Employees and human error often top the list of the healthcare sector's biggest threats. Because they are the ones who click malicious links, engage with targeted phishing campaigns and mistakenly send emails to the wrong recipient, it is easy to place the blame on human error.
In fact, the third-quarter Protenus Breach Barometer found that 23 percent of breaches were caused by insider incidents, accounting for 2.9 million breached patient records.
To Mark Bower, Chief Revenue Officer and Data Security Expert for Egress Software, it’s about supporting employees to meet security best practices and using technology to simplify the process.
“Healthcare is not a user-centric environment,” said Bower. “But security is about patient health, and that's how to drive different behavior.”
Where’s Your Perimeter?
Just 10 years ago, healthcare organizations treated security as wrapping some kind of protection around the perimeter.
“In today’s world with cloud, mobility and the need for rapid sharing — where is your perimeter now?” Bower noted. “When you think about a particular piece of data, it’s not in a convenient perimeter. And there isn’t really a perimeter anymore. It’s really where the user is accessing the data.”
“Ultimately, to reduce that kind of risk and enable business agility, an organization needs to protect the data and do it at the level of the user,” he continued. “You need to be able to identify the user, allow them access and enable the user to correspond using secure communication.”
To Bower, the user is “absolutely not the last line of defense, but the first place that risk starts and where the data originates.”
Users need to be wrapped in powerful tools, he explained. “We know human behavior. If they have a roadblock, they’ll find a way around it if they need to get something done.”
Margarita Gonzalez of the Georgia Tech Research Institute shared similar thoughts at the HIMSS Security Forum in October.
“It’s not human-centered security — it’s human-centered everything,” Gonzalez said. “Everything you have in a healthcare setting is supposed to be used by people. A lot of the talk is that humans are the weakest link. But the reality is that the human is actually an asset to the organization.”
“So how do we design security interventions — so not just technology, but a holistic approach to policies, procedures, operations — that are human-centered? So together, with technology, you now have human-centered security,” she added.
Data Sharing Best Practices
Reports, clinical results, diagnostics and other sensitive data require built-in security, Bower explained.
“Unfortunately, the way healthcare organizations share data today is with more clunky, complex tools,” he said. “And most tools for information protection and sharing are difficult to use, as they’re centered around tech-users.”
“The way to look at it is: How do we ensure employees meet best practices in securing personal data, especially in healthcare?” Bower added.
HIPAA and the HITECH Act are helpful because they require organizations to think about how to label data as sensitive and, as he explained, to “ultimately manage that so the end users don't have to make risk decisions themselves.”
Bower noted that to get there, organizations need to think of the user as the perimeter of the business, since users are the ones processing and handling information.
“The first step is to classify information: essentially tagging the information so that it can be treated according to the risk it contains, like HIPAA patient data,” said Bower. “You can't expect users to make that decision themselves. You need automation tools to guide users through that process.”
“Organizations not only benefit from those tools, but the user also has a learning process to go through,” he continued. “It creates awareness for the user and a relationship with the data, while the tools and technology should be able to handle the processing of that information and how it's classified.”
Next, organizations should evaluate and embrace some of the more innovative technologies designed to protect sensitive data, Bower explained. Encryption in particular can shore up some of these serious weaknesses, given that many organizations have no process to eradicate emails after they've been sent.
As a result, plenty of this data remains dormant in email accounts. As seen in several recent breaches caused by phishing attacks, leaving patient data in emails is a serious risk.
“Most organizations today have built security strategies on more traditional techniques,” said Bower. “And what that leads to is a lot of exposure of information in things like email systems, inside the organization, or cloud providers — because they have many spreadsheets with patient information.”
Just this year, an employee tried to share data and accidentally sent a spreadsheet containing patient data to the wrong recipient, he explained. The only way to eradicate that exposure is with the right technology: keeping the data encrypted in motion and at rest really does nail down the problem.
“The consequences of these incidents are obvious: fines, remediation, having auditors crawling all over the business,” said Bower. “The good news is that those exact scenarios can be eliminated by embracing new technology to predict when these scenarios may happen to users and give warnings that can avoid inappropriate sharing of information.”
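The two mechanisms Bower describes, automatic classification of outgoing content and a gateway policy that encrypts, warns or blocks based on the recipient rather than on a judgment call by the sender, can be sketched in a few dozen lines. The Python below is an added illustration written for this page; it is not code from the article, from Egress or from anyone quoted. The domain names, PHI regexes, edit-distance threshold and message format are constructed assumptions, and a production DLP engine would use far richer detectors.

```python
import re
from dataclasses import dataclass, field

# Constructed policy configuration (assumption: a real gateway loads this from policy).
INTERNAL_DOMAIN = "hospital.example"
PARTNER_DOMAINS = {"lab-partner.example", "payer.example"}

# Hypothetical PHI indicators. A production DLP engine uses far richer
# dictionaries and validation; these regexes only illustrate automatic tagging.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB\s*:?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}

# Actions ordered by severity; the policy only ever escalates.
ACTION_RANK = {"allow": 0, "encrypt": 1, "warn": 2, "block": 3}


@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    body: str
    attachments: dict[str, str] = field(default_factory=dict)  # name -> extracted text


def classify(msg: Message) -> dict[str, int]:
    """Tag the message by counting PHI indicators in subject, body and attachments.
    An empty dict means no indicator was found; the sender never has to decide."""
    text = "\n".join([msg.subject, msg.body, *msg.attachments.values()])
    hits = {name: len(pat.findall(text)) for name, pat in PHI_PATTERNS.items()}
    return {name: n for name, n in hits.items() if n}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a recipient domain one or two edits away from the
    internal domain is more likely a typo than a real partner."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def decide(msg: Message) -> dict:
    """Apply the sharing policy and return the label, the gateway action and the
    reasons the sender would be shown instead of being asked to judge the risk."""
    hits = classify(msg)
    if not hits:
        return {"label": "general", "action": "allow", "indicators": {}, "reasons": []}

    action, reasons = "allow", []

    def escalate(new: str, why: str) -> None:
        nonlocal action
        if ACTION_RANK[new] > ACTION_RANK[action]:
            action = new
        reasons.append(why)

    for rcpt in msg.recipients:
        dom = domain_of(rcpt)
        if dom == INTERNAL_DOMAIN:
            continue  # PHI may move inside the organization
        if edit_distance(dom, INTERNAL_DOMAIN) <= 2:
            escalate("block", f"{rcpt}: domain looks like a typo of {INTERNAL_DOMAIN}")
        elif dom in PARTNER_DOMAINS:
            escalate("encrypt", f"{rcpt}: known partner, encryption enforced")
        else:
            escalate("warn", f"{rcpt}: unknown external domain, sender must confirm")

    return {"label": "phi", "action": action, "indicators": hits, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample: a roster spreadsheet about to leave the organization
    # for a mistyped domain, the scenario described in the article.
    draft = Message(
        sender="nurse@hospital.example",
        recipients=["scheduler@hospita1.example"],
        subject="Tomorrow's roster",
        body="Attached as requested.",
        attachments={"roster.csv": "name,id\nJane Roe,MRN 44556677\n"},
    )
    print(decide(draft))
```

The design point is that the decision is derived from the tags and the recipient, not from the sender: an internal recipient gets the message, a known partner gets it encrypted, an unknown external domain triggers a warning the sender must acknowledge, and a look-alike of the organization's own domain is blocked outright. Pattern-based tagging will produce false positives on real mail, so the thresholds and indicator lists need tuning against the organization's own identifier formats.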
When sharing sensitive information, it’s important to educate the user on how to go about it in the most appropriate way, Bower explained. And it’s not just about compliance.
“It's also for making it easier for a business to engage: patients to engage with providers, and to share with counterparts and so on,” said Bower. “In today's environment that may be substantial in size — you have to think about enabling organizations to quickly and effectively collaborate on data without reverting to old styles of sharing, like discs.”
“Organizations need to be able to bring tools that enable very simple and seamless sharing — without making users make decisions themselves. It's a good best practice,” he continued. “What will it take to keep users from trying to solve this problem on their own and taking that risk?”
It boils down to empowering users with user-centric tools, he explained. “They can get on with business without increasing risk and obviously staying compliant.”
Those tools that bolster security around data sharing are also crucial to streamlining the data that proves an organization is meeting regulations, as they make it simple to report, with snapshots, where sensitive data has gone, who has accessed it, how it has been retracted and whether that access was appropriate, he explained.
“Organizations need to be able to share that information and bring it under one umbrella for compliance purposes,” Bower said. “It’s also a cost benefit, as organizations can avoid going to multiple places to collect that data, which can be disrupted.”
“If you can just click a button, it’s a huge win for the organization,” he added.
Employees are the first line of defense, explained David Finn, Executive Vice President of Strategic Innovation for CynergisTek. “But we’re not educating and training end users to take care of themselves, and expand that to patients.”
For example, one organization has their chief privacy officer hold a monthly call for patients, Finn noted. Patients can call in and ask questions about how security can be handled at home, how privacy can be protected and things of that nature. The patient doesn’t need to ask about the hospital to participate.
“Tech is tech, and we have to have it,” said Finn. “At the end of the day, security is a people issue. Use tools to see what they do and how they can improve and that includes patients. We need to build security, not into the technology, but people and processes.”
“It’s getting back to basics, by pushing the basics out further from the great continuum of data,” he added.