Thought Leader Q&A: Can Health Care Trust Its Security Practices?
By Lee DeOrio
For The Record
Vol. 29 No. 6 P. 10
What's a day in health care without news of another data breach? The crimes run the gamut from ransomware and medical identity theft to inadvertent exposures and plain old snooping. In all likelihood, it's going to take a concerted effort by all facets of the industry to keep data relatively safe and consumer confidence high.
To learn more about the situation and what can be done to help thwart nefarious behavior, For The Record (FTR) spoke with Saryu Nayyar, CEO of Gurucul, a provider of identity-based threat intelligence technology. Nayyar is a recognized expert in information security, identity and access management, and security risk management who, prior to establishing Gurucul, held leadership roles in product strategy at Oracle and Sun Microsystems. She also spent several years in senior positions at the IT security practice of Ernst & Young.
FTR: Is there a shortage of cyber security professionals? If so, where do health care organizations find qualified talent?
SN: Yes, there is a documented shortage of cyber security professionals; however, more people is not always the right answer—primarily because many health care security challenges cannot be addressed using manual approaches—for example, monitoring for unauthorized access and use of EMRs, a HIPAA requirement, by external attackers or malicious insiders. The sheer volume of access transactions makes manual security assessments impossible. Innovations like machine learning and security analytics can automate risk detection to reduce human workloads. Using new technologies that allow fewer security professionals to focus on high-risk incidents that require human investigation is a more realistic approach to the shortage of qualified experts.
FTR: When it comes to defending data, how can health care organizations help each other?
SN: Peer group sharing of suspicious activity and threats is a very effective way to detect emerging attacks, like ransomware, that are targeting health care organizations. In addition, information sharing through organizations like the National Health Information Sharing & Analysis Center [NH-ISAC] (www.nhisac.org) is an excellent way to learn industry best practices, including new approaches and mitigation strategies being implemented by early adopters.
FTR: Are attacks mostly preventable?
SN: If attacks were easy to prevent, then we would not see dwell times for undetected security breaches averaging over 229 days and a continuous flow of data theft incidents in the headlines. Achieving acceptable levels of prevention and detection has become even more difficult as network perimeters fade due to cloud and mobile computing, and attacks evade preventive defenses based on signatures, patterns, and rules. Health care IT environments are increasingly fragmented, with users, applications, and data being spread across many devices, locations, and networks.
People are not infallible. They will make mistakes, click on an attachment they shouldn't, or have their password stolen, or be phished, allowing for entry into the network. However, techniques like risk-based authentication and risk-based assessment of data transfers that use analytics can predict, prevent, deter, and detect attacks.
FTR: Is it possible to stay one step ahead of hackers?
SN: One way to stay ahead of attackers is to reduce the attack surface they can target and compromise, and use analytics for real-time monitoring of behaviors to detect anomalies. This includes traditional practices like vulnerability assessment and patching flaws in software, endpoints, and servers.
Recently, a new approach has emerged that focuses on protecting identities using machine-learning techniques. The idea is to remove excess access privileges to reduce the surface area that is open to phishing and social engineering attacks that are often used to hijack accounts and get a toehold inside a health care network. In some cases, machine learning models can be used to risk score entitlements and activity in order to detect privileged access or anomalous use of access that may be unnecessary and should be revoked. Cleaning up access is a proactive way to stay one step ahead of hackers combined with continuous monitoring of anomalous activity.
FTR: How do hackers decide which facilities to attack?
SN: It depends on the nature of the attacker and their goals. In the case of financial attacks, like ransomware, organizations in a specific industry like health care are targeted through phishing e-mails and other social engineering techniques. More targeted attacks can occur if a specific organization is the intended victim. In this case, the attacker may perform reconnaissance over days, weeks, or months to identify weaknesses within the IT infrastructure that can be exploited to compromise the network security perimeter or flaws in external-facing web applications that can be used to steal data from the outside.
FTR: Is technology or people the best defense?
SN: The answer is a combination of people, process, and technology. A good analogy is the smartphone, which uses maps and GPS data to help the user avoid congestion and accidents, voice recognition, and alerts of many kinds. Human decision making is being assisted by smarter, frictionless technology that is improving in intelligence year over year. Security is just starting on this journey and in many ways is behind other disciplines in the use of machine learning and analytics.
FTR: What's your advice to organizations that become victims of ransomware?
SN: In a perfect world with an adequate IT budget, frequent data backups protected from external access are the best protection. However, once an organization has been compromised by ransomware, the cost to reproduce the data vs the cost of paying the ransom becomes a business risk decision. Every situation is unique, and the decision to pay the ransom depends on many variables. The company should have a plan in place to keep operations running while responding to a ransomware attack. They should also have a plan in place, before an attack, on how they will respond to customers and the press.
FTR: What can health care learn from other industries?
SN: For years, financial organizations have been prime targets for hackers due to the fact that a successful data breach can be easily monetized. However, health care data have now become even more valuable for committing financially motivated attacks. The precursor to NH-ISAC was the Financial Services Information Sharing & Analysis Center [FS-ISAC] (www.fsisac.com). FS-ISAC pioneered the use of virtually all the common security measures and best practices available today. Assuming that they are constantly under attack, like financial services organizations, is a good lesson for health care to learn from and act upon.
FTR: How does the industry allay patient fears that data are extremely vulnerable?
SN: Health care organizations in the United States were mandated to move to EHRs, yet little thought was given to implementing appropriate data protection and access management measures. The only way to allay patient concerns over data vulnerability is to stem the tide of data breaches and disclosures. Investing in new technologies that use machine learning and analytics to accomplish what humans cannot, and information sharing, are two steps in the right direction.
Attackers have been using tools, automation, and collaboration to stay one step ahead of security measures for years; health care must do the same. Being able to predict, detect, and prevent attacks earlier will help mitigate fears. No business or CEO wants to be featured in the press due to a major theft of data.
— Lee DeOrio is editor of For The Record.