The Seven Layers of Security in Health Care Computing
By Chris Bowen
From ancient wars to the modern battlefield, one of the most time-honored military strategies is the concept of "defense in depth," which takes a multilayered approach to repelling a determined enemy. Implementing a layered approach—think of a castle with a moat, towers, inner and outer walls, and a series of chambers—gives the defenders time to identify the breach, delay attackers, and ultimately repel the attack in order to keep their most valuable assets safe.
This multilayered approach has now become necessary for health care organizations due to the high value cyber criminals place on patients' protected health information (PHI). PHI, including names, birth dates, social security numbers, policy numbers, and billing information, is 10 times more valuable to cyber criminals than credit card numbers. It can be used to open multiple credit lines, create fake IDs, purchase medical equipment or pharmaceuticals that can be resold at a profit, and defraud insurance companies, among other issues. And unlike credit card fraud, which usually shows up within days and is shut down quickly, PHI theft can go undetected for years.
Stolen PHI Is Growing
Cyber theft of PHI increased 100% between 2010 and 2013, according to a survey by the Ponemon Institute. Why the sudden upsurge? It's simple: Many health care organizations are easy targets. They often lag behind retail and financial organizations in creating hardened, multilayered approaches to security. In fact, many health care organizations are behind in upgrading security systems. With budgets tighter than ever as the health care industry transforms from a fee-for-service to pay-for-performance orientation, money is limited. If the decision comes down to upgrading a firewall or purchasing a new MRI machine, the MRI machine wins nearly every time.
The issue is further exacerbated by lack of internal resources as HIT departments are focused on implementing, upgrading, or maintaining their EHR system; attesting to meaningful use; and converting to ICD-10 codes. A lack of budget coupled with a lack of internal resources makes it extremely difficult to keep up with the cyber criminals—especially when the criminals are focused 24/7 on breaching the walls.
The Seven Layers of Defense in Depth
Creating a proper defense in depth requires hardening security at the following seven distinct layers:
1. Physical: Data storage in top-tier data centers, 24/7 perimeter sensor-monitoring, and badged or biometric entry into secure areas. This is an area that is often underprotected within hospitals and health systems.
2. Network: Enterprise-grade hardware, advanced firewall configuration, SSL VPN security, intrusion detection and prevention, and threat management response. This layer is generally present, but often out of date in one or more areas if managed internally.
3. Application: Data encryption (at rest and in transit), antivirus protection, patching, two-factor authentication, malware protection, and log management. This layer can easily fall behind if patches and upgrades are frequent and internal resources have more pressing tasks.
4. Server: File integrity monitoring, patching, role-based access controls, and security information event management (SIEM). This is another area that can fall behind without dedicated internal resources.
5. Data: Backup, at-rest and in-transit encryption, retention, destruction, archiving, SIEM, and lifecycle management. This layer often is the primary focus of internal security efforts even though security at all layers is important.
6. Devices: Mobile and medical devices, as well as bring your own device (BYOD) concerns. This is often the Achilles' heel for internal security because many devices are outside IT's control.
7. User: Two-factor authentication, social engineering/hacking, policies related to passwords and BYOD, corporate policy, continuous education, and ethical hacking. This layer is the most difficult to manage because it requires changing behaviors rather than simply upgrading technology.
It's rare that a health care organization can build this layered defense internally—and then maintain it as cyber criminals shift their method of attack on a daily basis. Fortunately, there is another option.
Shifting PHI to the Cloud
Rather than trying to build and manage the security of PHI internally, many health care organizations are beginning to see the value in moving their data to a cloud provider that specializes in health care. Working with a cloud provider not only eliminates the need to purchase and maintain hardware and software at each of the seven layers, it also eliminates the need to hire internal cybersecurity experts who will keep up on the latest developments.
Traditionally, one of the arguments against moving to the cloud was a desire to protect and maintain control over the data. CIOs simply felt safer when the data were managed in an internal data center. Yet in today's world, it is becoming clear that the opposite is true.
HIPAA-compliant cloud providers that specialize in health care already have the multilayered approach required to protect PHI, which CIOs can inspect and test before making a commitment. They also have the capabilities to secure PHI at rest and in transit, with availability that is as good as or better than keeping the data in house.
Not If, but When
It's really not a question of whether a health care organization will be targeted by cybercriminals, or if those criminals will be successful in exploiting a weakness in the security. It's a question of when and how much damage will be done—clinically, financially, and to the organization's reputation.
— Chris Bowen is chief privacy officer for ClearDATA, which provides HITRUST CSF-certified HIPAA-compliant cloud computing. He has dual certifications as a Certified Information Privacy Professional in the United States and Certified Information Privacy Technologist from the International Association of Privacy Professionals.