It would be hard to argue that 2014 wasn’t a year of healthcare data breaches. According to an Identity Theft Resource report, of the 761 reported data breaches, 322 of them (42.3 percent) came from the healthcare industry. The total number of records exposed totaled more than 83 million, with approximately 8.25 million coming from healthcare, approximately 9.9 percent of the total records breached, the report found.
What’s more, a recent IDC Health Insights report predicted, “By 2015, half of healthcare organizations will have experienced between one and five cyber attacks in the previous 12 months—with a third of those attacks successful. This will necessitate investments in "a multi-prong security strategy to avoid disruptions to normal operations and incurring fines and notification costs."
Certainly, the proliferation of digitized protected health information (PHI), lack of comprehensive risk mitigation strategies, omnibus rulings and increased audits all served to create a hotbed for breaches in 2014. As a result, focus will not only be on compliance but on IT risk management and process, including auditing and working with vendors to design and outline end to end security standards, expectations and responsibilities.
According to Reid Stephan, director, IT security, at the Boise, Idaho-based St. Luke's Health System, the high number of healthcare breaches in 2014 should come as a surprise to no one. “People that have been in this industry have read the tea leaves. This is not something that should catch anyone off guard,” he says. Stephan further says that it’s something that will likely continue over the next few years as well. “We will see a shift in the attack focus by organized crime syndicates, where they recognize that healthcare is an easier target. There is a lot of low-hanging fruit due to the lack of security investment in security capabilities and controls. We are, in a sense, newcomers to the digital battlefront, so it’s a cat-and-mouse game. Healthcare is behind the curve in terms of defenders and protectors of attacks,” says Stephan.
Stephan will be part of a panel discussion on Jan. 21 at the Institute for Health Technology Transformation’s (iHT2) Health IT Summit in San Diego. The panel, titled, "Privacy & Security: Strategies to Secure Patient Data," will aim to identify risk assessment strategies, discuss strategies for securing mobile devices, discuss accountability and Health Insurance Portability and Accountability Act (HIPAA) regulations, and more. Click here to register for the San Diego Health IT Summit to see Stephan and plenty of others. (iHT2 is a sister organization with Healthcare Informatics under the corporate umbrella of the Vendome Group).
Stephan goes on to note that while he wouldn’t quite say that the healthcare industry cannot defend itself when it comes to cyber attacks, there is evidence that it is lags behind other sectors in terms of investment of security staff and controls. “My philosophy is that you have to develop an assumption of compromise,” he says. “The reality is that a skilled, determined hacker will find a way in. It’s not a matter of if, but when. So at that point you have to make sure that you have good controls in place to detect and mitigate what they do when they’re in.”
It also doesn’t help that healthcare has become an attractive target when it comes to its data; the industry possesses some of the same data that we might see in the banking and finance sectors. Payment information of patients, coupled with very valuable medical information is ripe for fraud or other financial gain for criminals, Stephan says. “As such, there is a high motivation for threat actors to attack the healthcare environment. So that, in addition to the lack of mature security defenses that are in place, means you have a recipe for breaches,” he says.
St. Luke’s Defense
Stephan says that one of the keys to preventing breaches at St. Luke’s is to look at what is avoidable. “If you look at the Department of Health and Human Services (HHS)’ ‘wall of shame,’ [affecting 500 or more individuals], more than 90 percent of those breaches are a result of a lost or stolen device that are not encrypted. That is completely defensible. So we take steps to make sure that we close those gaps so we can [better] defend,” he says.
To that end, St. Luke’s encrypts all of endpoint devices so in the event of loss or theft, the health system doesn’t have to declare a breach, Stephan notes. And regarding mobile devices, the health system allows an employee to use a personally-owned device to access potentially sensitive or clinical data only if it meets the organization’s security policy. “We have the ability to remotely wipe [the device] or remotely reset the password and lock it. If it doesn’t meet that baseline check, the device won’t be allowed to access any of our systems that have our data,” says Stephan.
It is also important to understand that there really is no perimeter in this day and age with the consumerization of IT, as there are so many entry points to your data and network, he continues. “You can’t defend everything at all times, but you can identify where your sensitive data is, and understand where it’s created, transmitted, and stored. Accepting our premise of the assumption of compromise, we can accept that we might get breached, so our approach is that if and when it happens, we want to detect as quickly as possible and then take reactive steps to mitigate that impact,” he says. “If you look at the Target, Home Depot, Sony, or Morgan Stanley [breaches], attackers might have had access for months. If you can narrow that exposure window to hours or days, you will have a much less impactful incident.”
St. Luke’s also takes an approach where every employee in the health system is a defender, Stephan notes. “We spend a lot of effort and energy on the notion that St. Luke’s is protected by you, the employee,” he says. “One employee, maliciously or inadvertently, can bypass a million dollars worth of security and capability that you have in place. That’s step one, the understanding and constant awareness and training,” he says. The health system also invests in a staff that does proactive risk assessment to identify potential exposure points. Additionally, an operations team monitors network traffic, and security operational tools are in place to try to detect and protect against ongoing attacks in the moment, Stephan notes.
While the benchmark in healthcare for IT resources spent on security is about 6 percent, St. Luke’s is not quite there yet. However, under the watch of Stephan, the organization has quadrupled the amount it has spent in that department. The other benchmark used is dedicated head count that St. Luke’s has focused on security. For every 1,000 employees, the goal is to have one dedicated IT person, Stephan says. “When I started here four years ago, there was no formal security program. In that time, we have made a significant investment in hiring additional people focused solely on security. Our ratio now is probably 1,800:1, so we’re slowly getting there. I think we will get there in two or three years,” he says.
Going forward, Stephan acknowledges that the healthcare industry might not ever be “safe” from breaches, and there probably won’t be a demarcation point in which people can say that they figured it out. “It’s the reality of doing business,” he says. “As we increase the pace of digitization of healthcare records, and push for the sharing of information and interoperability, the risk will increase actually. You will be worrying about not only what you will defend at your network, but also the security of those organizations you’re partnering and exchanging data with. So I don’t think we’ll get to a position where healthcare could breathe a sigh of relief,” he says.
However, one thing organizations can do is to not view security as an end into itself, Stephan notes. “You can’t describe yourself as an IT professional in healthcare, but rather as a healthcare professional who happens to do IT security,” he says. According to Stephan, the difference is important because there has to be an understanding that the business of what you’re doing is enabling and supporting the organization’s mission and objectives. “That’s a conversation I have had with business partners and executives. There are bad actors out there and they want to steal what we have,” he says. We want to prevent that, but also make it difficult, and if it does happen, mitigate the scope and extent. St. Luke’s hasn’t had a breach since I have been here, but I’m not patting myself on the back yet. This stuff keeps cyber security professionals awake all night.”
To learn more about strategies to better secure patient data, please check out the Health IT Summit in San Diego, Jan. 20-21, 2014 sponsored by the Institute for Health Technology Transformation.