
10 Future-Proof Cybersecurity Tips for Healthcare

The threat of cybercrime can be felt most strongly where its impact is most acute. Although threats are very real to all industries – including critical infrastructure, government, financial services and others – healthcare has the biggest target on its back today. These threats have been steadily rising for many years and last year was no exception. See the 15 largest health data breaches of 2018. What can you do to stay safe in 2019? Here are 10 future-proof cybersecurity tips for your healthcare organization.
Individual Impact
The impact of data breaches on organizations is significant, with healthcare data breach costs ranking the highest of any industry at $408 per breached record. But what about the impact to a patient? What happens when patient data is used in medical identity theft for years, only discovered when the collections agency comes calling? Or worse, when a patient receives incorrect medical care because the medical record is compromised by false updates? What happens to the patient who enters the hospital for care only to find all hospital systems shut down by ransomware? What happens to the patient if his pacemaker or MRI machine is hacked?
Risky Technology
Healthcare technology is continually advancing with the goal of improving patient outcomes, and yet many technologies are being deployed before security concerns can catch up. We trust that we’ll receive the best care possible from our doctors, but we’ve only just begun to feel the impact of cybersecurity threats on patient care. So, what can healthcare organizations do to improve this escalating situation?

1. Review all contracts — Healthcare organizations today are large and complex systems, with many ‘smaller’ entry points through partner systems or vendors. Security standards must be reviewed regularly and a process put in place for all partners and vendors to promptly report data breaches. Organizations should make sure that they have the contractual rights to insist on security standards for vendors.
2. Formalize the breach notification process — Include both detection and response capabilities and consider purchasing special insurance. Under GDPR requirements, organizations must report a data breach within 72 hours. Read: 5 Tips for Compliance Officers Dealing with GDPR.
3. Rehearse your data breach plans — Make sure your organization can report on the consequences of a breach in a timely manner.
4. Maintain endpoint visibility — Ensure firmware and software can be updated against vulnerabilities and that alerts can be issued if a device goes missing, misses an update or shows signs of tampering.
5. Protect legacy technology — The reality of limited budgets in healthcare means that many legacy systems remain unsupported, and that could place the entire network at risk. Isolating these systems or building protections around them can serve as a temporary safeguard until they can be modernized.
6. Automate detection and response capabilities — A recent Ponemon study found that traditional endpoint security approaches are costing enterprises more than $6 million in poor detection, slow response and wasted time. Security solutions should be automated to detect and contain threats with minimal human input or intervention.
7. Add resiliency to security solutions — How can you ensure that your current security controls cannot be tampered with by malicious or insider activity? This resiliency is available through Absolute’s persistence technology.
8. Help the C-suite understand — Appoint a CISO or Data Protection Officer to be responsible for data security and to ensure that data security is a regular topic at the Board; this is a key differentiator in reducing security gaps.
9. Educate staff — Train them on the importance of data security to mitigate the insider threat. Have a well-communicated policy on how and when to report lost devices or suspicious texts or emails, and enforceable repercussions for infractions.
10. Conduct regular compliance reviews — GDPR lays out stringent data protection requirements, as do HIPAA and HITRUST. Be proactive in identifying and rectifying issues. Read: HIPAA Compliance Checklist for 2019.

Patient medical records are now the #1 target for cyber criminals. And healthcare organizations are legally required to protect their PHI, even as it leaves their systems and goes to other covered entities.
For more on how you can prevent data breaches, read about actionable strategies in the whitepaper, Data Breach Prevention for Healthcare: A Best Practice Guide.

Why Data Privacy in Healthcare Matters

Data privacy in healthcare is much more than a regulation checkbox. It directly correlates to a sustainable, successful global healthcare system. In the continuous battle for better patient care and a business model that makes healthcare more affordable, information is king.
The Rising Cost of Healthcare
According to a study published by the Journal of the American Medical Association (JAMA), the rising cost of healthcare is due to five primary factors:

Population growth
Population aging
Chronic disease prevalence
Use of medical services
Service price and intensity (e.g., pharmaceutical drug prices)

These factors drive healthcare spending – which is skyrocketing. By 2022, global healthcare spending is expected to reach just over $10 trillion annually. In the U.S. alone, healthcare spending rose nearly a trillion dollars over the past ten years.
The rising costs hurt consumers of course (as anyone who has been to the doctor lately can tell you), but they are also a painful reality for healthcare organizations. Administrators must determine how to deliver the best possible patient care, while remaining in the black.
Data is the New Healthcare Currency
In the search for a more sustainable business model to meet these competing demands, many geographies, the U.S. included, are now seeing an industry shift from the volume-based, fee-for-service model to a more patient-centric, value-based approach. The rationale behind it is that a sick person is already an expense, whereas a focus on wellness, prevention and early intervention is a mutually beneficial partnership that reduces costs over the long term.

To deliver on value, healthcare organizations must rely heavily on digital technologies, clinical innovations, virtual care and plenty of patient information. At this intersection, we find the increasingly common phrase, ‘data is the new healthcare currency.’ For this reason, data privacy belongs at the center of any conversation about the business of health care.
Patients expect it. Regulators require it. Your reputation depends on it.
Valuable Data in a Growing Attack Vector
Beyond the value healthcare providers assign data for the purpose of patient care, cybercriminals also find great value in healthcare data records. One report says electronic healthcare records (EHR) are valued at $250 per record on the black market compared to the next highest priced record – a credit card – at just $5.40. With that kind of money in play, healthcare is a particularly attractive target for most hackers. It makes sense, then, that healthcare organizations see an average of 32,000 intrusion attacks per day, per organization as compared to 14,300 attacks per organization in other industries.
And the possibilities for cybercriminals to attack are growing as healthcare organizations’ threat surface expands. Caregivers and employees are more mobile, partnerships with third parties are more common, and medical devices are increasingly complex with new IoT technology.
Read: Are Hacked Medical IoT Devices Ransomware’s Next Target?
Cost of a Data Breach
An attempt at your data is likely, and once breached, it will be costly. In their Annual Cost of a Data Breach Study 2018, the Ponemon Institute identified breach resolution costs (including detection and escalation, notification, post data breach response and lost business) to be highest for healthcare of any industry by far, at $408 per record. The industry ranked second is financial services, at a considerably lower price point of $206 per record.
These numbers don’t include the regulatory fines that inevitably result from a confirmed breach. How non-compliance is handled is unique country-to-country, but none of the fines come cheap. As regulations continually evolve and penalties multiply, it’s clear that data privacy needs to remain a top priority.
To learn more about how to avoid a costly breach and embrace the digital healthcare revolution, download the whitepaper: The Cost of a Data Breach in Healthcare.

Healthcare Cybersecurity and Data Security in 2019

Healthcare has rapidly evolved from a traditionally paper-based industry to one that has embraced digital in almost every way. The growth of technology and patient care has subsequently thrust the industry into the spotlight when it comes to protecting sensitive information. Healthcare cybersecurity and data security in 2019 is one of the top issues facing the healthcare industry.
State of Cybersecurity in the Healthcare Industry
The number of endpoints on healthcare networks is growing exponentially, especially with the popularity of both personal and corporately-owned mobile devices. Add in a host of IoT devices such as printers and smart appliances, and the potential for trouble is significant. The good intention motivating these devices is improved productivity. However, when you combine the device proliferation with healthcare organizations’ legacy systems and inadequate security budgets, it becomes a pervasive interoperability problem.
To make matters worse, employees who lose devices or have them stolen, click on a phishing link or inadvertently send Protected Health Information (PHI) across insecure channels only exacerbate the issue. You’re left with a recipe for embarrassing, costly leaks of sensitive data — not to mention the likelihood of hefty fines under HIPAA and HITECH regulations.
The need for better endpoint visibility and control has never been greater.
Why is Data Security the Biggest IT Concern for Healthcare Organizations?
While there are countless complex challenges facing healthcare IT professionals, it’s almost unanimous that security is at the top.
By widely adopting electronic information systems, any organization that does business in the healthcare industry has increased its risks regarding sensitive patient data protection. This is not lost on hackers, who have adapted their methods and tactics to monetize their attacks by seizing control over healthcare data, encrypting data and asking for ransom. This attack, known as ransomware, hits the healthcare industry particularly hard.
The pervasive vulnerabilities that threaten our ability to protect confidential data are a huge concern for healthcare decision makers. The numbers explain why.
The Protenus Breach Barometer for the third quarter of 2018 reports a total of 4.4 million patient records compromised in 117 health data breaches, with the number of affected patient records increasing in each quarter.
According to the Cost of a Data Breach Report conducted by the Ponemon Institute and IBM, the average healthcare data breach costs $408 per record — the highest of any industry for eight straight years. At almost triple the cross-industry average of $148 per record, it is obvious that cyber and data security is one of the most critical concerns for the industry.
Perhaps the biggest concern, however, is this: as organizations place more medical devices onto their networks, those IoT devices are also vulnerable to attack, and can even endanger the lives of their patients.
Most Common Cybersecurity Threats in Healthcare
The number of threats facing the healthcare industry is only going up. We’ve touched upon a few of the main threats already, but it’s a good idea to categorize them into four main groups — all of which can jeopardize PHI or ePHI, the cornerstone of healthcare data.
Ransomware
We discussed ransomware in the previous section, and because it dwarfs all other types of cyber-attacks facing healthcare companies, we’re listing it first.
Security experts agree that phishing emails, the primary method for launching a ransomware attack, will persist and prey on the healthcare sector.
Insider Threats
This one may not seem as obvious, but the threat is real.
So real, in fact, that Verizon’s 2018 Protected Health Information Data Breach Report found healthcare to be the only industry in which internal actors represent the biggest risk to an organization. The study also reports that 58% of all healthcare data breaches and security threats are caused by insiders, meaning anyone with access to healthcare resources and important data.
IoT Healthcare Attacks
As Internet-connected medical devices are adopted on a much grander scale each year, IoT is going to be a huge issue for healthcare. On the one hand, hospitals and other providers benefit from IoT’s medical advancements and infrastructure improvements. On the other hand, most IoT devices are not built with cybersecurity as a default.
In fact, hacked medical IoT devices may be used to launch ransomware attacks.
Due to the severity of risks involved, IoT security mustn’t be overlooked.
Supply Chain Attacks
You may have the best security in your organization or network, but what about your suppliers, service providers, partners, or business associates who have access to your data? Those networks or systems may not be as secure. Hackers can and will focus on these weaker networks.
A supply chain attack is when a hacker finds one of the weak links in your supply chain and leverages it as a form of indirect access into your network. Hackers are always looking for backdoors, and the supply chain is often their way in, whether through insecure networks, software or hardware.
Interesting fact: in a recent CrowdStrike survey, 84 percent of healthcare respondents agree that “software supply chain attacks have the potential to become one of the biggest cyber threats to their industry.”

3 Ways to Improve Healthcare Data Security
Maintaining control over critical PHI or other sensitive data isn’t easy, but if healthcare organizations make a concerted effort to follow these three approaches they should be ahead of the game.
1. Take Back Control Of Your Endpoints
When endpoints go missing or show cause for concern, you need to act fast and smart. Failing to act quickly puts you at risk of exposing your organization to ransomware attacks and security breaches.
The fact is, laptops at a healthcare organization often go missing for months before the loss is detected in a yearly IT audit. Your efforts need to be focused on reshaping this critical flaw in oversight. When a device misses an update, goes missing or shows signs of tampering, you need to make sure red flags go up immediately so you can deal with it ASAP.
2. Strengthen Your Security Posture
Organizations should consider investing in endpoint controls and applications to protect their most critical assets. In doing so, you ensure your applications are running smoothly and have not been tampered with. Critical applications such as VPN, antivirus, encryption, device management and other controls are too easily compromised by malware, corruption or negligent users and often leave IT and security pros flying blind.
Improving visibility and control to the endpoint can help patch these holes in a healthcare security environment that might otherwise render existing and new security layers ineffective.
3. Get Real About Real-Time Evaluation and Response
Your organization should be able to evaluate its security posture in real time to ensure all devices are patched for known vulnerabilities, whether on or off the network. When new vulnerabilities crop up (and they will), your IT team should be in a position to proactively address these emerging threats with data controls and/or patch distribution.
According to a Ponemon study, 425 hours are wasted each week by IT teams chasing false negatives and false positives. By following these approaches, it’s estimated that organizations can save an average of $2.1 million annually in time savings. Even better, they’ll have a greater chance of preventing a costly breach.
Finally, risk analysis should be an ongoing process that checks the following boxes for covered entities: regularly review records to track access to ePHI and detect security incidents; periodically evaluate the effectiveness of security measures put in place; and regularly re-evaluate potential risks to ePHI.
We hope you’ve found several takeaways here, and are in a better position to improve your healthcare cybersecurity posture. If you need more strategic tips, be sure to check out our HIPAA Compliance Checklist for 2019.

Avoid Security Breaches in Healthcare with Data Visibility

Security breaches in healthcare are rampant. Just one month into 2019 and the Office for Civil Rights (OCR) already has plenty of new Health Insurance Portability and Accountability Act (HIPAA) compliance violations to investigate. The well-known ‘wall of shame’ data breach portal shows that in January alone more than 350,000 individuals have had their protected health information (PHI) compromised by a data breach. The reported causes of these healthcare security breaches are: hacking, lost or stolen devices, unauthorized access/disclosure, and improper disposal.
The Cost of a Healthcare Data Breach
Healthcare IT security continues to be a growing issue. Not only has the number of victims increased, so has the cost to those involved. According to Ponemon Institute, healthcare data breach costs are the highest of any industry at $408 per record. In 2018, we saw the largest fine ever handed out by the OCR since they began enforcing HIPAA compliance when health insurer Anthem Inc. was ordered to pay $16 million in October.
Read The Cost of a Data Breach in Healthcare
Why is healthcare hit so hard? Healthcare is data and all of it – personal, familial and financial information – is highly valued by cyber criminals. Add to that the organizations themselves are typically large, distributed, and often encumbered by legacy systems and/or inadequate security budgets, making them an easy target in too many cases.

Faced with these and other challenges, it is increasingly important that healthcare organizations make the most of their security investments. But that doesn’t mean that layering on every new tool is the right answer — for strong security or for compliance. Many organizations wrongly assume that deploying a host of security technologies inevitably ensures compliance when, in reality, the safer bet is to start with the data and know where it resides.
The Burden of Proof for HIPAA Compliance
To be HIPAA compliant, the Department of Health and Human Services (HHS) requires that covered entities specify “technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals,” through encryption and/or destruction. It falls to healthcare organizations to supply proof of data encryption or proof of destruction in order to avoid being liable for non-compliance.

The challenge is that you can’t secure (in this case encrypt) or validate devices you can’t see. Visibility into the health and efficacy of your endpoints is a key element in remaining HIPAA compliant. Identifying all of your endpoints — even those that are inactive — also happens to be the starting point for a solid security program.
Devices are re-imaged, users disable apps, registry files become corrupted, and devices leave the protection of the network. All of these ‘dark’ devices remain outside the control of IT, posing a significant threat to data security and HIPAA compliance. Moreover, in the event of a security incident, these devices may no longer have the technology needed to prevent the incident from escalating to a full-scale data breach.
Would you be able to validate your data security at the exact moment of an incident? Quantify the extent of your organization’s dark endpoint problem by starting with this free assessment. And, if you would like more information on effective steps to protect your healthcare data, watch this webinar with Absolute and SANS Institute, 7 Steps to Protecting Data in the Era of Digital Care.

What is HIPAA Compliance and Why is it Important to Healthcare Security?

If you are involved with the healthcare industry, you’ve probably heard of HIPAA, the Health Insurance Portability and Accountability Act. Regulations and best practices surrounding HIPAA can be confusing, but it’s critical that anyone connected to the healthcare industry understand at least the basics.
So we’re here to break things down for you.
First, and perhaps most important, is to answer one of the most commonly asked questions:
What is HIPAA compliance?
HIPAA Compliance Definition
Because its regulations are ongoing, HIPAA compliance is a living process that health care organizations must build into their business in order to protect the privacy, security, and integrity of protected health information. HIPAA compliance requirements are discussed near the end of this post.
Before we continue, three more acronyms need to be highlighted which figure prominently in the definition:

PHI = Protected Health Information
HHS = Department of Health and Human Services
OCR = Office for Civil Rights

HIPAA’s regulatory standards were created to establish the legal use and disclosure of protected health information (PHI). The Department of Health and Human Services (HHS) regulates compliance, and the Office for Civil Rights (OCR) enforces compliance.
The OCR also provides ongoing guidance on developments affecting health care and is responsible for investigating HIPAA violations.
Need a HIPAA compliance checklist? Absolute’s got you covered! 
Decoding PHI
While HHS and OCR are self-explanatory, PHI requires further explanation.
Protected Health Information (PHI) is the combination of one’s identifying information (such as your name or address) and any health-related data collected from a healthcare practitioner or facility, such as your medical record, any conversations with providers, or billing/insurance information.
PHI is anything that contains both your Personally Identifiable Information (PII) and your health information.
For example, if we know that Sheldon Cooper is diagnosed with obsessive-compulsive disorder, that’s PHI. Why? Because it contains PII — Sheldon Cooper, and also health information — obsessive-compulsive disorder. Sheldon’s PHI would, therefore, be protected by HIPAA.
One more definition: ePHI, electronic protected health information, is PHI that is transmitted, stored, or accessed electronically. ePHI falls under the HIPAA Security Rule, a HIPAA regulation addendum which came into effect to address the rapid changes in medical technology and how health records are stored.
Why HIPAA is Important
There are countless reasons why HIPAA is important, but the key takeaways are these: it aims to ensure privacy and confidentiality; it allows patients access to their healthcare data; and also reduces fraudulent activity and improves data systems. It all boils down to data security.
For healthcare organizations, HIPAA provides a framework that safeguards who has access to and who can view specific health data while restricting with whom that information can be shared. Any organization dealing with PHI must also have physical, network, and process security measures in place to be compliant.
Even subcontractors and any other related business associates must be compliant.
HIPAA is there to protect individuals and to ensure everyone has full access to a copy of their personal medical records. It is ultimately a civil rights issue. It mandates data protection for anyone who creates, stores, transmits or uses individually identifiable health information.
All healthcare entities and companies which handle, store, maintain, or transmit patient health information are expected to be in complete compliance with the regulations of the HIPAA law.
By adhering to HIPAA laws, providers can save millions of dollars annually just by properly managing security risks.
David Harlow, an attorney and consultant specializing in healthcare data and digital health matters, states that HIPAA should be seen as the minimum standard regarding privacy and security standards and protections. “Simply complying with HIPAA is not enough,” he said. “There are more stringent state laws (which vary, state to state) and some industry best practices which are more protective of patient data.”
What are HIPAA Guidelines?
With HIPAA, there’s a lot of information to digest when it comes to the guidelines providers must follow to be compliant. What’s most important — and what we will be focusing on — is to clarify what HIPAA violations are, as well as to define what it means to be HIPAA compliant.
For specific guidelines, we recommend the official HIPAA site — a useful resource from the U.S. Department of Health & Human Services.
HIPAA Violations
A HIPAA violation occurs when there is a breach of an organization’s compliance program in which the integrity of PHI or ePHI is compromised.
It’s important to note that data breaches are not the same as HIPAA violations. A data breach can also be a HIPAA violation, but only when that breach is caused by a breakdown in the HIPAA compliance program or by a specific violation of an organization’s HIPAA policies.
For example, a data breach would be if a laptop belonging to an organization’s doctor is stolen and that laptop contains unencrypted access to medical records. If that organization did not have a policy which stated laptops couldn’t be taken offsite, then it would also be a HIPAA violation.
According to Harlow, publisher of HealthBlawg, enforcement of violations is likely more limited to cases in which there has been a data breach. In his definition, a data breach is when PHI is released to or obtained by a third party without the patient’s authorization, other than for purposes of treatment, payment or healthcare operations.
“We can learn from cases where the OCR has entered into settlement agreements with Covered Entities (practitioners) or Business Associates (third parties) that have experienced data breaches,” he said. “The settlement agreements are made public, together with case summaries. From my perspective, it is critical that the regulated community understand and appreciate that the weakest link is often the human link.”
One data breach we can all learn from is the Anthem Insurance Company hack, which relied on an unsuspecting employee clicking on a link in a phishing email.
“Staff must be trained and tested, and systems and failsafes must be put into place,” said Harlow. “Hundreds of millions of dollars of remediation costs, class action settlement payments and fines were paid out by Anthem as a result of that click.”
He advises that the government does not discriminate when enforcing the rules, as they will fine the small entities along with the large companies. Perhaps not in millions of dollars, but significant sums nonetheless.
To further break down the takeaways from healthcare security breaches, you’ll find some great lessons here from Josh Mayfield, Absolute’s Director of Security Strategy.
Finally, it’s critical to point out that if you’ve been breached, you need to report the breach in a timely manner. In 2017, OCR brought about its first HIPAA settlement for a violation of the Breach Notification Rule, levying a $475,000 fine against Presence Health for failure to properly follow the rule.
Common HIPAA violations include:

Stolen smartphones, laptops or USB devices
Cyber hack or attack, including malware incidents and ransomware attacks
Business associate breach
Electronic health record (EHR) breach
Office break-in
Sending PHI to the wrong patient/contact
Discussing PHI outside of the office
Social media posts

HIPAA Compliance Requirements
This compliance list represents a baseline for processes that businesses should be following:

Remediation Plans
Policies, Procedures, Employee Training
Business Associate Management
Incident Management

While all of these are important, Harlow recommends focusing on the need to address the privacy and security of PHI holistically, through continuous review and improvement of systems, policies and procedures, training and implementation.
“This is not a ‘set it and forget it’ sort of compliance exercise,” he said. “I would also emphasize that the HIPAA rules are written as flexible standards that are to be implemented based on the size and nature of the covered entity or business associate.” For instance, Amazon’s compliance program for its HIPAA-compliant cloud services will not be the same as the compliance program implemented by a multi-specialty physician practice.
At the end of the day, complying with HIPAA regulations may seem tedious, but in today’s threat landscape we all need to practice proper security hygiene anyway to protect ourselves.
The ramifications of not doing so are too severe to ignore.
We’ve covered plenty of ground, but to learn even more about achieving HIPAA compliance and how Absolute can help your business, download our white paper here.

HIPAA Compliance Checklist for 2019

HIPAA was adopted in 1996 and since then, Covered Entities (CEs) have been required to protect individuals’ personal health information or face hefty fines for non-compliance. The U.S. Health and Human Services Office for Civil Rights (OCR) enforces HIPAA; the fines they have issued have grown exponentially in recent years.
Anthem, one of the nation’s largest health benefits companies, paid a record $16 million in 2018 for a data breach that exposed the electronic protected health information (ePHI) of 79 million individuals. The next largest settlement was $5.5 million, paid by Memorial Healthcare Systems in 2017 for inappropriate access to the PHI of 115,143 individuals.
With increasingly severe HIPAA non-compliance fines on the line, healthcare organizations must exercise extreme diligence in the protection of PHI. But it isn’t an easy task. Compliance requires that CEs adhere to two primary rules: the HIPAA Privacy Rule, which details which data must be protected, and the HIPAA Security Rule, which establishes how that data is protected.
The Privacy Rule defines identifiable health information as demographic data that relates to:

an individual’s past, present, or future physical or mental health or condition
the provision of healthcare to the individual
the past, present, or future payments for the provision of healthcare to the individual

The Security Rule outlines three categories of safeguards – administrative safeguards, physical safeguards and technical safeguards – to help you ensure data is protected and standards are followed accordingly.
Achieving and maintaining HIPAA compliance requires both thoughtful security and ongoing initiative. While there is some irony in providing a compliance checklist when we often hear ‘compliance is much more than checking a box,’ there are program elements that can – and should – be checked off. When marked complete, your level of confidence in your organization’s HIPAA adherence will increase.

The seven areas below have been excerpted from the OCR’s recommended essential elements of an effective HIPAA compliance program.
Complete the following assessments / audits and be able to provide all appropriate documentation that they have been conducted for the past 6 years.
[ ] Security Risk Assessment
[ ] Privacy Assessment
[ ] HITECH Subtitle D Audit
[ ] Security Standards Audit
[ ] Asset and Device Audit
[ ] Physical Site Audit
Educate staff.
[ ] Have all staff members undergone annual HIPAA training, and do you have documentation to prove that they have completed annual training?
[ ] Is there a staff member designated as the HIPAA compliance, privacy and/or security officer?
[ ] Have all staff members received security awareness training and do you have documentation to prove they have completed it?
[ ] Do you provide periodic reminders to reinforce security awareness training?
Conduct risk analyses to assess whether encryption of electronic protected health information (ePHI) is appropriate and provide documentation on the decision-making process.
[ ] If encryption is not appropriate, have you implemented alternative and equivalent measures to ensure the confidentiality, integrity, and availability of ePHI?
[ ] Have you implemented controls to guard against unauthorized accessing of ePHI during electronic transmission?
Implement identity management and access controls.
[ ] Have you assigned unique usernames/numbers to all individuals who require access to ePHI?
[ ] Is access to ePHI restricted to individuals that require access to perform essential work duties?
[ ] Have you implemented policies and procedures for assessing whether employees’ access to ePHI is appropriate?
[ ] Have you developed policies and procedures for terminating access to ePHI and recovering all electronic devices when an employee leaves an organization or their role changes?
[ ] Does your system automatically logout a user after a period of inactivity?
Create and monitor ePHI access logs.
[ ] Routinely monitor logs to identify unauthorized accessing of ePHI.
[ ] Implement controls to ensure ePHI may not be altered or destroyed in an unauthorized manner.
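The two log-monitoring items above are where most ePHI snooping and post-termination access actually get caught. As an added example (not part of the original checklist and not any EHR vendor’s code), here is one way to run that review in Python. The log format, the care-team table, the HR termination feed, the role names and the thresholds are all assumptions for illustration; the log lines are constructed.

```python
"""Added example: review constructed ePHI access-log lines for the
unauthorized-access patterns the checklist asks you to monitor.
Log format, care-team table, HR feed and thresholds are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, one event per line: timestamp,user,role,patient_id,action
SAMPLE_LOG = """\
2019-01-14T09:12:03,jdoe,nurse,P1001,view
2019-01-14T09:15:41,jdoe,nurse,P1002,view
2019-01-14T23:48:10,mlee,billing,P1001,view
2019-01-14T10:02:00,rkim,physician,P2000,update
2019-01-15T08:00:00,tgone,nurse,P1003,view
2019-01-15T11:30:00,jdoe,nurse,P1001,view
"""

# Assumed treatment-relationship table: patients each user is assigned to.
CARE_TEAM = {
    "jdoe": {"P1001", "P1002"},
    "rkim": {"P2000"},
    "mlee": {"P1001"},  # billing staff assigned to this account
}
# Assumed HR feed: accounts whose access should already have been terminated.
TERMINATED = {"tgone": datetime(2019, 1, 10)}
CLINICAL_ROLES = {"nurse", "physician"}
BULK_THRESHOLD = 50      # distinct patients per user per day (assumed)
AFTER_HOURS = (22, 6)    # 22:00 to 06:00 is unusual for non-clinical roles (assumed)


def build_sample():
    """Constructed log: the lines above plus one clerk touching 60 charts in an hour."""
    lines = SAMPLE_LOG
    for i in range(60):
        lines += f"2019-01-16T13:{i:02d}:00,bscan,clerk,P3{i:03d},view\n"
    return lines


def parse(log_text):
    events = []
    for line in log_text.strip().splitlines():
        ts, user, role, patient, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def review(events):
    """Return (finding_type, user, detail) tuples for suspicious access."""
    findings = []
    per_day = defaultdict(set)
    for e in events:
        # 1. Terminated account still active: access was not revoked on departure.
        term = TERMINATED.get(e["user"])
        if term and e["ts"] >= term:
            findings.append(("terminated_account_active", e["user"], e["patient"]))
        # 2. No treatment relationship: possible snooping, violates minimum necessary.
        if e["patient"] not in CARE_TEAM.get(e["user"], set()):
            findings.append(("no_treatment_relationship", e["user"], e["patient"]))
        # 3. After-hours access by a non-clinical role.
        h = e["ts"].hour
        if e["role"] not in CLINICAL_ROLES and (h >= AFTER_HOURS[0] or h < AFTER_HOURS[1]):
            findings.append(("after_hours_nonclinical", e["user"], e["patient"]))
        per_day[(e["user"], e["ts"].date())].add(e["patient"])
    # 4. Bulk access: one user reading many distinct charts in a single day.
    for (user, day), patients in per_day.items():
        if len(patients) >= BULK_THRESHOLD:
            findings.append(("bulk_access", user, f"{len(patients)} patients on {day}"))
    return findings


def summarize(findings):
    """Count findings by type; this is what a daily report would roll up."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    for kind, user, detail in review(parse(build_sample())):
        print(f"{kind:28s} {user:8s} {detail}")
```

In production the care-team and termination tables come from the EHR’s encounter data and the HR system respectively, and the thresholds are tuned per role; the point of the example is that each checklist item maps to a concrete, testable rule over the log rather than to a manual scroll through it.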
Develop policies and procedures for the secure disposal of PHI.
[ ] Develop policies and procedures for rendering PHI unreadable, indecipherable and incapable of being reconstructed.
[ ] Develop policies and procedures for permanently erasing ePHI on electronic devices when they are no longer required.
[ ] Ensure all devices that store PHI are stored securely until they are disposed of in a secure fashion.
Define a clear process for security incidents and data breaches.
[ ] Ensure you have the ability to track and manage all incident investigations.
[ ] Be able to provide the required breach notifications, both for breaches affecting fewer than 500 individuals (reported to OCR annually) and for those affecting 500 or more (reported without unreasonable delay and within 60 days of discovery).
[ ] Implement a procedure by which employees may anonymously report a privacy/security incident or potential HIPAA violation.
Successfully completing this checklist does not guarantee your organization is HIPAA compliant – nor does it ensure that your organization will avoid potential data breaches. However, it will get you off to a very good start. For more information on implementing a successful program, download our whitepaper: Achieving HIPAA Compliance: Your Guide to Avoiding HIPAA and HITECH Penalties. 

3 Lessons Learned from Healthcare Security Breaches

While official numbers for 2018 haven’t yet been released, we know roughly 7 million healthcare records were involved in data breaches this past year. The reasons are tangled and varied, but we can find common themes that can help us learn how to prevent future data breaches.
For starters, the two most common causes for reporting a data breach to the U.S. Health and Human Services Office for Civil Rights (OCR) were: 1) deliberate hacking of IT systems and 2) unauthorized access or disclosure of protected health information (PHI). Though equal in number of incidents, deliberate IT hacking stands alone as the tactic with the greatest success, resulting in over 4 million records swiped.
Attackers didn’t show any deference to the well-resourced UnityPoint Health (1.4 million records stolen) or to federal agencies, such as when the Centers for Medicare & Medicaid Services (CMS) reported unauthorized exposure of its own PHI. In addition to these deliberate assaults, the largest single fine of 2018 was a $4.3 million penalty levied on MD Anderson Cancer Center when the world-renowned oncology research hospital was unable to prove that a stolen device was secure and encrypted.
Naturally, you may conclude that these kinds of incidents are bound to happen. After all, healthcare organizations are brimming with high value data that lures the worst cybercriminals armed with impressive tools and tactics. But under a different reckoning, you can see how every one of these breaches could have been halted.
Lesson 1: Visibility Rules
Whether you are monitoring the data flow between cloud clusters or the cyber hygiene of an endpoint population, keeping eyes on glass is the first step to finding your blind spots and seeing where your data resources are exposed. Think about it, how can you secure what you can’t see? Thankfully, IT asset management is stepping up to the plate and transitioning from being a keeper of inventories to a robust intelligence service feeding critical information to other groups and teams, enriching detection and response to uncover vulnerabilities.
Lesson 2: Configurations Count
We have seen how an AWS Simple Storage Service (S3) bucket can be configured in exactly the way that lets attackers in the door: an ACL grant to everyone, or a bucket policy that allows anonymous reads. We also know that the service ships with all the controls needed to prevent that. So what’s going wrong?
Not only are newer technologies more complex than ever, but with the rise of DevOps and continuous iterations, the services and resources we use are in constant flux. Keeping tabs on the right configurations for the current build and maintaining your own security intent has never been more complicated. But just as we learned in Lesson 1, having an unobstructed view of the attack surface will help to identify where configurations are risky and what steps you can take to restore order. Never has this been more necessary than with endpoint cyber hygiene.
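The S3 case above is concrete enough to check mechanically. As an added example (not code from the original post or from AWS), the following Python audits the three places a bucket becomes public: its ACL, its bucket policy, and the Block Public Access settings. The weak and hardened documents are constructed to look like what the S3 API returns; with real buckets you would feed in the results of get_bucket_acl, get_bucket_policy and get_public_access_block. The account ID and role name are placeholders.

```python
"""Added example: flag the S3 misconfigurations that expose a bucket to the
world. Input documents are constructed; the account ID and role are placeholders."""
import json

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_acl(acl):
    """ACL grants to the AllUsers / AuthenticatedUsers groups make the bucket public."""
    findings = []
    for grant in acl.get("Grants", []):
        g = grant.get("Grantee", {})
        if g.get("Type") == "Group" and g.get("URI") in PUBLIC_GRANTEES:
            findings.append(f"ACL grants {grant['Permission']} to {g['URI'].rsplit('/', 1)[-1]}")
    return findings


def _is_wildcard_principal(p):
    if p == "*":
        return True
    if isinstance(p, dict):
        aws = p.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def audit_policy(policy):
    """Allow statements for Principal '*' with no Condition are anonymous access."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue  # a Deny for '*' is the hardening pattern, not a problem
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Condition"):
            findings.append(f"public Allow for {actions} is gated by a Condition: review it")
        else:
            findings.append(f"public Allow for {actions} on {st.get('Resource')}")
    return findings


def audit_bucket(acl, policy, public_access_block):
    """Combine the three checks; Block Public Access is the backstop for the other two."""
    findings = audit_acl(acl) + audit_policy(policy)
    off = [k for k in PAB_FLAGS if not public_access_block.get(k, False)]
    if off:
        findings.append("Block Public Access settings disabled: " + ", ".join(off))
    return findings


# Constructed: the weak configuration behind many exposed-data headlines.
WEAK_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
WEAK_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::phi-exports/*"}]}""")
WEAK_PAB = {k: False for k in PAB_FLAGS}

# Constructed: the same bucket hardened. Only a named role may read, plaintext
# transport is denied, and all four Block Public Access flags are on.
HARDENED_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]}
HARDENED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "ReaderRoleOnly", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:role/ExportReader"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::phi-exports/*"},
  {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
   "Resource": ["arn:aws:s3:::phi-exports", "arn:aws:s3:::phi-exports/*"],
   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}""")
HARDENED_PAB = {k: True for k in PAB_FLAGS}

if __name__ == "__main__":
    print("weak:    ", audit_bucket(WEAK_ACL, WEAK_POLICY, WEAK_PAB))
    print("hardened:", audit_bucket(HARDENED_ACL, HARDENED_POLICY, HARDENED_PAB))
```

Run across every bucket in the account on a schedule and diff the output against the previous run; that is the “unobstructed view of the attack surface” for this one service, and it catches the DevOps drift the paragraph above describes.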

Devices are teeming with PHI, and users need unimpeded access to critical information to save lives. However, the ability to lay hands on health data is also a focal point for attackers. When countless records sit on endpoints, why go to the trouble of penetrating a well-fortified data center or cloud storehouse when so much is waiting on a device? The trend toward distributed data creates an incentive-rich environment that demands control over every device with maniacal precision. Orchestrating all those controls requires universal control across the endpoint population and endpoint data discovery to pinpoint where sensitive data is riskiest.
Lesson 3: Crowd Sourced Learning Reigns
Healthcare, in some ways, is in a privileged position. With so many federal guidelines and regulations for reporting, there is an ocean of incidents to learn from. Now that the entire industry is held to standard practices, when those protections are breached, everyone gets to hear about it. If we aren’t learning from the failures around us, including those of our peers and the industry leaders we respect, we will be blindsided by a hazard we could have prevented had we taken that knowledge and put it into action.
Take note of the breaches inside and outside of healthcare. Look for common patterns and themes. Crawl your own IT environment and see if similar conditions are ripe for exploit. Being smart is learning from your mistakes, but being wise comes when we also incorporate learning from others’ shortfalls.
To learn more about how to build and implement a sound cybersecurity strategy for your healthcare organization, download the whitepaper Data Breach Prevention for Healthcare: A Best Practices Guide.

The Great Crunch: IT’s Role in Healthcare Consolidation

I don’t possess the requisite wisdom and foresight of someone like Toby Cosgrove, MD and CEO of Cleveland Clinic, who predicts that by the year 2050, there will only be 50 healthcare providers in the United States. Still, when you scan the headlines, you can’t help but see a seemingly unending parade of mergers and acquisitions. Why?
For starters, during the 1980s there was an explosion of group benefits catering to the fee-for-service model. Health Maintenance Organization (HMO) plans started to lose market position to Preferred Provider Organization (PPO) plans in the competition for wallet share, as PPOs offered a wide range of reimbursable treatments without requiring referrals to specialists. Naturally, this led to an expanding empire of services, ancillary care facilities, readily available elective surgeries, a reduced number of primary care providers, and strategically placed hospitals to rope in the greatest number of patients.
Then, we started to look at outcomes. Though there was an increase in patient choice and preferences taking priority of place, the ratio of spending-to-outcomes was dangerously out of balance. Whenever any supply chain (health services included) is fragmented to deliver a service to widespread consumption points, costs rise. The rationalizations for more services by more providers in more places started to show cracks, and now, cost-conscious healthcare providers are joining forces to keep the options consumers crave while removing the enormous expense of satisfying those cravings alone.
For years, IT asset managers have been an afterthought with little recognition for their contributions to deliver care or revolutionize healthcare’s digital transformation. In this evolving landscape, that’s no longer the case. When healthcare providers come together in (somewhat) holy matrimony, IT teams walk to the center of the stage to make sure the marriage is a happy and successful one. Of course, you may find yourself on either of two sides: you could be the health system absorbing a collection of clinics and hospitals or you could be the one getting pulled into the conglomerate. Either way, the stage light is beaming at IT asset managers to make the relationship work.
Let’s look at the role IT asset managers play in healthcare consolidation from both sides.
The Seller
IT asset managers sit at the siphon hose of asset intelligence to identify waste, consolidate technology, streamline workflows, and control the lifecycle from factory to recycling truck. Here, you have the opportunity to polish the apple and create even more value for potential suitors. Before the due diligence, you are impacting the income statement (P&L) to rein in expenses and magnify the effectiveness of the organization’s technology spend: you’re literally changing the bottom line.
This contribution to a successful sale cannot go unacknowledged. IT spending accounts for 8-10% of total spending within a healthcare organization; the same organizations regularly run a 2-3% surplus (profit margin). By carefully and deliberately cutting costs, removing waste, and increasing IT efficiency, you have positioned your organization to command favorable terms and the freedom to hold out for the best offer from anyone wishing to get their hands on the goods.
The Buyer
With another acquisition, IT asset managers have another golden opportunity to stand out and demonstrate their ability to make the acquisition simple and easy. How? With asset intelligence.
Take a seat above it all, identify all the new devices and start the interrogation. You’ll soon discover wasteful inefficiencies, misaligned resources and users, woefully unprotected PHI, and a cohort of endpoints dangerously unhygienic. These assets are now your assets and they need your care and protection. For example, two years ago, you implemented a system to monitor every device, user, app, and data particle with the benchmarks of CIS, HITRUST, and internally calibrated standards. You therefore have a digital tethering technique to hook to any device and never let it out of your sight, allowing you real-time knowledge of the device fleet and the ability to command each one of them from central control.
By removing the sludge and the risks imposed by these additional assets, you’ve rationalized the purchase…and you don’t even work in finance. You don’t calculate net present values or run the value-at-risk models of those Wall Street types. You’re simply doing what every highly skilled asset manager does: you remove the trouble spots before a costly reckoning crushes the grand plans of those who make plans.
The Value of IT
It has been said that IT is the forgotten piece of healthcare, that is, until there’s a problem. But when it comes to the mass consolidation happening all around us, we can see that there has never been a better opportunity to shatter this myth. Whether you find yourself looking at healthcare’s crunch from the seller’s or buyer’s perch, you have a chance to demonstrate just how important IT asset managers are to success. As a seller, you give the organization confidence that everything has been counted, assessed, streamlined, and positioned to attract only the best.  As a buyer, you weave together previously unfamiliar and separate inventories, apps, users, and machines to enable continuity of care and airtight security.
In such a moment, is there any doubt that IT asset managers are the heroes in this story? No one else has the deep understanding of assets and their interactions; of users and their needs; of historical events and the future’s requirements. If you want to see a lucrative exit or courageous acquisition, then recognize the IT asset managers who make it possible.
For more on how much data breaches can really cost healthcare organizations, download our whitepaper The True Cost of a Data Breach: Healthcare Settlements Involving Lost or Stolen Devices.

How HITRUST Can Help You

According to a new study conducted by researchers at Massachusetts General Hospital and published in the Journal of the American Medical Association, the number of annual health data breaches increased 70% over the past seven years. That same study noted that 75% of the 132 million breached, lost, or stolen records were a result of a ‘hacking or IT incident.’ There’s no question healthcare organizations are under siege by cyber criminals and significant improvements in information security are needed to keep up with their evolving attacks.
Staying ahead of cybercriminals is no easy task, so thankfully there are resources available. To help organizations make the needed improvements, the Health Information Trust Alliance (HITRUST), an alliance of healthcare, technology and infosec leaders founded in 2007, publishes the Common Security Framework (CSF) for any organization that creates, stores, accesses or exchanges protected health information (PHI). Unlike HIPAA, a government regulation that establishes the privacy of PHI as a personal right, defines how PHI must be protected, and is enforced through penalties by the Office for Civil Rights (OCR), the HITRUST CSF is a voluntary framework that outlines an efficient approach to both risk management and regulatory compliance.
For more on the difference between government regulations and cybersecurity frameworks, check out my earlier post.
Many organizations think of HITRUST as a cybersecurity blueprint. It uses a comprehensive approach pooled from other frameworks, including NIST, CIS, COBIT and others, and it is organized into 14 control categories (numbered 00 through 13) that can be grouped into 3 primary areas:

User security
Asset security
Data security

Since May, a slew of organizations have worked hard to achieve HITRUST’s newly launched certification, which helps hospitals and health systems deploy, understand and report on their effectiveness against the NIST Cybersecurity Framework and also lets them view their efforts through the lens of the HIPAA Privacy and Security Rules and other regulations. Certifications and scorecards aren’t a silver bullet for healthcare security, of course, but they are certainly a step in the right direction.
Is HITRUST certification for you? Possibly. You can read about the process here. For more on HITRUST, generally, check out my latest Cybersecurity Insights video below.

To stay up-to-date with the latest guidance for your healthcare organization’s cybersecurity disciplines, you can also subscribe to the YouTube channel.
Video Transcript:
Have you ever wondered about the HITRUST Cybersecurity Framework? Well, in today’s episode, I’m going to satisfy your curiosity.
The Alliance is filled with industry vanguards from all sides: payers, providers, medical device firms, and other stakeholders.
They advocate for healthcare organizations and help spearhead policy, but have also published a crucial cybersecurity blueprint, which pools from others: CIS, COBIT, NIST, among others.
HITRUST is a greatest hits collector, distilling a framework from several great artists.
And it comes with 13 control categories that we can bundle into 3 chunks:
– User Security,
– Asset Security, and
– Data Security
When it comes to User Security
HITRUST provides policy guidance that spans the user’s lifecycle: from onboarding, provisioning, authorizing, authenticating, and deprovisioning users.
By controlling who, and in what circumstances, accesses PHI and other sensitive information, HITRUST gives a solid step toward cyber resilience.
Number 2: Asset Security
Looks similar to other frameworks. It starts with asset intelligence to validate resources and confirm their security posture. When controls, configurations, apps, and agents are calibrated for max security, you can say the device has good hygiene. Probably one of the best metaphors in our industry.
Good hygiene = AWWWW!
Bad hygiene = DANGER!
And finally, we come to Data Security
These controls include validating data integrity by looking at inputs and outputs and monitoring data protection to spot problems and mitigate risks.
You can see how this is neatly aligned with our previous discussion on HIPAA and PHI safeguards.
Throughout the security community, we are witnessing a tectonic shift back to the fundamentals. The HITRUST framework is one such example. By applying these controls, healthcare organizations can make the leap to stronger cyber resilience by focusing on the three areas: User security, Asset security, and Data security.
Follow the blueprint, become resilient, win the game.
That’s it for today! And in future episodes, I’ll give you the rundown on more ways to improve cyber hygiene and stay strong in an uncertain world.

HIPAA Security Rule: Protecting Privacy and Improving Patient Care

In my previous post, we looked at the HIPAA Privacy Rule which mandates data protection of health information as a civil right. Boiling the rule down to its simplest form, HIPAA Privacy lays out what data requires protection and who is held accountable for keeping it confidential. However, it’s the HIPAA Security Rule that tells us how that data must be protected.
Three Security Safeguard Categories
The Security Rule calls for specific safeguards across three primary categories:


Administrative safeguards are the procedures, training, and processes that foster data privacy and align with HIPAA standards.
Physical safeguards are used within material structures (server cages, workstations, etc.) to secure data on the tangible attack surface.
Technical safeguards are the technology, and the policies and procedures for its use, that control access to and use of ePHI.
As with all things in security, these safeguards are far from a one-and-done exercise. Data and devices are constantly on the move: continuous visibility is key.
When we hear about a government agency ‘providing guidelines’, we think one thing: compliance. Or more accurately, two things: compliance and the staggering costs to comply. This is valid thinking, of course; the high price tags associated with HIPAA violations are intentionally painful to offending organizations.
Avoiding fines for failed compliance, along with the short- and long-term expense of a data breach, remains a top priority because dollars paid to cover penalties are no longer going to patient care. For organizations handling PHI, new, forward-thinking technologies demonstrably improve outcomes and help to create an integrated health ecosystem with the patient as everyone’s primary objective. According to the Department of Health and Human Services, the whole purpose of the Security Rule is to “protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care”. To be sure, walking the tightrope between superb care and maniacal data protection is no easy task.
Complying with HIPAA requires significant planning, resources, teamwork, and continuous vigilance. Thankfully, enforcement agencies recognize this burden. Recently, penalty waivers were granted to providers along the East Coast serving the recovery effort after Hurricane Florence. However, the waiver applied only to certain HIPAA Privacy Rule provisions, to encourage the sharing of critical information to save lives; the Security Rule remained in full force. The Security Rule’s safeguards, HHS reasoned, should already be in place before any emergency, so no waiver was offered to those violating the foundational security safeguards for PHI.
Hungry for more? My latest video on Cybersecurity Insights provides quick hits on the HIPAA Security Rule. If you’re a greenhorn to HIPAA or if you’re the kind of person who can audit in your sleep, the video gives you a fresh perspective on how we approach the HIPAA Security Rule.
HIPAA Security Rule
Subscribe to the YouTube channel and stay up-to-date with the latest guidance for your healthcare organization’s cybersecurity disciplines.
Video transcript:
Welcome back! Josh here from Absolute.
If you recall last time we saw how the HIPAA Privacy Rule tells us WHICH data need protection.
In this episode, we’ll explore the HIPAA Security Rule to see HOW to protect that data.
The security rule spells out safeguards that are like having a map, a compass and coordinates that guide you toward Data Protection Utopia.
There are three safeguard buckets:
– Administrative,
– Physical and
– Technical.
Administrative safeguards create an atmosphere where data protection is just woven into the day-to-day operation.
Physical safeguards are the observable and tangible garrisons for PHI. Things like locked rooms, server cages, secure workstations, disposal facilities…
Then, there are Technical safeguards, where technology itself gets pressed into service to shield our most valuable data.
Access Controls enable users to get to the minimum necessary to prevent unauthorized access to PHI.
Audit Controls are the hardware, software and procedures that examine systems to validate those defenses. That’s right! There is a federal law demanding that every device, app, server, network connection and so forth, all go under the microscope.
Integrity controls help to make sure that health data is never altered or destroyed in any unauthorized way. This is probably the biggest challenge when scaling Mt. HIPAA-Compliance.
Recently a federal judge upheld a penalty for more than four million dollars on a world-renowned health care provider, when they were unable to prove that a missing laptop was secure.
That’s expensive!
Administrative, Physical and Technical safeguards are not suggestions, but legal requirements for anyone working with health data.
Protecting PHI is hard. Protecting PHI on far-flung devices is even harder! But when you have a line-of-sight and continuously monitor all the pockets where PHI can hide, you can leap over those hurdles and satisfy the Security Rule.
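The integrity and audit controls described in this section (ePHI must not be altered or destroyed in an unauthorized way, and the audit trail must be able to show what happened) are the ones most often left as a policy statement rather than a mechanism. As an added example, not Absolute’s or HHS’s code, the following Python shows the two mechanisms a practitioner would reach for: an HMAC seal that binds every field of a stored record so an unauthorized edit is detectable, and a hash-chained audit log in which deleting or rewriting an entry breaks every link after it. The record fields and events are constructed, and the in-source key is a placeholder standing in for a key that would live in a KMS or HSM.

```python
"""Added example: tamper-evident seal for stored ePHI records plus a
hash-chained audit trail. Record contents are constructed; KEY is a
placeholder for a key that would be held in a KMS/HSM in real use."""
import hashlib
import hmac
import json

KEY = b"demo-key-not-for-production"  # assumption: never keep a real key in source
GENESIS = "0" * 64


def canonical(obj):
    """Stable byte encoding so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal(record, key=KEY):
    """Return the record with an HMAC-SHA256 tag binding all of its fields."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed, key=KEY):
    """True only if no field changed since sealing; constant-time compare."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


class AuditChain:
    """Append-only log; each entry commits to the hash of the one before it."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"prev": prev, "event": event}
        self.entries.append({**body, "hash": hashlib.sha256(canonical(body)).hexdigest()})

    def verify(self):
        """Index of the first broken link, or -1 if the whole chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {"prev": e["prev"], "event": e["event"]}
            if e["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != e["hash"]:
                return i
            prev = e["hash"]
        return -1


def demo():
    """Walk both mechanisms through a tamper and report what each detects."""
    # Constructed record: an allergy list an attacker might silently blank out.
    rec = seal({"patient_id": "P1001", "mrn": "00042", "allergies": ["penicillin"]})
    ok_before = verify(rec)
    rec["record"]["allergies"] = []          # unauthorized edit outside the application
    ok_after = verify(rec)                   # seal no longer matches

    chain = AuditChain()
    for ev in ["login jdoe", "view P1001", "update P1001 allergies", "logout jdoe"]:
        chain.append(ev)
    intact = chain.verify()                  # -1: nothing wrong yet
    del chain.entries[2]                     # attacker removes the incriminating entry
    broken_at = chain.verify()               # link at index 2 no longer matches
    return ok_before, ok_after, intact, broken_at


if __name__ == "__main__":
    print(demo())
```

The seal answers “has this record changed outside the application?”; the chain answers “has the audit log itself been edited?”. Neither prevents an authorized user from making a bad change, which is what the access controls and log review earlier on this page are for; they make sure such a change cannot be hidden afterwards.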