As a Fellow of the Institute for Critical Infrastructure Technology (ICIT), I was able to contribute my expertise to the legislative brief entitled “Hacking Healthcare in 2016: Lessons the Healthcare Industry can Learn from the OPM Breach.” In the brief, the ICIT provides a comprehensive assessment of the threats and healthcare trends that have the greatest impact on health sector security, as well as solutions and strategies to improve resiliency. The report draws from the OPM breach, which is a prime example of the enormous consequences an organization can face by not maintaining and protecting integrated systems.
Specifically, this brief details:
- The Healthcare System’s Adversaries (script kiddies, hacktivists, cybercriminals, cyberterrorists and Nation State Actors)
- A Multi-Pronged Approach to Meaningful Cybersecurity (people, policies & procedures and technical controls)
- Healthcare in a Digital Age (IoT, sensors, telehealth, remote monitoring, behavior modification devices, embedded devices, mobile applications and data sharing in the Cloud)
- Legislation and Collaboration (21st Century Cures Act, telehealth solutions for veterans, telehealth access expansion, prescription drug monitoring, EHR interoperability, mHealth IRB)
My contribution focused on the ever-increasing risk surface and the causes of data loss through theft and error. It has been 20 years since Congress passed and President Clinton signed into law the Health Insurance Portability & Accountability Act (HIPAA). This law was created so that people could leave a job, maintain healthcare, and ensure their patient records were safe. The legislation recognized the risk factors for patient data loss and misuse, so HIPAA guidelines seek to protect how patient data is stored, used and shared.
Fast-forward 20 years and the risk surface has grown significantly. The complexity of the healthcare system today leads to a situation where there are too many healthcare providers, payers, and even patients — with too much access, with too much privilege, with too many passwords to too many resources. Data can no longer be protected by vigilance on the firewall. Sure, you need to maintain strong firewall practices, but the fact of the matter is that the firewall is no longer the perimeter. Gaining control of a healthcare payer, provider or patient user ID and password can lead to insurance fraud or unscrupulous activity in healthcare drug and/or device sales that could be costly. This cost goes directly to healthcare cost — meaning you, your employer, and the government — so more taxes on us.
Well-respected organizations have determined that the leading cause of nearly 100% of data breaches is compromised user identities. Healthcare is no exception when it comes to the cause of patient data loss. Healthcare payers and providers must share patient information in order to do their jobs. Even patients are now accessing their own data to share information about themselves, their insurance and workplace. All of this information is in a multitude of places and is accessed by health industry workers' and patients’ user identities via laptops, desktops, phones and tablets. Identities are now the perimeter of any organization, and they must be secured and protected.
So what can we do? In order to reduce an organization’s risk surface, the identities must be protected and secured. Access should be significantly reduced to what is needed for an individual or group to do their work. Privilege should be very specific and able to be audited to ensure people have the right access and privilege. Passwords should be minimized to one per person or eliminated and replaced with a smartcard and multifactor authentication (MFA) solution. The use of solutions that require a “have something and know something” access methodology is effective because that makes it difficult to steal both something physical that you have and something in your head.
Organizations should leverage current technologies for a single identity repository to provide rights to access resources instead of user accounts. Remove the use of VPNs to access on-premises resources and use direct connections that leverage rights, so that it is difficult for the thief to become you and any damage is minimized if someone somehow steals your identity. Employ solid mobile device and application access management capabilities. Don’t make it difficult for the users to use the resources. Otherwise, healthcare workers will find a way around it, patients just won’t bother to access the resources, and your efforts will be ineffective.
Any solution employed to manage access, privilege and identities needs to be easy to set up and easy to use for both administrators and users. The solution must cover the entire environment to be effective, consistent and cost-effective. Avoid the “Frankenstein solution set” model. One point product that addresses the cloud apps, another that addresses the data center, yet another that addresses mobile, and a fourth that deals with patients or partners outside your organization will make for silos that protect your identities very inconsistently across the entire environment. Silos will add weight, produce ineffective results that are difficult to report on for oversight, and add cost to your efforts. Users will get frustrated with all the different ways they need to manage all their tools. Patients will just give up even trying to access and add their data. Again, users will find a way around these difficulties and your risk surface will remain.
It is important to look for an identity platform that is developed as a single architecture that covers your entire environment. The platform needs to add value to existing technologies and solutions that are part of the security stack and overall infrastructure. This platform should provide a single identity using smartcards and MFA to access resources containing patient records regardless of where they reside. The platform should offer auditing, granular access control, isolation of resources, and reporting of all access to privileged information and activity across the cloud, data center and mobile environment, to ensure easy, complete reporting of activity for oversight. Users will enjoy easy access to their resources. Securing and protecting user identities using these tips will significantly reduce your organization’s risk surface.