Michael Rothschild | SafeNet
Whether you go to see your physician for a routine physical, or end up in the emergency room, many of your rights as a patient are quickly usurped. Your clothes are taken and you are given a gown that leaves little in the way of dignity. You entrust your care and indeed sometimes your life, to the EMTs, nurses and doctors that help chart your course in the chain of care.
There is however, something else rather substantial most people voluntarily give up often without thinking twice, and that is identity. I am not suggesting that we obtain a new persona. Rather before care is rendered, we surrender our personally identifiable information (PII) including our name, DOB, address, social security information (SSI), healthcare insurance information, medical history and much more. Along with this handover, we immediately are asked to sign HIPAA waivers so our information can be freely shared for treatment, billing, reporting and appropriate follow up. We hope that the clinic, doctor’s office, ambulance, hospital or other facility guards our identities, but are we ever really sure? In these waivers, we essentially sign our identities over to doctors, healthcare systems, insurance companies, postsecondary care facilities, the companies that supply our medicines and others; the full extent of which we may never really know—until our identity is stolen, our healthcare information is released and by then the damage is done.
The Security Factor
Whether we want to admit it or not, not all of society has the best of intentions. There are those that look to profit from nefarious activity including leveraging stolen credentials or reselling them on the black market. Healthcare records are of particular interest because for every record stolen, it can be sold three times; once for credit, once for identity, and once for health insurance information. If we had to rank the value of compromised records, healthcare information would rank high on the food chain and is extremely valuable to the hacker who has made a business from his illegal behavior. We entrust our records to the litany of healthcare professionals that are tasked to heal us. Are these healthcare professionals equally adept at protecting our records from the cyber criminals looking to take advantage of our records which are there for the taking?
The Compliance Factor
The Healthcare Insurance Portability and Accountability Act (HIPAA often erroneously termed HIPPA) was enacted in 1996 and was first architected to regulate certain elements of health insurance. Since then, additional compliance elements were added including privacy regulations, EDI, security rules, and much more. Much like the misspelled mnemonic, HIPAA is ill understood by the average health professional often citing copay regulations, billing practices and even the wait times in the office because of HIPAA regulations. There are many other regulations that also are relevant to healthcare organizations including for example PCI if the facility accepts credit cards as payment. Even experts have difficulties in navigating the maze of rules to gain 100% compliance of all regulations that may be relevant to the organization. Under the best of circumstances, can we expect doctors, nurses, allied health professional and your average employee at a pharmaceutical company to be fully cognizant and maintain full compliance in all areas while trying to treat a patient where life and death may be at stake?
Both the security and compliance landscape is constantly evolving. New hacking methods, social engineering and nefarious activity are constantly being released into the wild. Compliance regulations continue to be rolled out and interpretations based on the healthcare operating model also change over time. If we look back over the past 5-7 years, the healthcare operating environment has changed rather substantially. The distributed infrastructure of anything from private practice to a major hospital system has become spread over large geographic areas. With electronic medical records (EMR) initiatives, patient charts are digitized and usually sitting in the cloud. A large amount of users touch these records including doctors, nurses, therapists, residents, EMTs, billers, dieticians and more. Is it no wonder that more users, in more locations, accessing cloud based applications from a variety of managed and unmanaged endpoints have created more potential security and compliance issues than ever before.
It would be foolish and impractical to think that healthcare professionals would be able on their own to learn, become proficient in, and uphold all security and compliance directives which are highly dynamic; and at the same time continue on with their “day job”. The real question we need to ask is how we maintain security and compliance in today’s healthcare and healthcare-related organizations.
Resetting Your Mindset
The professionals tasked with upholding the security and compliance of organizationsare tasked with “figuring it out”. The good news is that with the right approach and right tools, the task does not have to be monumental or virtually impossible; and the first step is to consider your approach to security and compliance. Ask your colleagues at other organizations (hospitals, doctors offices, biotech and pharma companies) if they have been breached to date. If they are honest, greater than 50% have. The remaining percent are either lying, didn’t know about the breach, or will be breached because it is only a matter of time. Understanding that a breach will happen at some point even to the most secure and compliant organizations, is called breach acceptance. Your job is to “secure the breach”. This is a major change in mindset because in the past we secured the network perimeter; essentially keeping the bad guys on the outside and the good guys on our side of the wall. This scenario is no longer a possibility because with a distributed environment and a heterogeneous user environment accessing more cloud-based applications from more endpoint devices, it is impossible to secure the perimeter because the perimeter no longer exists. Your mindset will shift from protecting an attack vector (the perimeter) to protecting the target (the data).
Empower Those That Treat
There are several key steps you can take to make sure full security and compliance happens while allowing healthcare professionals to render care each within their defined role.
- Encrypt Data: Data is the target for all would be hackers. Those criminals may come from the outside or even be your own personnel. By encrypting the data, even if there is a breach or potential compliance violation, the data captured is useless to anyone lacking the appropriate credentials.
- Differentiate Access: Because so many different entities are accessing patient data, ensure that authorized personnel get access ONLY to the parts of the patient chart that they need to do their job. There should be few, if any, instances where someone has access to a complete chart. Access should be granular in nature and should be locked down through a strong, multi-factor authentication system which may include passwords, tokens, biometrics or other combinations. Management of keys should be managed in house for complete visibility and control across the entire distributed network.
- Lock Down Wireless Access: In most facilities wireless networks are necessary for the fast transmission of critical data. A quick network scan may show that a network that is not locked down, or perhaps that an unauthorized network has been set up by an employee at his or her workstation. A careful audit of these networks and access points should take place to ensure that only authorized personnel are on the network, and that the networks that are open are intended to be that way. On the open networks, Chinese wall separation is essential so no unauthorized personnel can go through them to gain access to information that is not intended for their use.
- Endpoint Compliance: Whether it is a toughbook in the ambulance, a doctor’s tablet, a wireless registration console or your engineering team’s laptops, every endpoint is a potential portal to the inner sanctum of your network. By employing basic security standards such as password protection, remote wipe, identity tagging, and firewall/AV compliance, you significantly reduce the chances of rogue devices or compromised devices from doing significant damage.
- Education is Power: Last but not least education of our personnel is essential. It’s often the case that the insider threat is accidental. Either they failed to follow procedure or were not equipped or trained to follow proper safety standards. Documented data breaches have resulted from simple mistakes such as emailing confidential information to another party, leaving a device in an unsecure location, saving data to an external drive, or failing to recognize a social engineering attack.
The healthcare industry has certainly benefitted from the mainstream adoption of technology; but it is not without risk. Employing the right tools can ensure security and compliance without the pain of implementation or pain that you many have experienced in the past. Speaking of pain….about that flu shot….