PHI cyber theft is on the rise.
Ponemon Institute Reports in its Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, that nearly 90 percent of all healthcare organizations have suffered at least one data breach in the last two years.
This phenomenon results from a confluence of trends. In addition to the increasing sophistication of cyber attackers, many healthcare organizations lag behind retail and financial organizations when it comes to creating hardened, multilayered security defenses.
These companies are held back by three industry trends. First, tight budgets, driven by the shift from a fee-for-service payment model to a pay-for-performance model, result in organizations stretching to meet all of their cyber security needs.
Next, healthcare and insurance providers are encouraging consumers to access information and file claims electronically. Healthcare providers are increasingly moving to computerized physician order entry (CPOE) systems, potentially placing even more information at risk.
Finally, healthcare IT teams are often consumed with ensuring the ongoing performance of advanced healthcare equipment as well as the ongoing move to EHRs, reducing the resources available to focus on cybersecurity.
Further aggravating this situation is the fact that unlike credit card fraud, which victims typically discover within a matter of hours or days, PHI theft can go undetected for years.
What are the effects of healthcare data breaches?
The costs of healthcare breaches are both obvious and subtle.
The obvious ones are documented regularly; the subtle ones are much less covered, but can be equally pernicious.
One is the time associated with investigations that can require large amounts of data, policy, and procedure requests that pull resources away from routine monitoring, detection and mitigation of new threats.
Another is time and budget spent on retaining third-party experts to identify where and how breaches occurred.
The healthcare industry faces challenges beyond those impacting most industries since so much information is shared across many different users, providers, and devices. When patients, healthcare devices equipped with sensors to manage performance and reliability, and operations teams all share data across multiple entities, the integrity of that data is only as strong as the weakest link.
As people and devices create and share an increasing amount of healthcare information, the threat only becomes greater. Current laws have not kept up with the rapidly evolving security needs of the healthcare industry.
What regulations are currently in place?
HIPAA, enacted in 1996, and HITECH, enacted in 2009, are the two critical laws governing healthcare industry information.
The HIPAA Privacy Rule and Security Rule protect the privacy and security of certain health information.
The Privacy Rule sets national standards for protection of “individually identifiable” health information. The Security Rule creates a set of security standards for protecting certain health information that is held or transferred electronically. It addresses technical and non-technical safeguards that organizations classified as “covered entities” must implement to secure ePHI.
The HITECH Act was a component of President Barack Obama’s stimulus package. Due to the expansion of healthcare-related information shared electronically, it expands the scope of the Privacy and Security Rules and increases the potential legal liability for non-compliance.
Most recently, President Obama issued Executive Order 136346, “Improving Critical Infrastructure Cyber Security.”
As a result, the National Institute of Standards and Technology (NIST) has created a Cybersecurity Framework composed of best practices from multiple standards bodies that have proven to be successful in the past. The Framework includes four components: Profile, Implementation Tiers and Core.
The Profile enables organizations to measure their existing cybersecurity initiatives against recommended practices in the Framework Core. These include processes, procedures, and technologies, such as asset management, alignment with business strategy, risk assessment, access control, employee training, data security, event logging, and analysis and incident response plans.
Implementation tiers allow organizations to utilize the profile completed to rank themselves based on four tiers of cybersecurity maturity.
These range from Tier 1, where risk management is ad hoc with limited awareness of risks; up through Tier 4, where risk management processes and programs are based on lessons learned, embedded in the culture and proactive collaboration both within and outside the organization are in place.
The Framework Core defines standardized cybersecurity activities and is organized by five continuous activities: identify, protect, detect, respond, and recover. It represents an ongoing cycle that when executed well, represents effective cyber security.
In addition, the Framework encourages effective collaboration among organizations that share data. A recent PwC study found that 82 percent of companies with high-performing security practices collaborate with others to achieve these goals.
Some healthcare organizations are recognizing the benefits of moving data to cloud providers that focus on healthcare. This move reduces the need to purchase, maintain and upgrade information security infrastructure through the organization’s own adaptive defense architecture, and it also minimizes the need to hire either internal staff or third-party experts to keep security up to date.
HIPAA-compliant cloud providers focusing on healthcare often have already invested in an attack prevention strategy that includes firewalls, intrusion detection, intrusion prevention, sandboxes and other solutions that protect data by analyzing and mitigating threats.
Why HIPAA compliance doesn’t guarantee data security
As with every industry, the question has shifted from whether an organization in the healthcare ecosystem will be exploited to when it will happen and how severe the breach will be.
As healthcare organizations address these challenges, they often fall into one or more common traps that can deflect their attention and resources away from actual cyber security threats.
The first is mistaking compliance for security and risk management.
Just because an organization is in compliance with HIPAA, HITECH and other regulations, doesn’t necessarily mean the organization is secure.
The broader healthcare ecosystem of companies includes significant IT complexity and legacy systems that were never designed, coded or tested against security best practices.
Layering new systems on top of these to support ePHI and other initiatives may in many cases only add to complexities and increased vulnerabilities.
Focusing on the healthcare facility versus the healthcare ecosystem is another trap.
The potential attack opportunities for hackers grow exponentially with the number of data handlers involved in the ecosystem.
While all of these organizations have responsibility to meet regulatory requirements, gaps can occur when these organizations then share data beyond their networks and security infrastructure.
Tushar Kothari is chief executive officer of Attivo Networks, a provider of deception solutions for cyber security defense.