
There is one industry that I have not yet covered in any depth as it relates to Cyber security, and that is the healthcare industry.  This is a market segment where confidential information and data are most at risk, and while there are Federal legislation and mandates in place to protect it, such as HIPAA, it still lacks adequate levels of Security.

This is according to the latest survey, known as the “Verizon Protected Health Information Data Breach Report”, or “PHIDBR” for short.  Some of the key findings of this survey were that:

*58% of all security incidents involved Insider Attacks;

*70% of all of the External Attacks involve the use of Malware, especially that of Ransomware.

It was noted that all healthcare organizations, whether they are hospitals or insurance carriers, are at risk of Cyber-attacks and the theft of Patient Health Information (PHI).  According to the report, it seems that nobody really fathoms the gravity of what a Cyber attack can mean, and the financial toll that it can take on the healthcare industry.

For example, if you were hit by a Cyber-attack, not only would you face the stiff penalties imposed under HIPAA, but there are other costs as well, which include the following:

*The attendant costs of notification;

*Credit report monitoring for affected patients;

*Reputational damage;

*Ultimately, the loss of patients.

It is also important to keep in mind that addressing the Cyber threat landscape does not fall solely onto the IT Department.  It affects each and every individual who works for a healthcare organization, and everybody must think with this mindset.  So, what steps can a healthcare organization take to help ensure that it does not fall victim to a Cyber-attack?  Here are some key takeaways:

  • Ensuring high levels of visibility:

This simply means that all employees of a healthcare organization must be cognizant of any unauthorized changes and misconfigurations on all critical assets, especially as they relate to PHI.  This may seem like a hard task to accomplish, and granted, there is a lot to keep track of, especially if you are a large health provider.  But if you implement the right file integrity management and secure configuration management tools, it becomes much easier to track any unauthorized changes in your PHI and related datasets.  Coupled with these tools, your healthcare organization should also implement a vulnerability management package to help alert you to any unintentional or malicious changes in your IT environment.

  • Having the right process in place:

Although you may have implemented the right Security Technology tools in the last step, it is also extremely vital that you have the right process in place in order to garner the maximum benefit from them.  Not everybody is going to be in favor of following this process, and you may even have some employees who will not participate in it at all.  In this case, it is imperative that you break the process down (perhaps by individual department, such as Accounting, Finance, IT, HR, etc.) so that it is manageable for all employees.  Equally important is that you present this distilled process as an end-to-end solution, so that employees can see the value in what they are contributing towards.  By doing this, your employees will be motivated to maintain better levels of “Cyber Hygiene”.

  • Maintain compliance:

As discussed before, all healthcare organizations (even those with only a remote association to the industry) are bound by the stringent rules of HIPAA.  This means that your organization can face an audit at any point in time.  Most healthcare businesses and corporations take the approach of “Point in Time Compliance”.  This simply means that they ramp up compliance efforts just before the HIPAA Audit, in order to make it look as though they are always compliant, when the truth of the matter is that they are not.  Preparing for these kinds of audits can be very costly, so wouldn’t it make more sense to maintain a continuous environment of compliance, so that you are always ready for a HIPAA Audit?  This can be accomplished simply by using the tools described in Point #1.  For example, they contain out-of-the-box, audit-ready reports.  The end result is that your organization is secure and is able to prove compliance to auditors efficiently.
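To make Point #1 (detecting unauthorized changes and misconfigurations on critical assets) and Point #3 (having audit-ready evidence of that monitoring at any moment) concrete, here is a small file-integrity baseline and drift check.  It is an added example written for this post; it is not code from the original article or from any of the tools mentioned, and the sample "PHI" directory, file names and the simulated change are all constructed for the demonstration.

```python
"""Minimal file-integrity baseline and drift report (added example, not from the original post)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large exports do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Snapshot every file under root: content hash, size and permission bits.

    Permission bits are recorded so that a loosened mode (for example a PHI
    export made world-readable) shows up as a modification, not just content edits.
    """
    root_path = Path(root)
    snapshot = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_file():
            st = p.stat()
            rel = p.relative_to(root_path).as_posix()
            snapshot[rel] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    return snapshot


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into added / removed / modified file lists."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        f for f in set(baseline) & set(current) if baseline[f] != current[f]
    )
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        "clean": not (added or removed or modified),
    }


def drift_report(result: dict) -> str:
    """JSON evidence an auditor can read: what changed since the approved baseline."""
    return json.dumps(result, indent=2, sort_keys=True)


def demo() -> dict:
    """Constructed scenario: a config flag is flipped and an unapproved export appears."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed sample data standing in for a PHI store and its configuration.
        (root / "patients.csv").write_text("id,name\n1,constructed sample\n")
        (root / "db.ini").write_text("[storage]\nencrypt_at_rest=true\n")
        baseline = build_baseline(d)

        # Simulated unauthorized changes between two monitoring runs.
        (root / "db.ini").write_text("[storage]\nencrypt_at_rest=false\n")
        (root / "export.bak").write_text("unapproved copy of patient data\n")

        result = compare(baseline, build_baseline(d))
        print(drift_report(result))
        return result


if __name__ == "__main__":
    demo()
```

In practice the baseline would be signed and stored somewhere the monitored hosts cannot write to, and each scheduled comparison would be retained as the continuous-compliance record Point #3 asks for, rather than assembled in the days before an audit.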

My thoughts on this?

I used to be a contract tech writer for Blue Cross/Blue Shield of IL, and the most interesting aspect of this was that during my tenure there, the company faced a serious Cyber-attack which involved the theft of PHI.  But the difference was that not only was my manager found at fault, but also all of the other IT Staff who had responsibility for maintaining those databases.

After that, they went to work immediately to repair the damage.  This is just an example of how all parties need to share the responsibility if they have been breached.  But at that time, Blue Cross/Blue Shield was also implementing a process in which one password could be used to access all of their online portals.  I still question to this day if that had anything to do with the Security breach just described.

Another tool that healthcare organizations should consider using is Biometrics.  At least this is one way of guaranteeing that only authorized workers are getting access to the PHI.  But this is not a magic solution either; it should be used in conjunction with other layers of Security for maximum benefit.

The steps that I have outlined in this blog are of course general in nature, and if you are the CIO or CISO of a healthcare organization, you should seriously consider hiring a Cyber security firm to help set these steps in motion in a way that is specific to you.

Finally, the Verizon report (as described earlier) can be accessed at this link: