Keep up with the latest on information governance as this key strategy emerges for addressing a myriad of information management challenges in healthcare. This blog will highlight the trends and opportunities IG presents for ensuring information is treated as an organizational asset.
By Seamus Hartmann, Sr. Systems Engineer, Symantec
The healthcare industry is a lucrative target for cyber criminals. Whether they sell stolen data on the black market, leverage stolen data for further attacks, steal victims’ identities, or find other ways of cashing in, the criminals are reaping significant returns while the organizations they attack are losing millions. And the losses are coming from both directions—the actual cost of losing information, as well as the fines imposed by governments through laws and regulations.
According to a recent study by the Ponemon Institute, in 2017 each stolen healthcare record cost the victim organization $380, surpassing the global average of $141 per record. Recently, the US Department of Health and Human Services fined Fresenius Medical Care Holdings, Inc., a supplier of medical equipment, $3.5 million for five separate data breaches that took place in 2012.
The financial impact, coupled with brand damage and loss of patients’ trust, should make healthcare organizations rethink how they are protecting their valuable data, particularly their electronic protected health information (ePHI). As technology environments become more complex with the proliferation of medical devices and the migration of health data to the cloud, organizations must ensure they’re protecting information at the data level. This will require investment and a focus on security at the business level, but a new study by Symantec and HIMSS Analytics revealed that while providers are starting to prioritize risk assessment, their security spend has remained flat for the last three years.
Organizations are beginning to see the true value of their information and as a result are working their way through the stages of an Information Governance (IG) program. Keeping the information private, protected and secured is a critical aspect of IG—especially as cyber threats continue to be on the rise. When building information protection programs, organizations should consider the following threats and vulnerabilities:
- Insider Theft: Insider threats come in several different types.
- Non-malicious employees who do not practice good cyber hygiene and therefore put the organization at risk.
- Malicious insiders who want to cause harm to the organization
- Compromised insiders whose accounts have been infiltrated by an external attacker that’s masquerading as the legitimate user.
Insider theft is committed by malicious insiders, employees or contractors who are on an organization’s network, have privileges to access valuable ePHI or other information that could be damaging if leaked, and want to cause harm. According to an analyst firm, Forrester, insiders are responsible for more than half of companies’ data breaches, which affirms the pervasiveness of the malicious insider problem.
- Careless mistakes: Non-malicious employees, who do not follow security policies nor adopt good overall cyber hygiene, fall into this category. A common example is the influence organizations’ best surgeons or researchers have over the organization. Oftentimes these leaders get leeway to do risky things that go against policy. For example, a surgeon may copy a patient’s file to a USB drive and hand it to a technician to put it on a screen for a meeting. However, that technician is not authorized to access that kind of information. While the behavior is innocent (the surgeon is just trying to do his job), it could lead to a data leak or at a minimum is a policy violation. People with leeway tend to skirt policies, which can cause an unintended breach.
- Oversharing: Many people overshare on cloud applications. For example, users will put sensitive data on Dropbox or Box, giving access to many different employees. What if one of those employees accidentally made the data public? They could accidentally create a public-facing link. Or, what if they shared the data with someone externally who is not authorized to see it? Oversharing on cloud applications is an easy yet easily avoidable way of getting breached.
- Phishing: Spear phishing and phishing are the most common cyberattack methods I have seen successfully hit healthcare organizations. Phishing is when a bad actor, who’s typically on the outside, sends an email to groups of people within an organization, persuading them to click on a malicious link or open a malicious attachment. Once they do, their computers are infected with malware giving the criminal(s) access to everything on that machine and the organization’s network—for example, that may include installing ransomware. Spear phishing is more targeted. Healthcare organizations are typically concerned about being sued, so general counsels are a common target of spear phishers. Criminals may follow them for months, learning who they typically speak to, what information they access, their daily agendas, etc. They then pose as someone who the victim chats with regularly, sending them an email with a link requesting that the victim clicks on it. Again, the link is malicious, and the victim’s machine is infected.
- Third party vendor risk: Healthcare organizations, particularly hospitals, oftentimes move data between multiple locations. If a patient needs to transfer from one hospital to another, their personal file must move, too. Third party vendors may oversee making that transfer, or the data could be sent through an email account that’s run by a vendor. Not only is it tough to get full visibility into how third party vendors are securing their customers’ sensitive data, but it’s also easy to slip up and accidentally send private data to a contractor that’s not authorized to get it. For organizations that work with thousands of vendors at once, this issue is highly possible.
- Employee error: Like the example above, an employee may pick up a file with sensitive data on it, and put it in the wrong mailbox, or hand it to the wrong person. A patient may spell their name “Hartman” with one “n,” while another patient at that same office spells their name “Hartmann” with two “n’s”. It’s easy to get the files mixed up if an employee is not paying full attention. All it takes is just one patient file to accidentally end up in the wrong hands for it to potentially be considered a data breach.
All of these threats and vulnerabilities significantly elevate the risk of a cyber breach or attack. So, what should organizations be doing to prevent them from happening?
- Appoint a cyber leader: Most successful information protection programs have someone who is solely dedicated to lead them. The person should understand the risk appetite of the organization and build their security programs based on acceptable and unacceptable risk.
- Use analytics: Many healthcare organizations struggle with limited resources and cyber expertise. Analytics enables organizations to make the most out of those limited resources. For example, user and entity behavior analytics (UEBA) integrated with existing tools like Data Loss Prevention (DLP), enables organizations to detect, prioritize, and mitigate the insider and external threats that, if successful, would cause the most harm to the business. With analytics, cyber teams are not overwhelmed by an avalanche of alerts and understand which actions they need to take each day to reduce risk the most.
- Create strong policies and procedures: Organizations should implement cyber policies and conduct regular security awareness training so that employees remain cognizant of what they can and cannot do from a security perspective. Training should be concise and focused. For example, let’s say a DLP tool alerted analysts to an employee who continuously sends ePHI to their home email address, so they can work from home. Immediately after violating the policy, that person should be required to attend a short (about 10 minutes) training about how they violated the policy, why it’s risky, and what they should do instead.
- Implement a single place to store a chain of evidence: Organizations need cyber tools that store events so that if a person is under investigation for potentially causing a data breach, there is a chain of evidence to back up the accusations. DLP tools store information in a way that is unalterable so it’s admissible as evidence in a court of law.
- Cloud security is key: Cloud migration has taken organizations by storm. In fact, the Symantec and HIMSS Analytics study found that three of four providers are already using the cloud in some way, but the majority (71 percent) of respondents are unsure of the cloud and how to secure it. Organizations should implement technology that enables them to see when data goes into the cloud and take action if the data is not supposed to be there. UEBA should also be extended to cloud endpoints so organizations can see how people are interacting with data in the cloud and if any actions are abnormal and dangerous.
- Use multi-factor authentication for administrative tasks and remote access: Two-factor authentication is not a required mandate for healthcare organizations so many don’t use it. However, for some roles, such as remote workers and vendors, and employees performing administrative tasks, that’s a mistake. Multi-factor authentication, which is even better than two-factor, allows companies to make sure that the person reading a document is the person who is supposed to read it, and is especially beneficial for high-privileged users like system administrators. Integrating multi-factor authentication with encryption, DLP, and UEBA strengthens security even more.
- Tag data: Classifying data is an essential part of good cyber security. Organizations need to understand which data is the most sensitive and put the tightest controls around that data. For example, ePHI should be classified as “Classified” so that security tools like DLP can flag and block when that data is leaving the organization.
The healthcare industry will continue to face varied cyber threats that grow in sophistication and volume. Providers can’t afford—either financially or from a patient safety standpoint—to not take an aggressive and proactive action to protect their systems and data. The privacy and security of all enterprise-wide information falls under the overall “IG umbrella” and is necessary to reduce risks and avoid future cyberattacks. Fortunately, organizations can make big strides in improving their security postures by taking the steps outlined above to mitigate their risk.