Data protection concerns abound for health care professionals. Getting a sound handle on steps to address these is key, reports Illena Armstrong.Few can argue 2011 has been a banner year for frequent and massive data breaches, and health care organizations have carried their share of the burden.
Compromises encountered by the likes of Sony, Citibank and others may have seen the exposure of between hundreds of thousands to some 100 million critical records. However, various hospitals, insurance and health care providers, clinics and others have experienced a staggering number of data violations. Whether the personally identifiable information (PII) was stored on networks or backup tapes, was lost on mobile devices or mistakenly posted to websites, incidents in the health care space have been common this year.
Yet, breaches are unsurprising to many in the space. At an SC Magazine Health Care Roundtable held late last year, attendees spoke frankly about their challenges. Understanding just how far their confidential data extends, addressing more highly targeted vectors of attack, like mobile devices or cloud computing, ensuring business partners have adequate security, and getting the support they need from equipment vendors whose tools now are networked to wider corporate infrastructures, were only a few worries they voiced.
“The problem is that in health care, all data is sensitive – whether its PII or protected health information,” says Larry Whiteside, CISO of the Visiting Nurse Service of New York, who attended the event, which was sponsored by IT security solutions provider Arcsight, now an HP company.
In reiterating a point he made at the Roundtable, Whiteside adds that keeping track of this data is the most critical duty for health care security pros – and the most confounding.
“All I can say is due diligence,” he explains. “Health care and every other vertical should ensure they are continuing to do the things they know they should in order to protect patients and their electronic information.”
One top concern for Roundtable attendees is insider threats. Not only do they have to worry about the typical security vulnerabilities other types of companies face, like the provisioning (and de-provisioning) of internal applications, or too many shared accounts, but they must also deal with what Roundtable participants referred to as “neighbor snooping.”
To address this problem, some pros who attended the Roundtable are in the midst of rolling out dual-factor authentication solutions. Among other technologies, they're also relying on encryption, security incident and event management (SIEM) solutions, awareness training, and identity management (IDM) to help with end-user provisioning and the deletion of shared accounts.
The problem with many of these solutions, though, is that they are based on policy, says Ryan Kalember, director of product marketing for Arcsight. And this means that organizations have to do some work up front to understand the extent of their user base. For example, with IDM, a company often turns to business units for details about users and what they should have access to, but they don't always know what that should be.
“We've seen that most of our customers who are really serious about user monitoring and need an authoritative source of data turn to [Microsoft's] Active Directory, because the information in there is better than what is in their IDM,” Kalembar says. “So, that's scary.”
The data that business partners have access to only complicates the problem more, says Jon Gossels, president and CEO of consultancy SystemExperts.
“Once that initial data is used for something else, all bets are off,” says Gossels. “That's the nightmare in health care right now. It's not the initial collection. It's all the uses after that.”
If data security needs like these are met, then compliance with the Health Insurance Portability and Accountability Act (HIPAA) should come naturally. However, security funding still seems to stem from higher-ups' concerns about meeting mandates, as opposed to safeguarding the data. This may be one reason why many health care organizations end up failing to take a comprehensive look at their overall security management plans, says Bryan Cline, VP for Common Security Framework (CSF) development and implementation at the Health Information Trust Alliance (HITRUST).
A “firefighting exercise” up until now, robust security and risk management plans in the health care space must be built firmly on standards, such as ISO 27001, guidance from the National Institute of Standards and Technology (NIST), HITRUST's CSF or others, Cline adds, reinforcing a point he made while at the SC Roundtable last year, when he was CISO at Catholic Health East.
Organizations need to adopt a standard prescribing reasonable and appropriate security practices in order to do a valid gap analysis as part of their risk assessment, he says.
Yet, it's not just a question of privacy. It's also one of authenticity of the data, says Dov Yoran, co-founder of MetroSITE Group, an information security consultancy that provides services to technology companies. Organizations, must ensure data is not tampered with or changed, and that it remains authentic, safe and available system-wide, he adds.
Standards come in handy when undertaking this process, says HITECH's Cline. By looking to industry guidance and best practice, and then conducting an analysis of where security gaps are, organizations can establish and maintain an overarching governance, risk and compliance management plan that considers the entire corporate infrastructure.
“[HIPAA] helps and hinders,” Cline says. “It helps because it got security some attention, so people were able to do some things they wanted to do after they got the money for them. It hinders because they end up focusing on compliance, and compliance doesn't equal security.”
With Office of Civil Rights audits coming, Cline believes 2013 will be a watershed year for health care security. After audits show that some still are clinging to ineffectual risk management plans, the industry is bound to witness action against them, he predicts.
“2013 will be the first year organizations will be looking at security through the right lens, so there should be a lot of improvements,” says Cline.