- The American Hospital Association’s Hospital & Health Networks (H&HN) Most Wired rankings showed that more organizations are finding successful ways to balance innovation and healthcare data security.
St. Luke’s University Health Network was one of the healthcare institutions on that list, and has been working to embrace new technologies to prioritize patient care, but also ensures that patient data remains secure.
Employees at all levels need to understand how the entire organization is approaching data security and privacy measures, according to St. Luke’s Director of Information Security David Finkelstein.
Finkelstein oversees the organization's overall information security strategy and its tactical planning, and holds primary responsibility and accountability for the integrity of all of the organization’s confidential data. This includes patient, employee, and financial data, as well as any proprietary information, he told HealthITSecurity.com.
He is also responsible for access control, both internally with St. Luke’s employees and externally with non-employees, vendors, and contractors. Finkelstein added that he also handles security awareness and education, as well as ensuring that users, employees, and contractors are all doing the right thing when it comes to day-to-day operational security and the use of the network as a whole.
He has a law degree, which is partly why he was brought on board to St. Luke’s, Finkelstein explained.
“My law background, as well as the IT background and understanding security – just being able to understand HIPAA – were key reasons I was brought here,” he said. “I am able to talk to attorneys about those type of strategies and can implement the technical requirements we need to make the organization safe.”
Utilizing a comprehensive data security approach
St. Luke’s has a single sign-on platform that lets it offer its critical applications in a very controlled, safe environment, Finkelstein explained.
“It obviously requires authentication, both internal and external, and then it really allows us to control who's allowed to have access to it and why,” he said. “There's a pretty arduous onboarding process that starts at HR and goes all the way through to my access control team.”
“We evaluate requests that come through,” Finkelstein continued. “We get anywhere from 75 to 100 requests a day requesting access to various aspects of the organization.”
St. Luke’s IT, payroll, HR, and finance departments have two-factor authentication attached to the platform, which ensures an extra layer of security to those areas that have access to most of the sensitive information across the organization.
“We've also got what's called data loss prevention, which is a really big, useful piece of software or application that ensures that data that leaves the organization leaves appropriately and to the appropriate individual,” he noted. “If an employee is trying to send patient information to an insurance carrier, or some other approved or contracted organization, we send it encrypted and where it's free of any malicious software. But then also we evaluate that.”
Finkelstein added that the DLP system will ensure the person who is sending the data has the authorization to send it. This helps ensure that what is being sent does not constitute a breach or a security incident.
From there, the system does a check to make sure the information is encrypted if the person is authorized to send the data out.
“It also makes sure that if a malicious individual would try to do that, such as an internal employee trying to email something to himself through his St. Luke's email and then try to access that remotely, the data loss prevention system acts upon that as well,” he said.
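The three DLP checks described above (sender authorization, approved recipient with enforced encryption, and an employee forwarding patient data to his own external mailbox) modelled as a policy function; this is an added example, not St. Luke’s DLP product, and the domains, sender list and MRN pattern are constructed assumptions.

```python
"""Outbound-mail DLP policy check (added example; not St. Luke's code)."""
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "hospital.example"                   # assumption
APPROVED_PARTNERS = {"insurer.example"}                # assumption: contracted carriers
AUTHORIZED_PHI_SENDERS = {"claims@hospital.example"}   # assumption: roles allowed to release PHI

# Constructed PHI detector: a medical record number shaped like MRN-1234567.
MRN_RE = re.compile(r"\bMRN-\d{7}\b")


@dataclass
class Message:
    sender: str
    recipient: str
    body: str


def _local_part(addr: str) -> str:
    return addr.split("@", 1)[0].lower()


def _domain(addr: str) -> str:
    return addr.split("@", 1)[1].lower()


def dlp_decision(msg: Message) -> str:
    """Return 'allow', 'allow_encrypted' or 'block:<reason>' for one message."""
    if not MRN_RE.search(msg.body):
        return "allow"                      # no patient data: outside DLP's scope
    if _domain(msg.recipient) == INTERNAL_DOMAIN:
        return "allow"                      # stays inside the network
    # Same person routing PHI to a personal mailbox for later remote access,
    # e.g. jdoe@hospital.example -> jdoe@personal.example, is blocked regardless
    # of the sender's authorization.
    if _local_part(msg.sender) == _local_part(msg.recipient):
        return "block:self_forward"
    if msg.sender.lower() not in AUTHORIZED_PHI_SENDERS:
        return "block:sender_not_authorized"
    if _domain(msg.recipient) not in APPROVED_PARTNERS:
        return "block:recipient_not_approved"
    return "allow_encrypted"                # approved partner: enforce encryption


if __name__ == "__main__":
    # Constructed sample messages.
    print(dlp_decision(Message("jdoe@hospital.example", "jdoe@personal.example", "MRN-1234567 labs")))
    print(dlp_decision(Message("claims@hospital.example", "intake@insurer.example", "MRN-1234567")))
```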
St. Luke’s also utilizes a web content filtering system that ensures that individuals in the organization only go to appropriate websites that have been authorized and approved. These sites are free from malicious software and malicious content that would potentially impact the business, Finkelstein stated.
“We've got a few threat defense-type applications or systems, Proofpoint being one of them, that ensures that our email is safe,” he reported. “If we get a phishing email, then we can detonate that in a sandbox, see what it's doing, and then block that malicious URL or malicious link.”
Additionally, St. Luke’s web content filter is configured so that even if an individual clicks on the link while inside the network, the system blocks the resulting external traffic from coming in.
“This protects users to make sure if they do make a mistake – they are human – that we're adding that extra layer of defense onto those individuals,” he pointed out.
The health system’s firewalls have also been upgraded recently, allowing St. Luke’s to ensure that any external traffic coming in is approved and safe. They also let vendors come into the organization through an authenticated process.
“We have a vendor access SOP that ensures any of our vendors that don't need to have access on a continual basis only get in when they need to,” Finkelstein explained. “It really helps with our privacy of our network as well as our data. We make sure that we control who comes in, we control who comes out.”
“We really require that all of our vendors either authenticate with us – so they use two-factor authentication as well – as well as our contractors, consultants, etc. that are accessing our network remotely more often than they would be internally.”
Finally, St. Luke’s has advanced threat protection, a system that alerts the organization when a threat is coming in. It also lets St. Luke’s be proactive in combatting that potential threat.
“It's on all of our end devices and it really allows us to see a threat before it actually comes in,” Finkelstein recalled. “It allows us to make sure that any of the applications, any of the documents, any of the data that that user has would in fact be safe from that threat. We can see it before it even causes the infection.”
Focusing on employee training for security, compliance
Users need a comprehensive education on compliance, and also need to understand the technology perspective, Finkelstein explained.
St. Luke’s has a “break the glass” approach that discourages employees from accessing data beyond what they are allowed to see, while recording it when they do.
“If you're going to go beyond what you're supposed to see, we warn you three or four times,” he said. “And if you do go past that, our compliance team, as well as my team, does audits on that on a monthly basis to make sure those were valid or authorized moves beyond what you're originally allowed to have access to.”
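The break-the-glass flow described above (in-scope access passes silently, out-of-scope access is refused until the user has acknowledged the warnings, and every override is logged for the monthly audit) as an added example, not St. Luke’s own system; the role scopes, the warning count of three and the sample events are constructed assumptions.

```python
"""Break-the-glass access control with warning threshold and monthly audit."""
from dataclasses import dataclass
from datetime import date

WARNINGS_BEFORE_OVERRIDE = 3   # assumption: the article says "three or four times"

# Constructed role scopes: units a role may view without breaking the glass.
ROLE_SCOPES = {
    "cardiology_nurse": {"cardiology"},
    "billing_clerk": {"billing"},
}


@dataclass
class AccessEvent:
    day: date
    user: str
    role: str
    patient_unit: str
    acknowledged_warnings: int   # warnings the user has clicked through
    justification: str = ""      # free-text reason entered at override time


@dataclass
class AuditRecord:
    event: AccessEvent
    decision: str                # "in_scope", "warned_and_denied" or "override"


def evaluate(event: AccessEvent) -> AuditRecord:
    """Allow in-scope reads; outside scope, grant only past the warning threshold."""
    if event.patient_unit in ROLE_SCOPES.get(event.role, set()):
        return AuditRecord(event, "in_scope")
    if event.acknowledged_warnings < WARNINGS_BEFORE_OVERRIDE:
        return AuditRecord(event, "warned_and_denied")
    # Glass broken: access is granted but flagged for compliance review.
    return AuditRecord(event, "override")


def monthly_audit(records, year: int, month: int):
    """Overrides in the given month that carry no justification, for the audit team."""
    return [r for r in records
            if r.decision == "override"
            and (r.event.day.year, r.event.day.month) == (year, month)
            and not r.event.justification.strip()]


if __name__ == "__main__":
    # Constructed sample events for one month.
    log = [evaluate(AccessEvent(date(2017, 10, 3), "nurse1", "cardiology_nurse", "oncology", 3, "ED consult")),
           evaluate(AccessEvent(date(2017, 10, 4), "clerk1", "billing_clerk", "oncology", 3))]
    print([r.event.user for r in monthly_audit(log, 2017, 10)])   # clerk1 needs review
```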
The organization has stepped up its employee education over the past 18 months, Finkelstein added. On a quarterly basis, St. Luke’s sends out a scenario-based presentation that employees go through.
These presentations focus on numerous data security areas, including phishing, malware, and URL defense to help people understand that these are things they need to look for and pay attention to.
“Back in March we did a full-fledged phishing attack to see how people were doing,” Finkelstein recalled. “The nice thing for us is that we had less than 9 percent of our organization click the link. An organization our size of over 12,000 – not to include all the non-affiliated providers, contractors, consultants – that's a significant win.”
“We still had people that clicked on it, so we're focusing on those individuals to help them understand what to do and what not to do,” he continued. “But, the other 11,000 to 11,500 individuals are definitely understanding what they're looking at.”
The WannaCry ransomware and NotPetya attacks have also been significant teaching points, Finkelstein noted.
“We've used those as significant examples to really drive the point home that you have to pay attention to what you're doing in the organization,” he said. “This is especially true when it comes to email because that is really the top way that a lot of these viruses and a lot of these systems are getting infected.”
Key privacy, security focus areas for the industry
The current state of healthcare cybersecurity brings forth numerous pain points for providers. Finkelstein, though, highlighted vendor risk management and biomedical risk management as key focus areas.
“There are so many different applications and systems out there that provide some type of niche or fully fledged service for the smallest practice all the way to the largest healthcare organization in the country,” he explained. “All of them provide some level of service, but what I've seen over the last couple of years is that the vendors really aren't pushed by the healthcare entities to be secure and to have the level of security that they need. Even the baseline level of security.”
Additionally, authentication and access control are critical for comprehensive healthcare data security.
HIPAA regulations require an accounting of every individual who comes into a network, and Finkelstein stressed that entities really do need to understand this aspect.
“A lot of times what will happen is the vendors, because either they're too big or maybe even they're too small, they push the covered entity around,” he stated. “They might say, ‘Look, if you want this service, this is the way we have to do it.’ You really have to push back and say, ‘No, this is the way we need to do it. We need to make sure that we authenticate anyone who's coming in and out of the network.’”
Finally, patch management and vulnerability management need to be considered by healthcare organizations of all sizes.
“Patching is the baseline security feature,” Finkelstein maintained. “It's not even level one. It's like level point five. If you patch your systems, it's been proven that a large, large percentage of the cyber attacks that have occurred over the last six months would never have occurred if the healthcare entities were patching within at least 30 days of the patch being released. Entities must also have a policy and process in place for zero day attacks.”
Every single user in an organization needs to be effectively and efficiently approaching privacy and security, he concluded. Individuals need to understand what they can and cannot do.
“Any good cybersecurity intelligence person will tell you the number one threat to any organization is the person who worked for the organization,” Finkelstein stressed. “That’s because it takes one little mistake to cause a catastrophic failure. You really have to be persistent and you really have to be passionate about figuring out the way to get to the last person.”