Rethinking Health Care Data Security From the Inside Out
By Ali Solehdin
There was a time when protecting electronic health care data focused on network controls to monitor and control incoming and outgoing network traffic. IT teams put up walls with controlled access points, and with each shift in technology, new walls were raised. The rise in mobility, the cloud, and the Internet of Things have challenged this perimeter-based security mentality. With data now spread across millions of access points that extend beyond the network, the walled approach to data security is crumbling down. Health care organizations, responsible for 67% of all breached data in 2015,1 need to rethink security from the inside out in order to stop the hemorrhaging from all the gaps in data protection this approach has created.
Despite strict regulatory standards under HIPAA, health care organizations continue to be plagued by data security incidents. The health care industry sees 340% more security incidents and attacks than the average industry, due in part to the value cybercriminals can command for this information.2 Sophisticated health care networks, often comprising thousands of providers, contractors, and vendors, are now complicated by the use of cloud storage and mobile devices across the board. With the growing number of EHRs being accessed by a highly dispersed and mobile workforce, health care now faces the challenge of protecting an enormous attack surface.
Right now, malicious outsiders account for most of the reported health care data breaches, and yet the root causes remain more complicated. "Malicious outsiders" implies a brute force attack against a network, while the reality is much more complex. For example, a phishing attack or a lost device may provide an initial entry point, which is used to gain access to the network to execute a cyberattack. One report suggests that 80% of health care breaches can be tied back to poor data hygiene such as authentication, encryption, or the storage of information on endpoint devices.3
Some health care organizations have attempted to reduce the attack surface introduced through mobility by putting up "walls" on endpoint devices, installing encryption or antivirus software. Others have left endpoint devices completely open. For example, 88% of health care organizations allow the use of personal devices, yet 40% take no steps to secure those devices.4 Last year, 78% of breached health care records were attributed to lost or stolen endpoints—many of which were unencrypted.5
The current approach to health care security is not working. When the focus is only on the perimeter, adding walls to the network or the endpoint, data breaches will continue to occur. Health care organizations must rethink the premise of data security, which focuses on protection. The objective of a data-centric security posture is to protect data from the inside out, a scalable approach that enables new technologies to emerge without compromising the foundation of data security.
How to Implement Data-Centric Security
• Define your data. Knowledge of what data you have and where they reside is the first step in protecting that information. Use solutions that continually monitor data on the network and on endpoints to ensure constant protection.
• Limit access to data. Access controls can help limit who has access to protected electronic health information, with further controls on whether those data can be saved or stored on other devices. Ensure that credentials cannot be easily exploited if lost or compromised through social engineering.
• Layer technologies that protect data. A layered security approach will provide redundancies in the event one layer is compromised. By supporting data-centric technology solutions, organizations are able to select solutions that transcend the traditional network vs endpoint security silos. For example, encryption is often cited as a base security standard. But deploying encryption is only the first step. Ideally an additional security layer would be implemented to monitor the status of encryption, allowing IT to prove it was properly installed and working at the time of a security incident to confirm data are protected. This is key to satisfying HIPAA compliance requirements.
• Set up automated monitoring and controls. Know what data are being accessed, and by whom, with automated alerts for suspicious data activity, failures in security tools, or unusual endpoint activity, including location. Have systems in place to remotely freeze or disable at-risk devices with further options to delete data and prove compliance.
• Have a data breach response plan in place. Integrate processes and tools to take effective control of a security incident. For example, knowing a device is missing is meaningless unless you have a reliable two-way connection to the device so you can validate status and (if required) invoke security commands such as deleting sensitive data remotely or disabling a device to prevent access.
• Automate patching and upgrades. Prioritize the testing of new patches and upgrades. Then automate the broader deployment of these fixes to maintain system integrity.
The health care industry faces some of the steepest data security challenges, with networks that contain many systems and new devices going online every day. Changing the focus from perimeter security to data-centric security will allow organizations to scale technology solutions more effectively without impeding the advancement that EHRs and new medical technologies bring to the table.
— Ali Solehdin is senior product manager for Absolute Software Corporation.
1. Identity Theft Resource Center. 2015 data breach category summary. http://www.idtheftcenter.org/images/breach/ITRCBreachStatsReportSummary2015.pdf. Published January 4, 2016.
2. 2015 industry drill-down report — healthcare. Forcepoint website. https://www.websense.com/content/2015-healthcare-industry-drilldown.aspx?cmpid=pr
3. Blumenthal D, McGraw D. Keeping personal health information safe: the importance of good data hygiene. JAMA. 2015;313(14):1424.
4. Ponemon Institute. Fourth annual benchmark study on patient privacy & data security. http://lpa.idexpertscorp.com/acton/attachment/6200/f-012c/1/-/-/-/-/ID%20Experts%204th%20
report%20here. Published March 2014.
5. Forrester Research. Brief: stolen and lost devices are putting personal healthcare information at risk. https://www.forrester.com/Brief+Stolen+And+Lost+Devices+Are+Putting+Personal
+Healthcare+Information+At+Risk/fulltext/-/E-RES117248. Published September 4, 2014.