Is a Data Breach at Your Health Care Organization Inevitable?
By Chris Bowen
If 2014 was the year of massive retail breaches, 2015 is turning out to be the year of health care data breaches. Astonishing in their scope and size, the roll call of breached organizations—as evidenced by the Office for Civil Rights' infamous "Wall of Shame" list—continues to grow seemingly daily. In fact, a quick review of this list brings up an obvious question: If cybercriminals can hack their way into the networks of health care giants such as Beacon, CareFirst, and Anthem, who can stop them?
Given the rising frequency of such breaches, it's a logical query. But the surprising reality is that many health care data breaches follow a familiar pattern—which means they can be prevented. Consider the 2014 breach at Community Health Systems that affected 4.5 million people. In this event, the attacker managed to bypass security measures and deploy malware to copy and transfer data outside the company. The means weren't particularly sophisticated or even new: the attackers got in through a Juniper device that was still exposed to Heartbleed, the OpenSSL vulnerability for which patches and other security measures had been available for some time.
While we can't definitively state why Community Health Systems didn't apply them, we can certainly take a look at today's HIT environment for broader answers on why basic security measures are getting overlooked even by the largest organizations.
An Industry Unprepared
As stewards of large volumes of valuable patient records, health care organizations know they make particularly attractive targets. Yet despite this, HIT security spending has not kept pace with the hackers intent on breaking into health care networks. Until recently, most of the focus was on implementing EHRs, with security and threat prevention put on the back burner. Prior to the HITECH Act, many providers and practices weren't even encrypting health care data. Further, many are working with aging and fragmented legacy IT infrastructure—a recipe for a breach that can go undetected for months or longer. According to initial reports about the Beacon breach, for example, hackers began their attack in 2013 through phishing e-mails.
Overworked Staff, Overlooked Security Measures
HIT professionals are in great demand across the health care enterprise—and there aren't enough of them to upgrade an EHR, prepare for ICD-10, manage the network and a growing collection of workstations and mobile devices, collect data for multiple department reports, or handle a host of other ongoing duties, all while keeping a continuous eye on a multitude of system alerts and log files for a breach attempt.
And so, the hacker pounces on the unprepared.
For example, an active monitoring program at Community Health Systems could have helped limit the loss once the attackers gained access to the core infrastructure. A Security Information and Event Management (SIEM) solution, properly configured, could have triggered an alert once an anomaly was detected. For that matter, the Heartbleed bug, once identified, should have been patched as soon as Juniper released a fix.
But what should have happened may well have been close to impossible if staff were stretched thin. For many health care organizations today, there simply aren't enough employee hours available for the constant security effort required to keep at bay the hackers who are continuously probing their networks for an entry point.
Best Practices and Cloud Options
Mindful of these and other challenges facing HIT today, industry groups such as The Advisory Board recommend a multipronged approach that includes audits, upgrades, and the use of cloud services from organizations that specialize in robust—and, more importantly, continuous—security. It's also critical to prepare for a breach in advance. A crisis team should comprise a multidisciplinary group including executive leadership, legal/compliance/privacy, IT, communications, and customer relations. Initial steps should be to end the compromise or remedy the risk-control deficiency, restore the affected system, and determine the cause of the incident and the appropriate mitigation and protection to be applied.
For greater security, it may be wise to consider a long-term cloud storage solution that is not only HIPAA compliant but is also provided by a vendor that serves health care exclusively. With cloud technology, organizations store their data in a location where security patches, updates, and other measures can be applied using robust deployment tools while maintaining sound change management processes across all apps and data. This all takes place in an environment with many additional layers of security, ranging from data encryption and vulnerability scanning to an array of managed threat protection services.
Choose Your Cloud Vendor Wisely
As more health care organizations move their protected health information out of internal data centers into a cloud computing environment, look for a cloud partner with a health care focus. The vendor must be able to combine unrelenting security and compliance with scale, sound operations, and rapid innovation, and be willing to share the risk along the way. This ensures that you are partnering with a provider who is serious about keeping your organization off the Wall of Shame.
— Chris Bowen is founder and chief privacy and security officer at ClearDATA, which provides HITRUST CSF-certified HIPAA-compliant cloud computing. He is a Certified Information Privacy Professional, Certified Information Systems Security Professional, and Certified Information Privacy Technologist.