Protect your network! HIPAA isn't enough
At first glance, a look at the numbers from HIMSS Analytics' database would seem to offer some encouraging news about U.S. healthcare providers' privacy and security preparedness.
A survey of healthcare organizations nationwide finds that basic security technologies are pretty well-ensconced at most hospitals. Single sign-on authentication may still have some ground to make up – installed at 48.9 percent of providers, compared to 46.9 percent who don't have it – but it's gained a considerable foothold since 2009, when barely more than one quarter of facilities (26.3 percent) were making use of it.
[See also: Breach alert: Hackers swipe data of 4.5M]
As for other protections, such as firewalls and spam/spyware filters, majorities of hospitals have them in place: 89.3 percent and 85.2 percent, respectively.
Even encryption – which has long been underused in healthcare for such a relatively simple safeguard that's so commonplace in other industries – shows impressive, some might say surprising, uptake: 78.1 percent of hospitals use it, versus 20.5 percent who don't.
[See also: Privacy and security experts will share best practices Sept. 8-9]
That's as it should be, says Lisa Gallagher, vice president of technology solutions at HIMSS. Encryption, after all, "is really not that difficult to implement. So it should be implemented, and we've said that for years."
"It's a lot more user-friendly and seamless than before," adds Lee Kim, HIMSS' director of privacy and security. "As a result, it's being deployed more by providers. That's a positive trend."
So that's the good news. The bad? The breaches keep piling up, and the threats are multiplying, harder to get a handle on with every passing day.
As of June 30, more than 1,000 breaches affecting more than 500 patients each – nearly 32 million people in total – have been reported to the Department of Health & Human Services.
Some 7.1 million patient records were breached in 2013, according to the most recent annual Redspin Breach Report, published this past February – a 137.7 percent increase since 2012.
Worse, the threat seems only to be getting more multi-tentacled. Once thought merely to be a problem of snooping employees or hapless business associates, an increasing number of breaches nowadays are coming from hackers and other cybercriminals, as they wise up to the monetary value of electronic patient records.
Just after this story went to press for the September 2014 print issue, news broke of the massive attack aimed at 206-hospital Community Health Systems -- the second-largest HIPAA breach ever reported -- in which Chinese hackers, over the course of several months, "used highly sophisticated malware and technology" to gain access to 4.5 million patient records.
Hackers took advantage of the infamous OpenSSL "Heartbleed" vulnerability. It had been a widely publicized threat since its disclosure in April 2014, with a patched OpenSSL release and no shortage of tools to detect and protect against it; the fact that it was still exploitable at CHS months later left many security experts shaking their heads.
Writing in the New England Journal of Medicine recently, Eric Perakslis, executive director of Harvard Medical School's Center for Biomedical Informatics, pointed out that 72 percent of cyberattacks have been aimed at hospitals, group practices and other provider organizations.
Healthcare "is being aggressively and specifically targeted," he wrote.
Perakslis makes the case that an "active learning approach" – including real-time surveillance of emerging threats – is the right way to better prioritize protection strategies and prevention tactics.
"My biggest concern is that there are just so many more threats against our space," says Kim. "Hackers have been in the news, and all the various breeds of malware that have been cranked out, programs that can build customized malware to a specific target … the worry is that there are so many sources of threat intelligence that need to be scooped up from various sources."
Since "we can't just hermetically seal our information systems and computers and smartphones from the bad things that are trying to infiltrate them," she says, the best we can do is know as much as we can about what we're up against.
[See also: Massive data breach: Time for sports analogies?]
Not that it's easy, of course. It's "very, very trying" for healthcare organizations to vacuum up all the threat intelligence that's out there, "the best and freshest and most comprehensive," she says. "There is just so much out there. There needs to be a more systematic, easier way to do this."
Kim says providers are moving toward more of a "holistic, community-oriented approach" to threat intelligence. But still, constant vigilance at one's own organization, intimate knowledge of one's own network, is critical.
"You need to be on your toes, in terms of detecting what's going on with your network, knowing what's normal, knowing what's abnormal," she says.
Good staff is essential, she adds, key to "avoiding a situation where you have the best software and processes in the world that flag suspicious activity but there's a human on the other end that doesn't react quickly. That could spell disaster for millions of people through a data breach."
The tried-and-true principles of "people, process and technology" are the best defense, says Kim – even if the last of those three can be a huge help where the other two are hamstrung by humankind's essential fallibility.
Asked to point to some recent tactical success in this never-ending war against cyberthreats, Kim mentions some of the "managed security solutions that cloud providers are offering. There's a demand for more automation, because there's so many potential incidents and potential threats."
Technology can "fill the gap where humans fail," she says. For instance, were an absent-minded clinician to forward an email attachment with personal health information to their personal address, data loss prevention software might detect and prevent that.
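The DLP check Kim describes, as an added example that is not part of the original article: a rule-based scan of outbound mail that looks for PHI indicators in attachments only when a recipient is outside the organization's own domains. The domain list, the regular expressions and the sample messages are constructed for illustration; a commercial gateway would parse PDFs and Office files first and carry far richer detectors.

```python
import re
from dataclasses import dataclass

# Assumption: the organization's own mail domains; any other domain is external.
INTERNAL_DOMAINS = {"example-health.org"}

# Illustrative PHI indicators. Real products add many more (names plus diagnoses,
# ICD codes, validated SSN ranges); pattern matching alone misses PHI in free text.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
}

@dataclass
class OutboundMessage:
    sender: str
    recipients: list
    attachments: dict  # filename -> already-extracted text

@dataclass
class Finding:
    sender: str
    recipient: str
    attachment: str
    indicators: dict  # pattern name -> number of matches
    action: str       # "block" or "alert"

def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def scan_text(text):
    hits = {name: len(pat.findall(text)) for name, pat in PHI_PATTERNS.items()}
    return {name: n for name, n in hits.items() if n}

def evaluate(msg, block_at=1):
    """Flag attachments carrying PHI indicators that are addressed to external recipients.
    Internal-to-internal mail is not inspected here, so normal clinical workflow is
    untouched; only the boundary crossing triggers a decision."""
    findings = []
    external = [r for r in msg.recipients if is_external(r)]
    if not external:
        return findings
    for filename, text in msg.attachments.items():
        hits = scan_text(text)
        if not hits:
            continue
        action = "block" if sum(hits.values()) >= block_at else "alert"
        for rcpt in external:
            findings.append(Finding(msg.sender, rcpt, filename, hits, action))
    return findings

# Constructed sample traffic (not real messages or people).
NOTES = "Patient MRN: 00482913, DOB: 03/14/1962, SSN 123-45-6789. Follow-up in 2 weeks."
SAMPLE = [
    # the scenario from the article: clinician forwards notes to a personal webmail account
    OutboundMessage("clinician@example-health.org", ["clinician.home@gmail.com"], {"visit_notes.txt": NOTES}),
    # same notes sent to a colleague inside the organization: allowed
    OutboundMessage("clinician@example-health.org", ["nurse@example-health.org"], {"visit_notes.txt": NOTES}),
    # external mail with no PHI: allowed
    OutboundMessage("clinician@example-health.org", ["rep@example-vendor.com"], {"agenda.txt": "Demo at 10am, room 4."}),
]

def run_sample():
    return [f for msg in SAMPLE for f in evaluate(msg)]

if __name__ == "__main__":
    for f in run_sample():
        print(f.action.upper(), f.sender, "->", f.recipient, f.attachment, f.indicators)
```

Only the first message produces a finding, and it is blocked because three indicators match. The obvious gaps are the ones a practitioner should expect from any pattern-based DLP: PHI expressed as a name plus a diagnosis matches nothing here, and an encrypted or password-protected zip is opaque to the scanner, which is why such controls are paired with logging of the boundary crossing rather than relied on alone.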
Hosted security management that can conduct ongoing assessments and reporting can be a boon, says Kim.
"Providers are relying on it more because it's impossible for an ordinary organization to be that vigilant and proactive," she says. "We leave that to specialists – outsourced providers that offer these special services.
"You might not notice that your system has been compromised. You might notice that your system has slowed, but if you're not noticing that network traffic is going in large amounts to a certain IP address that it shouldn't, how would you ever know? It's like an invisible breach."
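What "noticing that network traffic is going in large amounts to a certain IP address" looks like in practice, as an added example not drawn from the article: per-host, per-destination daily egress totals are baselined over a week, and an observation day is checked for destinations that were never seen before or whose volume jumps far above their own history. The flow records, hosts and addresses are constructed; in a real deployment they would be aggregated from NetFlow, firewall or proxy logs.

```python
import statistics
from collections import defaultdict

MB = 1_000_000

# Constructed daily egress totals: (day, source_host, destination_ip, bytes_out).
FLOWS = [
    # db-01 -> offsite backup target, steady ~50 MB/day for a week (normal)
    *[(d, "db-01", "10.20.0.5", b * MB) for d, b in zip(range(1, 8), [50, 49, 51, 50, 52, 48, 50])],
    # ws-17 -> a SaaS provider, ~1 MB/day (normal)
    *[(d, "ws-17", "198.51.100.10", int(b * MB)) for d, b in zip(range(1, 8), [1.0, 1.2, 0.9, 1.1, 1.0, 1.3, 0.8])],
    # observation day 8
    (8, "db-01", "10.20.0.5", 52 * MB),        # within normal range
    (8, "db-01", "203.0.113.45", 900 * MB),    # destination never seen before, large transfer
    (8, "ws-17", "198.51.100.10", 400 * MB),   # known destination, volume spike
]

def daily_totals(flows):
    """Sum bytes per (host, destination, day)."""
    totals = defaultdict(int)
    for day, host, dst, nbytes in flows:
        totals[(host, dst, day)] += nbytes
    return totals

def detect_egress_anomalies(flows, baseline_days, observe_day, *, z_threshold=3.0,
                            min_bytes=10 * MB, new_dest_min_bytes=50 * MB, stdev_floor=1 * MB):
    """Return alerts for the observation day against a per-(host, destination) baseline.
    Days with no flow count as zero bytes; a floor on the standard deviation keeps a
    near-constant history from turning every small wobble into an alert."""
    totals = daily_totals(flows)
    pairs = {(host, dst) for (host, dst, _) in totals}
    alerts = []
    for host, dst in sorted(pairs):
        observed = totals.get((host, dst, observe_day), 0)
        if observed < min_bytes:          # ignore trickles; see the caveat below
            continue
        history = [totals.get((host, dst, day), 0) for day in baseline_days]
        if not any(history):
            if observed >= new_dest_min_bytes:
                alerts.append({"host": host, "dst": dst, "bytes": observed,
                               "reason": "new_destination"})
            continue
        mean = statistics.fmean(history)
        sd = max(statistics.pstdev(history), stdev_floor)
        z = (observed - mean) / sd
        if z >= z_threshold:
            alerts.append({"host": host, "dst": dst, "bytes": observed,
                           "reason": "volume_spike", "z": round(z, 1)})
    return alerts

if __name__ == "__main__":
    for a in detect_egress_anomalies(FLOWS, range(1, 8), 8):
        print(a)
```

Run against the sample, the backup job on db-01 stays quiet, the 900 MB to a never-seen address is reported as a new destination, and ws-17's jump from about 1 MB to 400 MB to its usual SaaS endpoint is reported as a spike. The caveat is the `min_bytes` gate: an attacker who exfiltrates slowly, spreads traffic across many destinations or tunnels it through DNS stays under this detector, so per-destination volume is complemented with per-host totals, destination reputation and protocol checks rather than used on its own.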
"We need to get better at detecting anomalies and detecting breaches," says Gallagher. "We just aren't very good at that."
Unfortunately, that's where we are today. Being secure requires constant vigilance and skill. Simply checking the boxes of a single risk assessment is nowhere near enough.
As Perakslis notes in NEJM, HIPAA privacy rules have "raised awareness of the importance of protecting personal health information and have provided a regulatory framework to encourage compliance -- but compliance does not necessarily translate into security."
"HIPAA requires you to do ongoing risk management," says Gallagher. "That's the core of the HIPAA security rule."
That's the right approach, she says. "Trying to set any minimal standards for security control would just be disastrous and not helpful."
So what does risk management mean? Gallagher likens it to a loop that needs to be closed: "Once you deal with the current breach and remediation, then you really need to go back and understand the threat and the threat motivator, and you need to factor those things into the adjustments you make to your controls. That would include contingency plans and resiliency as well."
"HIPAA does address the need for contingency plans, in case things go wrong," says Kim. "But it really doesn't spell out the whole complement of what I think most folks in the information security industry would generally think of to do when they try to plan."
When it comes to cyber security, "it's unfortunately a matter of time whether you have an incident," she says. "As to whether it breaches your system, that's another thing. That's why you need to keep on your toes."
All the compliance in the world "does not mean that at some point you won't have an attack and not have a breach," says Gallagher. "That's just the situation we're in with cybersecurity. It has nothing to do with HIPAA. It has to do with the changing threat factor."