Finding Holes in IT Security — Your Own People May Be the Biggest Risk
By Leslie Feldman
Vol. 12 No. 8 P. 28
With healthcare organizations increasingly moving to electronic means of storing records and images containing protected health information (PHI), securing that data becomes a much more important task. Adding to the complexity is the rapidly growing number of diverse technologies used for processing and storing electronic PHI (ePHI). Each platform has its own format for recording specific activities, making it difficult for organizations to easily discover nefarious behavior.
Since the HIPAA Privacy Rule took effect in April 2003, the Department of Health and Human Services’ Office for Civil Rights (OCR) has investigated and resolved more than 11,000 HIPAA violations. Since the Breach Notification interim final rule took effect in September 2009, nearly 7 million patients have been affected by reported data breaches. Privacy and security experts say healthcare providers need to conduct detailed policy and implementation reviews to make sure they are HIPAA compliant. Once holes are identified, they need to work quickly to remediate them before they lead to much larger problems down the road.
Finding those holes, however, is not always easy.
Mike Spinney, a senior privacy analyst with the Ponemon Institute, a research organization dedicated to advancing responsible information and privacy management practices in business and government, says one of the biggest security hurdles facing healthcare organizations is transitioning from paper-based medical records to a digital system.
“We’re already seeing these struggles play out with cases of improper management and security. And with increased penalties and enforcement under the HITECH Act, the costs of failure are steep,” he says.
Spinney says healthcare organizations must approach the move toward a digital health information network from more than a technology perspective. They should also consider it to be a strategic initiative that includes a review of policies and processes for securing and managing information.
“The old way of doing things is no longer sufficient in an age when so many have access to highly sensitive information,” he notes.
Insiders pose a substantial security threat by virtue of their knowledge of and access to their employers’ systems and/or critical assets, says Randy Trzeciak, technical team lead for the Insider Threat Outreach and Transition group at Carnegie Mellon University’s Software Engineering Institute CERT program.
“Insiders can bypass existing physical and electronic security measures through legitimate measures,” Trzeciak says. “The majority of insider incidents are set up or carried out by employees, contractors, or other trusted business partners with authorized access performing authorized actions but with malicious intent. The difficulty facing most organizations is determining malicious intent. Most technical solutions applied to the insider threat problem are not able to efficiently differentiate between anomalous activity and ‘normal’ activity.”
The Insider Threat Center at CERT works with organizations to protect critical infrastructure and assets from insider threats. “We provide guidance on how organizations can be better prepared to prevent, detect, and respond to malicious insider activity. We do this by offering insider threat vulnerability assessments, providing training, and producing publications,” Trzeciak says.
Mac McMillan, chairman and CEO of CynergisTek and chair of the Health Information and Management Systems Society (HIMSS) Privacy and Security Steering Committee, believes the biggest problem with data security is a lack of appreciation or understanding for what it takes to actually do it correctly, which unfortunately translates all too often to a lack of focus and resources.
“The HIMSS annual security survey confirmed this once again for the third year in a row: Healthcare organizations routinely spend less than half of what other regulated industries spend on information security,” he says. “The second biggest problem, which relates to the first, is the lack of qualified staff managing or handling security responsibilities. Data security is a specialized field in IT and requires training and experience to be proficient just like any other profession. Many security staff in healthcare today are new to their positions and don’t have the training necessary to make them successful. The last challenge is associated with the assumption that some have that data security in complex environments can be accomplished without investing in technology. This puts many organizations at greater risk than they know.”
He adds that organizations need to treat IT security with the priority it deserves. “Take a step back, conduct an objective risk assessment, develop a meaningful and integrated plan for remediation, and resource it properly,” McMillan suggests. “The money spent on doing it right up front will be far less than the potential negative outcomes, including the cost of doing it wrong. Recent OCR fines demonstrate this point.”
E-Mail Encryption — A Safe Harbor
Effective healthcare delivery typically involves collaboration and information sharing. E-mail remains the only ubiquitous network that is well understood and efficient for the electronic exchange of healthcare information. The problem is that e-mail is insecure by default: a message’s subject, body, and attachments travel and sit in mailboxes as plain text unless the sender or an intermediary encrypts them.
These two factors have caused health plans and healthcare providers to turn to companies such as Zix Corporation (ZixCorp) in an effort to make their e-mail operations more secure. By enlisting these services, providers can help address the security of patient privacy, the protection of business partners, and compliance with healthcare regulations. ZixCorp’s service, for example, encrypts sensitive e-mail in transit so that it cannot be read as it crosses the Internet. Encryption in transit addresses interception on the network; protecting a message once it is stored in a mailbox at either end is a separate control.
“Prior to HIPAA 2.0 and the HITECH Act, some healthcare organizations chose to implement paper-based policies and employee training as a means of satisfying their regulatory requirements,” says Rick Spurr, ZixCorp’s chairman and CEO. “After the updates and the changes ushered in via the HITECH Act, healthcare organizations no longer feel the same comfort with manual procedures. The problem with this approach is twofold. First, it is subject to human error, and secondly, it restricts the usage of e-mail, a great, well-understood vehicle for effective and efficient communication. They realize they need an automated solution to enforce their policies.”
He adds that healthcare organizations must increase their awareness of protecting patient privacy and are looking to e-mail encryption as a safe harbor for ensuring that sensitive information gets transmitted only to its intended recipients.
“An audit of your outbound e-mail traffic can offer a glimpse into the gravity of the problem. Even if a healthcare organization is sending PHI in only 1% of its overall outbound e-mail, about 100 of 10,000 e-mails per day will contain sensitive information,” Spurr says. “It takes only one e-mail containing information on 500 patients to land your healthcare organization on the OCR list, in the news, and on the minds of concerned patients.”
Spurr explains that a policy-based e-mail encryption solution automatically scans the e-mail subject line, content, and attachments and then encrypts as appropriate. “Other non–policy-based approaches can result in complicated security measures that often frustrate patients, physicians, nurses, staff, and business partners,” he says.
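To make the policy-based scan Spurr describes concrete, the following Python is an added example written for this article, not ZixCorp’s product or any vendor’s rule set. It parses an outbound message the way a mail gateway would, runs a small set of rules over the subject line, the body text, and the text of each attachment, and returns whether the message should be encrypted and which rule fired where. The three patterns, the MRN number format, the addresses, and the two sample messages are all assumptions constructed for the example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Rule set a policy-based gateway would evaluate. These patterns and the
# MRN format are assumptions for the example, not any vendor's shipped rules.
RULES = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "clinical_term": re.compile(
        r"\b(diagnos(?:is|ed)|lab results?|prescription)\b", re.IGNORECASE),
}


def _scannable_text(part):
    """Return the text of a non-multipart MIME part.

    Text parts are decoded by the email library. Binary attachments are
    decoded leniently so plain-text payloads inside them still match; a
    production gateway would add format-aware extraction (PDF, DOCX) here.
    """
    content = part.get_content()
    if isinstance(content, bytes):
        return content.decode("utf-8", errors="ignore")
    return content if isinstance(content, str) else ""


def scan_message(msg):
    """Run every rule over subject, body and attachments.

    Returns ("encrypt", hits) or ("send", []), where hits is a list of
    (rule name, location) pairs explaining why the message was flagged.
    """
    hits = []
    subject = str(msg.get("Subject", ""))
    for rule, pattern in RULES.items():
        if pattern.search(subject):
            hits.append((rule, "subject"))
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        if part.is_attachment():
            location = "attachment:" + (part.get_filename() or "unnamed")
        else:
            location = "body"
        text = _scannable_text(part)
        for rule, pattern in RULES.items():
            if pattern.search(text):
                hits.append((rule, location))
    return ("encrypt" if hits else "send"), hits


def scan_raw(raw_bytes):
    """Gateway entry point: parse the wire-format message, then scan it."""
    return scan_message(message_from_bytes(raw_bytes, policy=policy.default))


def build_sample(subject, body, attachment=None):
    """Construct a sample outbound message (constructed data, not real PHI)."""
    msg = EmailMessage()
    msg["From"] = "nurse@hospital.example"
    msg["To"] = "referrals@clinic.example"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        filename, text = attachment
        msg.add_attachment(text, subtype="csv", filename=filename)
    return msg


# Two constructed messages: one that should be encrypted, one that should not.
SAMPLE_PHI = build_sample(
    "Referral",
    "Lab results for MRN 00123456 attached.",
    ("labs.csv", "name,diagnosis\nJane Doe,Type 2 diabetes\n"),
)
SAMPLE_CLEAN = build_sample("Lunch on Friday?", "Cafeteria at noon.")

if __name__ == "__main__":
    for label, sample in (("PHI", SAMPLE_PHI), ("clean", SAMPLE_CLEAN)):
        print(label, scan_raw(sample.as_bytes()))
```

The decision is driven by content rather than by asking the sender to remember a “[secure]” subject tag, which is the human-error problem Spurr raises. In practice the keyword rule is the noisy one and gets tuned against an audit of real outbound traffic; the identifier rules are what catch the 1% that matters.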
Eric Knight, senior knowledge engineer at LogRhythm, which provides healthcare organizations with the means to proactively protect ePHI as well as the tools to identify the individuals who perpetrate data breaches, says healthcare organizations need to collect, securely store, and provide ready access to all ePHI-related log data for internal and external auditing and compliance.
LogRhythm collects audit, security, and operations logs from systems in the ePHI environment to create an official record of events. During the collection process, the tool identifies key events that signal a cause for action, such as breaches, system failures, or inappropriate usage. Using correlation across those sources, it can check for suspicious or hostile activity by looking for deviations from the expected pattern of specific IT activities. LogRhythm provides this capability in real time and can notify administrators directly of activity that threatens the privacy and security of ePHI.
“Accomplishing this with high volumes of data from a multitude of device types and formats is overly resource and infrastructure intensive for most organizations,” Knight says. “Tracking individual user behavior and understanding the relevant context of that activity has historically been a time-consuming and manual process—assuming that the organization knows where to look in the first place. Organizations that experience an ePHI data breach are required to provide accurate forensic data containing all relevant details about the incident in a timely fashion. However, most IT groups are ill equipped to comply with such mandates, exposing their organizations to hefty fines and additional risks.”
Knight adds that hospitals can put strict processes in place for defining what constitutes appropriate access and can implement solutions such as log and event management designed to audit and report on activity that violates these policies in a secure, real-time fashion.
Part of the challenge facing healthcare organizations is how to effectively limit staff access to EHRs. It’s difficult, to say the least.
“Traditional approaches to detecting inappropriate access to electronic health records require dedicated IT staff and burden privacy and compliance officers with huge volumes of activity logs to investigate,” explains Alan Norquist, CEO of Veriphyr, which uses an on-demand service model to detect unauthorized personnel accessing patient files.
The rules governing access can get cumbersome because they change as the patient moves throughout the organization.
“The problem lies in static rules and scenarios that yield too many false-positives and false-negatives,” Norquist says. “For example, they cannot differentiate between appropriate access by a nurse looking at the records of a current patient and inappropriate access when the same nurse looks at the records of the same patient after the patient has been transferred to a different unit where the patient is under the care of a different nurse. Only a combination of privacy training and a reliable medical snooping detection capability will deter unauthorized access by employees.”
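The nurse-and-transfer case Norquist describes, and the cross-source correlation that the LogRhythm description above depends on, come down to one thing: the access log alone cannot say whether an access was appropriate, so it has to be joined with the record of where the patient was. The Python below is an added example, not Veriphyr’s or LogRhythm’s code. It correlates a constructed EHR access log (one JSON object per line) with a constructed ADT admit/discharge/transfer feed (CSV), works out which unit the patient occupied at the moment of each access, and flags accesses from a unit the patient had already left. A short grace window after a transfer is included so the sending nurse can finish hand-off documentation without raising a false positive. Both log formats, every field name, the user and patient identifiers, and the 30-minute window are assumptions.

```python
import csv
import io
import json
from bisect import bisect_right
from datetime import datetime, timedelta

# Constructed sample data in two hypothetical formats: an EHR access log as
# JSON lines and an ADT feed as CSV. Neither is a real vendor format.
# Patient P1001 is on unit 4W until 13:30 on June 1, then moves to the ICU.
EHR_ACCESS_LOG = """\
{"ts": "2012-06-01T08:05:00", "user": "nurse.adams", "role": "RN", "unit": "4W", "patient": "P1001", "action": "view_chart"}
{"ts": "2012-06-01T13:45:00", "user": "nurse.adams", "role": "RN", "unit": "4W", "patient": "P1001", "action": "transfer_note"}
{"ts": "2012-06-01T21:40:00", "user": "nurse.adams", "role": "RN", "unit": "4W", "patient": "P1001", "action": "view_chart"}
{"ts": "2012-06-01T22:10:00", "user": "nurse.baker", "role": "RN", "unit": "ICU", "patient": "P1001", "action": "view_chart"}
"""

ADT_FEED = """\
ts,patient,event,unit
2012-05-31T14:00:00,P1001,admit,4W
2012-06-01T13:30:00,P1001,transfer,ICU
"""


def parse_adt(text):
    """Turn the ADT feed into a sorted (timestamp, unit) timeline per patient."""
    timelines = {}
    for row in csv.DictReader(io.StringIO(text)):
        timelines.setdefault(row["patient"], []).append(
            (datetime.fromisoformat(row["ts"]), row["unit"]))
    for events in timelines.values():
        events.sort()
    return timelines


def find_snooping(access_text, adt_text, grace_minutes=30):
    """Flag chart accesses from a unit the patient was not on at that moment.

    A static rule ("RNs may read charts of patients on their unit") passes
    every line in the sample; joining each access to the ADT timeline is what
    makes the 21:40 access by nurse.adams stand out.
    """
    timelines = parse_adt(adt_text)
    grace = timedelta(minutes=grace_minutes)
    flagged = []
    for line in access_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        when = datetime.fromisoformat(ev["ts"])
        events = timelines.get(ev["patient"], [])
        # Index of the last ADT event at or before the access time.
        i = bisect_right([t for t, _ in events], when)
        patient_unit = events[i - 1][1] if i else None
        if patient_unit == ev["unit"]:
            continue  # patient was on the user's unit: appropriate access
        moved_at = events[i - 1][0] if i else None
        previous_unit = events[i - 2][1] if i >= 2 else None
        if previous_unit == ev["unit"] and when - moved_at <= grace:
            continue  # just transferred out of the user's unit: hand-off work
        flagged.append({
            "ts": ev["ts"], "user": ev["user"], "patient": ev["patient"],
            "user_unit": ev["unit"], "patient_unit": patient_unit,
        })
    return flagged


if __name__ == "__main__":
    for hit in find_snooping(EHR_ACCESS_LOG, ADT_FEED):
        print(hit)
```

Run as-is it reports a single hit, the 21:40 access from 4W after the patient had been in the ICU for eight hours; the 13:45 access falls inside the grace window and the ICU nurse’s access matches the patient’s current unit. Setting `grace_minutes=0` shows the trade-off Norquist points at: the hand-off note becomes a second finding, which is the kind of false positive that buries a privacy officer when the rule is too static.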
— Leslie Feldman is a freelance healthcare writer and marketing communications consultant in Philadelphia.