp
- [2] The Ponemon Institute. “What Was the Root Cause of the Healthcare Organizations’ Data Breach.” Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, May 2015.