Strapped for cybersecurity resources, small and medium-size health care providers should outsource electronic medical record (EMR) maintenance, Payment Card Industry (PCI) compliance and threat intelligence gathering to third-party service providers, but risk assessment must still be handled internally, according to Mitchell Parker, CISO at Indiana University Health.
Lamenting the recent scourge of ransomware and data breach attacks against health care organizations, along with what he believes is lack of specific cybersecurity guidance and an overabundance of “snake oil” infosec companies that provide expensive risk assessments “while not delivering anything of value,” Parker presented a series of recommendations for smaller medical providers in a presentation at the 2020 virtual Black Hat conference.
Complexity and cost were the two primary reasons Parker advised against modestly sized health organizations managing their own EMR systems.
“Let me be very clear: If you are hosting an EMR and you’re a small organization – don’t,” said Parker. “There’s a reason why the largest EMR companies offer [a] remote-hosted option: That’s the way of the future because doing it on your own is an incredibly complex task.”
Instead, said Parker, a bigger health system operator or large service bureau “can do this for you and do it better,” while also providing additional helpful tools including privacy and diversion monitoring.
PCI compliance is another area that smaller health-care providers will want to avoid handling themselves, due to the heavy risk involved in recording, processing and storing sensitive payment data, said Parker. “You also don’t want to be in a position where you’re writing down credit card numbers or recording them on voicemails – both of which affect your PCI compliance status,” because an unscrupulous individual with access to that information might steal those numbers, he explained.
“Realistically, I believe that risk transference by paying for a PCI-compliant vendor is the best move that an organization can make,” the CISO concluded. “There’s a lot of companies out there that do great work. They’ll do it for you at a reasonable price and provide you something reasonably decent for PCI compliance.”
Parker recommended contracting a revenue cycle vendor to supply a patient payment portal, and advised reaching out to banks and vendors to get the latest P2PE (point-to-point encryption) devices. “Literally, they will give them to you,” said Parker, although the devices should be assessed and updated on a quarterly basis.
Threat intelligence gathering and reporting is another responsibility Parker believes should be delegated to a third party. The CISO said that organizations like the Healthcare Information Sharing and Advisory Center (H-ISAC) and the Health Sector Coordinating Council (HSCC) collectively offer quality content, mailing lists, guidance, recommendations, conferences and opportunities for coordination among industry members. “And we highly recommend that, more than spending money on threat intel software,” Parker opined.
Risk assessments, however, must remain an in-house responsibility, aided by some supplementary outside help as needed, Parker asserted. “The reason why is, you need to know your business well and know where your holes are.”
Most importantly, he said, health organizations must be honest about their compliance status as it pertains to HIPAA and other security/privacy regulations and standards, lest they find themselves in trouble with the Office for Civil Rights and insurance companies. But such candor may be harder to achieve when a third-party provider is asking the questions.
“People think outsider, they think an auditor,” said Parker. “And if you bring in an outsider, people are going to clam up and not say anything. This is no knock on the big firms I’ve worked with – but outsiders don’t get answers; insiders do.”
Parker said Indiana University Health created a downloadable quantitative risk assessment tool using an Excel spreadsheet based on the Centers for Medicare & Medicaid Services’ Systems Readiness Assessment tool that assesses risks according to likelihood, impact, velocity, potential income loss and reputational impact.
Parker also addressed the risks of remote access technology – a trend that has exploded during the Covid-19 pandemic, but has also emerged as a significant attack vector.
“One of the most important lessons learned over the past year is that remote access is a huge target,” said Parker, who advised health care providers to avoid running Remote Desktop Protocol or outdated and unpatched VPNs that are not effective against modern threats.
Last May, the CyberPeace Institute and dozens of international leaders and dignitaries collectively urged the world’s governments in an open letter to help put an end to cyberattacks on hospitals and health care institutions that are already under the incredible strain of combatting the Covid-19 pandemic.