There’s little doubt the healthcare industry’s perception of security and compliance has changed to a serious one within the past few years. While regulatory demands and business needs are certainly strong drivers, what should healthcare organizations be focusing on as cybersecurity threats grow in stature?
Eric Cowperthwaite of Core Security and former CISO for Providence Health discussed with HealthITSecurity.com how identifying risks early on can help reduce exposures. The days of organizations that put effort into IT security being only large hospital systems and other organizations that had some sort of significant problem are certainly over. According to Cowperthwaite, there are a few indicators within the past 12-18 months that leads him to believe healthcare organizations, large and small, across the country are focusing on information security.
“First is the amount of information security leaders hiring that’s being done,” he said. “And the second piece of it is the number of organizations that are sending their people to [security] conferences and training to help them interact with products and services providers.”
Many of these changes have been driven by regulatory compliance, such as HIPAA, HITECH and Meaningful Use, but Cowperthwaite said there are other regulatory considerations, such as any hospital system being a tier 1 PCI merchant. Beyond compliance, the reality these days is that these organizations have a lot of data and there a lot of “bad actors” out there who like to steal data. There are main areas of focus that organizations should be beginning to worry about. First, Cowperthwaite said, though everyone is concerned about PHI disclosures because of bad publicity and potential fines, the other side of PHI disclosures is medical insurance fraud.
“We need to realize that healthcare organizations are repositories for just about any identifiable information about a single person that you would ever need,” he said. “Some other countries are interested in using their cyber warfare capabilities to steal commercially-important data that they can provide to [criminals].”
Another area of real interest is medical research. If a criminal can monetize treatment for heart disease, for example, that may be pretty lucrative. When Cowperthwaite was the Providence Health CISO and in meetings with the FBI and Secret Service, they informed him as to how big of an issue this will be and Providence began looking at how well protected its research data was at the time. “When we look at the landscape of Chinese government cyber warfare and the fact that they are highly-interested in corporate intellectual property, organizations that do medical research should look at the potential financial losses,” he said.
Retail lessons learned
Most consumers are aware that retail has been heavily targeted by credit card cyber criminals, as a number of data breaches have been well-publicized. But the way Cowperthwaite sees it, as retail fixes its problems, those criminals are going to shift their focuses elsewhere and begin looking at healthcare because it’s another large repository of credit card data and insiders are aware of healthcare’s security weaknesses. Target was likely breached through one of their HVAC vendors and better awareness in working with business associates (BAs) can help mitigate risks, he said.
The lesson to be learned for healthcare providers that are linked to BAs, such as EMR providers, through private networks is to know who these entities are. Next, they need to vet them properly and ensure that they have good security. Lastly, you need to limit their access to just what they need to have. Given the fact that the typical hospital system has dozens of other organizations that it’s connected to network-wise, this is going to be a big issue in healthcare.
Cowperthwaite added that other big lesson is that the breached retail organizations had all the information they needed to show they were being breached and to stop it before it became a problem. But they didn’t have a way to make sense of the data and make it actionable.