Tackling security vulnerabilities in health care
Network security is critical for any organization, but in the health care space, with the personal and medical details of millions of individuals in the balance, the stakes are even higher. Out-of-date software, unimplemented patches, or even outdated passwords could be the vulnerability that exposes the sensitive information of an innocent and unsuspecting patient base. Two recent security breaches suffered by prominent U.S. health insurers highlight these vulnerabilities.
In February, Anthem Inc., the second-largest health insurer in the U.S, revealed that a previously-disclosed hacker attack compromised the health care records of as many as 80 million individuals. A few weeks later, Premera Blue Cross reported that the personal, bank, and health data of an estimated 11 million individuals was exposed when hackers penetrated its system in a similar assault.
These two high-profile security breaches have intensified the spotlight on data security, and raised several important questions for health care organizations (what HIPAA calls “connected entities”) and groups that provide supporting services to health care entities (called “business associates”). These groups should be asking the following questions:
- Why didn’t HIPAA compliance prevent the attack?
- Could this happen to our organization?
- What should we be doing beyond HIPAA to assure the security and privacy of patient data?
There may never be complete agreement on the answers to these fundamental questions, but most health care professionals will agree that all organizations involved in the handling or storage of patient information need to do more to protect patient data.
The Premera breach exemplifies concerns that even HIPAA-compliant organizations could have deficiencies in certain security practices, increasing the vulnerability of their systems and data. In the near-term, health care organizations must improve network monitoring to detect and respond to attempted breaches, ensure consistent implementation of configuration standards, offer better patch management, tighten controls over user accounts and user authentication, and properly encrypt health records stored within systems or databases, including data at rest as well as data in transit. But these are tactical issues.
On a strategic level, to address the question of whether patient health care information is properly secure, organizations must approach the HIPAA rules not merely as a checklist for avoiding fines, but as a framework for implementing and maintaining a functional information security program for your organization.
HIPAA compliance can equal security
Security is really about risk, and managing risk requires understanding your network and business. Well-informed decisions about security measures, practices, and technologies depend on an organization’s desired risk posture and require the organization to:
- Assess how data is stored, accessed, and managed.
- Identify current vulnerabilities and threats.
- Perform a risk assessment based on collected information.
- Implement solutions and countermeasures consistent with your risk tolerance.
- Allocate the right resources (time, money, and people).
Health care organizations need to take inventory, understand the unique circumstances of their operations, and use the HIPAA security rules as a basis for understanding the security processes or solutions that are required to protect patient health care data effectively.
There are no silver bullets or quick fixes for health care security
Physical health and network health are more similar than you might think. Medical professionals will tell you there is no good substitute for living a healthy lifestyle, including a balanced diet, exercise, reducing stress, resting, and periodic checkups. Too often though, folks would rather spend their money on a magic, appetite-suppressing pill or buy the latest exercise equipment that promises to shed pounds for a brief investment of minutes per day.
The same is true for the security of networks and technology. Rather than investing in sound practices, processes, tools, and periodic checkups, too many organizations look for a single, automated solution that greatly reduces or eliminates the need to practice sound security. If health care organizations really want a healthy and secure network, they must engage in multiple activities that work together to provide a secure environment.
Practical first steps to reinforce data security
Health care organizations grappling with questions such as “How do we do better?” or “Where do we start?” can follow some basic first steps derived from the 2013 HIPAA final omnibus rule. These prescribed steps include:
- Assign ownership: Name a privacy/security officer who is responsible for your data security and compliance programs.
- Find the sensitive data: Identify the location and data flows of patient health care information (PHI) in your environment.
- Conduct a risk assessment: Audit your network to understand how patient data is stored, managed, and secured.
- Publish an information security policy: Creating formal, written documentation of all policies and procedures is essential.
- Provide security awareness training: The human element is very often the weakest security link, so it is essential to train personnel on the appropriate behaviors as well as the reasons why their role is critical in the security of PHI and overall compliance.
Continuous network monitoring for health care
While no single or point technology solution can completely solve an organization’s security needs, there are solutions available that help organizations maintain an acceptable risk or security posture by providing a near real-time and ongoing view of network operations. The key controls available in these continuous monitoring solutions align themselves closely with the required indicators, such as:
- Finding PHI by identifying all assets and data flows within your network.
- Identifying the weaknesses that may have prevented these recent breaches, which include discovery of vulnerabilities, misconfigurations, or missing patches.
- Monitoring and detection of malicious events that could indicate attacks, and enabling early detection to minimize damage and data loss.
The bottom line is that health care businesses must take a holistic view of their organization and its security goals to protect patient health data as well as other sensitive information. Continuous network monitoring provides this insight while at the same time providing evidence that your organization is compliant with HIPAA security rules and maintaining a secure risk posture.
Jeff Man is a Tenable strategist specializing in compliance. He has over 30 years of information security experience, including cryptography, information security, and most recently PCI. Jeff has served as a QSA and trusted advisor for both VeriSign and AT&T Consulting. As an NSA cryptographer, he oversaw completion of some of the first software-based cryptosystems ever produced for the high-profile government agency.