December 2015

Cybersecurity: Locking the Vault
By Jack Plotkin
For The Record
Vol. 27 No. 12 P. 30

The nexus of medical information and data security has never been more pressing or relevant. For example, the data breaches at Anthem and the UCLA Health System alone compromised the health and personal information of millions of consumers. As health care organizations across the country scramble to update IT infrastructures and patch vulnerabilities, many are discovering that the challenge is remarkably complex and far-reaching.

A New Paradigm
Traditional HIT systems were designed and built in a world where the digital theft of EMRs was incredibly rare. For many years, electronic health information was decentralized across hundreds of disparate EMRs installed locally on tens of thousands of computers across thousands of medical offices. Many of these computers were not connected to the Internet. As a result, these systems represented air-gapped machines with proprietary formats and a limited universe of data across small subpopulations of patients. They were hard targets with limited upside for would-be attackers.

When the health data flowed from medical offices to health insurance companies, they were traditionally transmitted in the form of physical or faxed documents. Even when digitized, these documents resided on insurance company systems in the form of scans or images, making it incredibly time-consuming for cybercriminals to index, sort, and extract useful information from the datasets.

Over the last several years, the landscape of health care data has changed dramatically. Most medical offices have moved to a handful of market-leading EMRs; more than 90% of US hospitals use one of the 10 leading EMR solutions. Some EMRs, in turn, moved to the cloud, making it imperative that medical office computers be connected to the Internet, thus providing a source for consistent, broad-based datasets across large populations. At the same time, health insurance companies automated their processes through the use of such tools as electronic data interchange for medical service claims and created enormous enterprise data warehouses binding every bit of personal, demographic, and health data pertaining to all plan members.

A High-Value Target
These recent shifts in technology have dramatically enhanced the ability of health care providers and coordinators to improve care. However, they also have resulted in electronic health data being more centralized, more complete, more available, and more searchable than ever before, making the information significantly more vulnerable to cybersecurity threats.

Of course, vulnerability alone is not sufficient. For example, a lemonade stand is significantly more vulnerable to a physical attack than a bank. Yet robbers tend to target banks far more frequently than lemonade stands. It's the combination of vulnerability and value that makes health data such an attractive target.

In this context, what matters is not the data's value to the owner but rather to the thief. For example, an old family photograph can be precious to its owner but hold little value to a robber. As it turns out, health data hold enormous worth to potential thieves. Health data have direct monetary value in that they can be used in financial fraud involving insurance companies and lenders. Health data also have indirect monetary value in that they can be sold to criminal enterprises or semilegitimate organizations wishing to obtain leverage over individuals via their medical diagnoses and behavioral impairments. Finally, health data are persistent; unlike credit card numbers or bank accounts, they cannot simply be changed when a breach has been discovered.

Health care organizations must understand unequivocally that they are targets, and that if they don't implement cybersecurity best practices, it's a matter of when, not if, a breach will occur. Health care organizations also must understand that no set of policies and protocols is foolproof. Zero-day exploits, which represent never-before-diagnosed vulnerabilities, are discovered daily. Therefore, the practical goal is a best-practices level of cybersecurity.

A Smarter Approach
By way of illustration, consider an upscale neighborhood with five homes identical in every way except that four of the homes have nothing but door locks for security while the fifth supplements its door locks with an electric fence, motion sensors, guard dogs, cameras, and a state-of-the-art alarm system. When burglars visit the neighborhood, which home are they most likely to avoid? And if the criminals do target the fifth home, how likely are they to succeed?

The challenge in health care is that most organizations rely on a patchwork of legacy information systems and inconsistent security protocols. To properly address the cybersecurity challenge, health care organizations must take the following three-pronged approach:

• Accept that updating the infrastructure to support an appropriate level of security will carry a material and ongoing cost. Banks don't install vaults and state-of-the-art alarm systems because they are cheap; they install them because they are less costly than the alternative.

• Develop a consistent set of cybersecurity standards and a workable implementation plan that emphasizes near-term results. An attacker is not going to wait until mid-2017 for an organization to get its perfect cybersecurity plan into place.

• Be proactive about identifying and mitigating vulnerabilities. A moat with alligators may have worked great against axe-wielding foot soldiers, but it may be a bit less effective against gun-toting paratroopers. As attackers' offensive arsenals evolve, organizational cybersecurity defenses must evolve with them.

To achieve the first two steps, organizations must put in place the requisite expertise and financial backing to develop a comprehensive cybersecurity policy and a realistic implementation plan. At a minimum, the policy must address user access and audit trails, data management and encryption, electronic security and intrusion detection, physical security and credentials management, communications and incident reporting, business continuity and disaster recovery, personnel training and policy evolution, and security assessments for both internal and external applications. The implementation plan must be intelligently phased, properly resourced, and practically targeted in the context of the organization's existing infrastructure and constraints.

Following the establishment of a set of cybersecurity policies and protocols, health care organizations should strongly consider employing the services of a security firm with specific expertise in the areas of network security assessments and penetration testing. Such firms use both technical and social engineering to probe vulnerabilities and expose weaknesses. By shoring up defenses identified by such "fake" attacks, health care organizations can significantly improve their ability to thwart real attacks in the future.

The Bottom Line
Compared with physical records, electronic versions are far easier to transport, sell, and mine for information. Yet, the same organizations that keep paper medical records under lock and key in guarded offices with keycard entry and state-of-the-art alarm systems turn around and place their EMR into the cyber equivalent of a high school locker. The results are self-evident.

The paradigm shift needed in the industry is not about recognizing the problem—most organizations have had no choice but to recognize the importance of cybersecurity—but about properly addressing the threat. Those organizations that make the requisite level of investment today are all but guaranteed to reap significant benefits relative to their competitors in the not-too-distant future.

— Jack Plotkin is chief technology officer at Virtual Health.