June 2017

HIT Happenings: How to Adopt a Security Culture
By Lance Hayden, PhD
For The Record
Vol. 29 No. 6 P. 30

If you're reading this, you're vulnerable. Each and every person's digital life has security vulnerabilities, and the same applies to organizations across all industries. For health systems and hospitals, computers hold a massive amount of personal data that providers and clinicians pull from to improve care in new, exciting ways. Unfortunately for health care, protected health information (PHI) is valuable on the black market, meaning that cyber threats are a constant, ongoing event for hospitals, health systems, and providers alike.

Health systems and other health care organizations are a prime target for cybercriminals, which means security must be a critical priority. By adopting a culture of security that starts with a proper, thorough security risk assessment, health systems can push an organizational transformation that prioritizes protecting patient data by closing many of the vulnerabilities cybercriminals exploit in their tireless effort to break defenses and find a way into computer systems.

The First Step
It's worth repeating: Every organization has security vulnerabilities. It may be a sobering thought, but the fact is no security program can eliminate all vulnerabilities, especially considering that new ones emerge every day. A security program starts with managing vulnerabilities, including properly assessing the risk of each. It's a game of numbers, wherein the impossibility of a perfect defense means a risk assessment must prioritize imperfections based on the threat they pose. That being the case, when conducting a security risk assessment, the first question should be: "What are the consequences should someone take advantage of this?"

The subjectivity of this equation makes security risk assessment as much of an art as it is a science, which is why it's important to understand what's most vital for your organization to protect. For health care, that means patient data stored in EHR systems. Losing these data not only carries with it HIPAA fines and public shaming from Health and Human Services but also exposes the lives of patients in a way that can be criminally leveraged to steal their identity and exploit them financially.

As such, a risk assessment should look to vulnerabilities that can lead to PHI being compromised, stolen, or hijacked and held for ransom. Prioritize those vulnerabilities based on how likely they are to be exploited and what cybercriminals may gain should they access EHR data. Furthermore, health care organizations must ensure they're fixing vulnerabilities that have an available remedy.

Vulnerabilities: Not Beyond Your Control
Vulnerabilities are all of the weaknesses that can be exploited by a threat actor. They are everywhere; there are probably a plethora of vulnerabilities embedded right now in software just waiting to be found. The good news is, in every case, organizations have more control over vulnerabilities than threats.

Cybersecurity is often discussed as a challenge of people, process, and technology. Vulnerabilities can exist in all three, spread out over what security experts call the "attack surface" of an organization—or all of the ways an attacker may attempt to steal protected data. Unfortunately, security has historically prioritized technology vulnerabilities over those created through people and processes. However, as threat actors take advantage of problems created by the latter two, this is changing.

The "2015 Verizon Data Breach Investigations Report" found that 70% of attackers succeeded in taking advantage of a known vulnerability where a solution or a patch was readily available from a vendor. In some cases, the vulnerabilities in question were more than a decade old, with patches ready and waiting to be installed to fix a potential exploit.

Health care is notoriously behind the curve in terms of technology adoption. In the not-so-distant past, many hospitals still operated with paper procedures. At present, it's still not unusual to find environments running on Windows XP, with tech teams concerned about the care disruptions that upgrading software could potentially cause. For patches and fixes, the same holds true—they often aren't installed due to a fear of disrupting care processes.

It's at this point that the lines between the vulnerabilities in technology, processes, and people begin to blur. In the above scenarios, the technology is what's vulnerable, but the reason the problem hasn't been fixed is because of people and processes.

Solving the People Problem
The business disruption that occurs when hospital systems are taken hostage by a ransomware attack or destroyed by malicious software is likely to outweigh the concerns and costs associated with patching and upgrading software.

No technology is as effective as a well-functioning "human firewall," whereby people make good, smart decisions regarding security and then act upon those decisions. All of the technology in the world is only as effective as the people who use it. If an organization exists in a space where upgrades and patches are neglected out of fear of a business disruption, a cultural change needs to take place in an effort to convince staff to embrace security initiatives.

Unfortunately, security training and awareness programs are underfunded in many health care organizations, which results in staff being uneducated about potential threats and unable to balance security with business operations in a way that satisfies both. To solve this, hospitals and health care organizations must focus on building a culture of security in the same manner they encourage patient safety and quality care.

Like any other culture change, it isn't as simple as education courses or staff training (which actually may not be so simple). Training staff to follow a process is an attempt to change behaviors. However, as instructions clash with day-to-day operations, it turns out the problem will be solved only temporarily. Staff members can be taught how to patch a system and the processes demanded by a security program can be demonstrated. That's helpful, but unless staff members understand why doing so is important, any changes won't be long-lasting.

"Culture building" that focuses on behavior as opposed to changing what people believe and how they think about security won't have an actual impact. A truly effective security culture is born when staff buys into the importance of protecting information assets. At the same time, administration must realize that security cannot feel bureaucratic and burdensome.

Regular meetings should be held not only to educate staff on the importance of security but also to ensure security isn't interrupting workflow. Only by approaching security from a place of paramount importance, and by taking into consideration the needs and desires of staff members who have a job to do, can real change begin to manifest. At that point, security can become another uniform goal of an organization, not simply an extra chore or something that would be nice to have.

Decreasing Vulnerability Starts With Understanding
Improving the quality of care isn't achieved by demanding best practices; instead, it's best accomplished through organic adoption, whereby staff members change their behavior because the outcome betters the lives of patients.
Security is no different.

After a risk assessment, changing security behaviors to shore up vulnerabilities can be realized only when staff understand the true risk of stolen PHI and the level of disruption that would occur should a breach take place. With that knowledge, a security culture will begin to take form and the organization will find itself less vulnerable to attack.

— Lance Hayden, PhD, is the chief privacy and security officer at ePatientFinder, where he is responsible for information governance and data security.