I. NAVIGATING HEALTHCARE SECURITY CHALLENGES
The Complex Regulatory Environment
Securing healthcare environments presents immense challenges, especially in the United States, where healthcare is among the most highly regulated industries. From HIPAA to Medicare/Medicaid requirements, the list of statutes healthcare organizations must comply with is extensive and continually growing.
Some of the key regulations include HIPAA, HITECH, the Emergency Medical Treatment and Labor Act, the False Claims Act, Stark Law, OSHA standards, nuclear medicine regulations, and ethics requirements stemming from the Affordable Care Act. Further complicating matters are payment card processing mandates under PCI DSS.
With new regulations added regularly, simply maintaining compliance across this complex web strains resources for healthcare organizations. The scope and interdependencies make it extremely difficult to remain fully compliant at all times.
Protecting Regulated Data
In specific industries, regulations call out data that must be protected. That’s typically referred to as “regulated data.” Compared to industries such as manufacturing and banking, healthcare environments have a much higher volume of regulated data. Intuitively that makes sense because hospitals have millions of patients, and for each patient they may have complete profiles including name, address, contact information, social security number, driver’s license number, treatment and diagnosis information about their health and even financial information used to pay for services.
Aside from the sheer volume of data, healthcare environments have a large percentage of their workforce with access to sensitive information. This is driven by the fact that both patients and hospital workers (doctors, nurses, medical assistants, registration clerks, etc.) are transient – patients come in as needed, and staff may be working shifts 24 hours/day, or working across different locations on different days. You never know what patient will show up in the emergency room on any given day, and you never know exactly which doctors, nurses and support staff will be working at that time, so access to medical records is purposely broad to avoid any delays in patient care. These three items together – large volume of regulated data, large percentage of workers with access to regulated data, and purposefully broad access to patient data – make it difficult to manage the privacy and security of patient records.
According to the American Hospital Association, the vast majority of hospitals across the U.S. are community hospitals, and of those, over 58% of them are not-for-profit. As a not-for-profit health system, your mission is to provide the best medical services to your community. Not-for-profit health systems tend to operate on very low margins, and where large capital investment is needed, it makes sense that those funds are directed toward medical capabilities such as new urgent care facilities, new MRI or CT machines, and other services that directly tie to improving health outcomes in the community. Though not always the case, organizations often retain core technology as long as it maintains compliance and has useful life, and may not fully comprehend the increases in support cost and security risk associated with running systems past their vendor-supported life span. Funding for improvements in information technology and security can require extensive business case development and sometimes difficult conversations with executive leadership.
With budget constraints and security teams purposefully lean, finding and retaining strong talent becomes even more necessary in healthcare. Salaries at hospitals and health systems are lower than other industries, and tools which are used to retain good talent such as educational reimbursement and training, are the first items on the chopping block when budget cuts are necessary.
Delays in hiring and training new security staff can increase risk for the organization. Lean staffing forces strict prioritization of critical tasks, and organizations tend to raise their risk appetite to match the technologies and support staff they actually have. Though organizations must always remain compliant, healthcare organizations with limited staff are more likely to deviate from well-established control practices and implement less optimal controls that take less manual effort.
In 2023, technological advancements are moving at lightning speed, and it’s a challenge for any organization to maintain their staff competency in emerging technologies. Lean staffing models can exacerbate this situation, so training, education and retention are even more critical. Organizations operating with lean security staffing must work hard to retain funding necessary for staff competency training, and work with human resources on talent retention activities to reduce potential risk related to staff turnover.
II. ENABLERS TO EFFECTIVE SECURITY FOR IT TEAMS
Enablers to Effective Healthcare Security
At every organization, there are core security program capabilities necessary to maintain effective information security. Healthcare environments have similar needs to other industries, but have unique aspects specific to the challenges of patient care.
As they say, you can only protect what you know about. To adequately protect an environment, security teams need strong visibility to everything in the environment. In healthcare, that not only means all the users and computers in the environment, but also anything that happens to be on the network or providing services, including medical devices, patient monitoring devices, critical cloud systems or hosting platforms, credit card processing devices and the like. Good visibility also requires accurate inventories of both systems and software in order to recognize and address unapproved devices and software.
Data Inventory and Data Flows
Adequately protecting sensitive data and maintaining the privacy of patient data requires maintaining an accurate inventory of patient data. To maintain an accurate inventory, data flows must be documented to understand what data is coming into, and out of, the organization, and where that data is being stored. Hospitals send and receive large amounts of data every day as they work with healthcare insurance providers, clinical and IT service providers, state health departments, health information exchanges, laboratories, other hospitals, etc. HIPAA prohibits unauthorized access to patient records, and security and privacy teams need to understand where sensitive patient data is stored so that access can be appropriately monitored.
Vulnerability Identification and Patch Management
Arguably one of the most important aspects of a strong security program is the set of processes surrounding vulnerability identification and patch management. Systems must be routinely scanned for configuration compliance, misconfigurations, and software vulnerabilities so that an organization can be adequately prepared for potential cyber-attacks. In a healthcare environment, this can be challenging because cloud tools may differ from on-premise tools, and some devices in the environment (such as medical devices) are managed by third parties. As mentioned earlier, legacy devices can also be a challenge when software cannot be upgraded or removed from the environment due to its clinical criticality.
Identity and Access Control (users, systems, APIs, etc.)
Echoing the HIPAA requirement prohibiting unauthorized access to patient information, identity management and access control are foundational elements in maintaining appropriate permissions across the organization. Strong verification processes, multi-factor authentication, expiration dates on accounts, and regular access reviews are all critical elements of good identity and access control practices. In healthcare, however, inappropriate access cannot be determined by permissions alone. Access tends to be very broad, so monitoring activities need to be in place to verify that workforce members are not accessing patient records they do not have a business reason to access. Even though a worker may have permission to access specific patient records, that does not mean they have a legitimate business reason to do so, and accessing records inappropriately can lead to employment or contract termination, and potentially criminal prosecution.
Known and Anomaly-Based Threat Detection
Attack detection has been a need for as long as security has been a discipline. In roughly the past five years, machine-learning-based attack detection has surpassed what human analysts can do unaided, and the statistical methods behind modern security software are rooted in anomaly detection. Security tools still need to identify specific malware, but their true power lies in detecting anomalous behavior, which can then be triaged automatically or manually to determine whether a significant threat exists.
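The two monitoring needs described above, a known-pattern check for permitted access with no business reason behind it and an anomaly-based check on access volume, can be illustrated over an EHR access audit log. This is an added example, not code from the original paper or from Blumira; the log lines, care-team table and per-user history are constructed, and the field layout is an assumption.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed EHR audit-log lines (CSV: time,user,patient_id); not real data.
ACCESS_LOG = """\
2023-05-01T08:02,dr_lee,P1001
2023-05-01T08:10,dr_lee,P1002
2023-05-01T09:15,nurse_kim,P1001
2023-05-01T10:00,clerk_ray,P2002
2023-05-01T22:30,clerk_ray,P3001
2023-05-01T22:31,clerk_ray,P3002
2023-05-01T22:32,clerk_ray,P3003
2023-05-01T22:33,clerk_ray,P3004
"""
# Constructed care-team table: users with a documented treatment or business
# relationship to each patient; stands in for the "business reason" check.
CARE_TEAM = {"P1001": {"dr_lee", "nurse_kim"}, "P1002": {"dr_lee"},
             "P2002": {"clerk_ray"}, "P3001": {"dr_patel"}, "P3002": {"dr_patel"},
             "P3003": {"dr_patel"}, "P3004": {"dr_patel"}}
# Constructed history: records each user opened on each of the prior days.
DAILY_BASELINE = {"dr_lee": [2, 3, 2, 4], "nurse_kim": [3, 2, 2, 3],
                  "clerk_ray": [2, 2, 3, 2]}

def parse_log(text):
    """Turn the CSV audit log into (time, user, patient_id) tuples."""
    return [tuple(line.split(",")) for line in text.strip().splitlines()]

def no_business_reason(events, care_team):
    """Known-pattern check: access the system permitted, but with no
    documented relationship between the user and the patient."""
    return [(t, u, p) for t, u, p in events if u not in care_team.get(p, set())]

def volume_anomalies(events, baseline, z_limit=3.0):
    """Anomaly check: a user's daily record count far above their own history."""
    today = Counter(u for _, u, _ in events)
    flagged = {}
    for user, n in today.items():
        hist = baseline.get(user, [])
        if len(hist) < 3:            # too little history to judge
            continue
        sd = max(pstdev(hist), 0.5)  # floor avoids dividing by ~0 on flat history
        z = (n - mean(hist)) / sd
        if z > z_limit:
            flagged[user] = round(z, 1)
    return flagged

if __name__ == "__main__":
    events = parse_log(ACCESS_LOG)
    print(no_business_reason(events, CARE_TEAM))  # clerk_ray on the P3xxx patients
    print(volume_anomalies(events, DAILY_BASELINE))
```

Both checks fire on the same user here, which is the kind of overlap a triage analyst would want surfaced together rather than as separate alerts.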
Detection and Response Processes
Detecting and responding to attacks is a critical function for security teams. Criminals are intelligent so they will apply techniques and tactics to evade detection, or will attack during nights and weekends to maximize their time before detection. Most security teams don’t have the luxury of staffing teams 24x7x365 so there is a time lapse where systems are not actively monitored by staff. Because of this, systems that can monitor and alert to potential incident activity 24x7x365 are critical to cover the time gap when staff are not actively working.
In terms of responding to potential incident activity, organizations need processes that are tried and true and not ad-hoc or based on gut instinct. During an incident stress levels are high, and without strong process documentation, people revert to their instincts which may or may not lead to the desired end result. You never want to leave incident response to chance, so it’s important to have well documented processes and where possible, step-by-step instructions to help staff respond to incidents.
Equally important is to have an educated workforce who are aware of the dominant types of attacks used today. Users should be trained in identifying suspicious activity, identifying phishing emails, practicing good security, and quickly contacting the help desk or security team when they suspect a potential security incident. Aside from end user awareness, the security team also needs to be educated. Security teams need to stay abreast of industry threats as well as best practices in applying security controls to reduce risk, and they need to be educated in the tools necessary to manage and monitor organizational assets, whether they are on premise, in the cloud, or in someone’s home. Security staff need continuous education to adapt to technological change and the change in attack methods used by cyber criminals.
Another challenge in healthcare is the number of third parties used to deliver services, and the sensitivity of the data they can access. Health systems may leverage third-party physician or anesthesia staff, third-party software providers, third-party coding and billing providers, third-party medical device manufacturers, third-party ambulance services and many, many others. A large number of these service providers have access to, and even maintain, patient information on behalf of the health system. Healthcare organizations need strong processes to engage, evaluate, implement, and monitor services provided by third parties to ensure appropriate security controls are being leveraged to manage risk to an acceptable level for the organization.
Engage Outside the Security Department
With lean teams and tight budgets, healthcare security teams need to be creative in reducing security risk for the organization. One way to do that is by engaging “security champions” in the different areas of the business. Every department likely has one or more staff who are keen on technology or security and can provide value as a distributed supporter for the security team. These department champions can help in explaining security risks and concepts, can help implement those changes across different groups, and can improve adoption with their security advocacy. Often, these champions improve incident response time as they know business applications better than the security team. In essence, these department champions become part of an extended security team and provide additional manpower for the information security program.
IV. ENABLERS TO DEMONSTRATING COMPLIANCE
Maintaining a compliant security program in the healthcare industry can be complex, but demonstrating that compliance to external auditors or government regulators can demand a significant amount of time – putting additional pressure on an already lean team. Through Blumira’s comprehensive reporting platform, evidence can be provided to demonstrate compliance with multiple requirements, thus reducing the administrative burden on security staff. This allows healthcare staff to focus their attention on higher-value risk reduction activities for the organization.
Blumira’s security platform supports many administrative, physical and technical safeguards contained in the HIPAA Omnibus rule (45 CFR Parts 160, 162, and 164). The table below describes how Blumira supports specific HIPAA controls for healthcare organizations.
As you can see, having tools that provide consolidation, orchestration, and strong reporting can make a significant impact on the effectiveness of an information security program, especially for those in healthcare. The right security platforms can save time, money, provide 24×7 coverage and increase the overall resiliency and information assurance of the organization.
For more information on how Blumira helps healthcare organizations with security and compliance, we encourage you to visit blumira.com/industry/healthcare. Blumira’s Free edition is available for unlimited users and data, no additional licenses required. For more information and to sign up free for Blumira’s self-service cloud SIEM, visit www.blumira.com/free.