Surveys and published healthcare statistics are a double-edged sword. In one sense, they can validate or negate a hypothesis. On the other hand, they are often generated from a limited point of view within a particular industry or function, and must be read with a healthy dose of skepticism. However, when multiple surveys and studies all point to the same conclusion, these findings warrant some attention.
People are usually the most important asset of any organization, but they can also be one of the biggest liabilities. Such is the case with data security in healthcare, where the evidence points to humans (or “insiders” in security parlance) as a major factor in the success or failure of a security program. In a report from the Ponemon Institute, more than 78 percent of respondents say negligent or malicious employees or other insiders have been responsible for at least one data breach within their organizations over the past two years. This finding is borne out again in a HIMSS survey published in 2014, which polled 283 IT and security professionals, and concluded that the greatest “threat motivator” was that of employees accessing or snooping in the electronic protected health information (ePHI) of others, due to inappropriate access to the data.
You may think your organization’s network perimeter controls and measures are your strongest assets for meeting security and compliance requirements, but internal controls to ensure appropriate employee access are equally important. Unfortunately, healthcare IT departments historically receive 2 or 3 percent of an organization’s budget, compared to more than 20 percent in the retail and financial industries. The lack of adequate funding to address security only increases the challenges faced by the healthcare industry. The lack of budget, coupled with IT requirements such as HIPAA compliance, ICD-10 and electronic health records (EHR) implementations, increases exposure to security threats. At the same time, IT departments may neglect to conduct basic assessments such as penetration tests and vulnerability scans, and for this reason may be less secure than their counterparts in the banking and finance industries.
It’s true that hospital IT departments have significant challenges. BYOD (Bring Your Own Device) trends, big data initiatives surrounding health information exchanges and Accountable Care Organizations, and Meaningful Use compliance make it difficult to invest in comprehensive security. But there are several simple, effective measures that can go a long way toward safeguarding electronic health information data. Just as simple measures such as hand washing enforcement have been shown to greatly reduce the risk of hospital-acquired infections, simple data security measures can reduce the risk of a breach.
Implementing prevention measures such as access governance, endpoint security management (including full-disk encryption), security information and event management (SIEM) and security intelligence can reduce the human factor risk in security. Beyond these automated tools, staff training is essential. All employees should be trained to notice suspicious behavior and report it in a timely manner. Breaking security rules should invoke sanctions that are spelled out clearly and often. Frequent reinforcement and education are crucial adjuncts to automated and service-based security measures.
In addition to security training and a robust monitoring plan (knowing what traffic is moving between servers and all devices and endpoints), identity and access management, intrusion detection and prevention, and incident response are all imperative aspects of a security program. Although poor employee security habits due to insufficient training are a primary factor in insider threats, malicious intent is an even larger problem. A 2010 study from the US Secret Service concluded that malicious attacks from insiders were more often successful and caused more than three times the financial damage of attacks by outside malicious actors, despite their smaller numbers. Healthcare information is extremely lucrative on the black market, fetching even more than Social Security numbers and credit card data, in many cases more than $50 per record, and it can then be used to commit fraud or identity theft. Some employees may be tempted by the financial rewards, especially if your controls are not strict and visible.
The HIMSS survey mentioned earlier found that while 92 percent of respondents had conducted a risk analysis (a primary requirement for Meaningful Use attestation), and 74 percent annually tested their security response plan, a full 19 percent had experienced a data breach in the previous 12 months. These findings indicate that having a response plan and automated tools and conducting a risk analysis are all necessary, but not sufficient, to maintain security and protect against insider threats. To truly secure the organization, the following steps are necessary to address the human element of risk:
• Train employees on good security habits and emphasize the threat posed by lax security.
• Frequently reinforce the security behaviors you want and make sure employees understand the sanctions for breaking security rules. Remind employees to avoid bad habits such as shared group passwords and “sticky note passwords” at workstations.
• Require employees to change passwords frequently and have controls to enforce the requirement.
• Use a single sign-on solution that protects user sessions as employees log on and off from various workspaces.
• Systematically examine logs to identify phishing attempts and train employees to recognize these attempts and respond appropriately.
• Eliminate default passwords (a recent study concluded that a relatively small set of common passwords was responsible for half of malicious insider attacks). Have standards to ensure strong passwords that are not easily compromised.
Although security can be a complex and challenging beast, the 80/20 rule (80 percent of problems stem from 20 percent of the risk factors) applies here: many breaches and cyber-attacks stem from factors that can be controlled relatively easily by managing the human element of security through regular training, monitoring, reinforcement, planning and identity/access management.
Cliff Bleustein, M.D., M.B.A., is executive director, chief medical officer, and global head of healthcare consulting for Dell Services. Dr. Bleustein helps customers by providing an in-depth understanding of the current problems facing healthcare executives and recommends innovative solutions to prepare for future business needs.