This is a piece on healthcare security from Mark Beckmeyer, Binary Fountain’s Director of IT Security. Mark’s 30+ years of experience give him insight into evaluating, implementing, and maintaining security compliance programs within healthcare entities.
Healthcare Security and Privacy as Corporate Culture
Common threats to healthcare IT security include hacking attacks, ransomware, PHI exposure, and HIPAA violations. These threats occur at the operational level, but a key component in defending against them is a security-minded corporate culture.
An active, involved Chief Security Officer must work with compliance executives to drive the organization. They need to ensure it stays current on security innovations and evolving threats. They must continuously adopt and implement IT safeguards and enforce privacy and security policies with regular awareness and training updates.
Healthcare Data is a Primary Target of Malicious Activity
Many of healthcare’s evolutions have been progressing at breakneck speed, but until recently its embrace of security lagged behind.
Pre-HIPAA, you could stand at a nursing station in just about any hospital or clinic and see patient forms and files everywhere – in paper folders, not digital ones. When you walked into a patient’s room, there would nearly always be a clipboard filled with medical notes and observations. Back then, you would not find much security to stop an inquisitive visitor from peeking. Information that’s protected by law today was supposed to be private, but there was not a requirement to protect and secure Protected Health Information (PHI).
Healthcare data has also been a primary target of malicious activity, putting PHI more at risk. There are several reasons for this. One is the centralization and the sheer quantity of patient and provider data.
Another is history: for example, the banking industry was light years ahead of healthcare IT in strengthening security, so the value of stolen credit card numbers became less attractive in comparison. Victims can close and reopen financial and credit accounts. In contrast, victims can’t cancel and reopen their health information.
As a result, the permanence of stolen health information means that the illicit market pays more for it. It can be used for deeper identity theft, as well as for filing lucrative fraudulent medical insurance claims. By some estimates, stolen medical records are around 20 times more valuable on the dark market than financial records.
Management Sets the Tone
In the 2017 attack on Equifax, hackers exploited a security flaw to steal records of 143 million people. The stolen records included names, birth dates, Social Security numbers, and more.
The company eventually admitted learning of the vulnerability two months before the attack. As a result, the CIO and CSO were fired. If the company had set higher security standards from the top down, would the flaw have been patched sooner?
In my career, I have seen proactive organizations embrace security and reactive organizations leave themselves open to security risks. Executives must think of security not as an expense to the company, but as an investment in the company. If top management doesn’t understand the ROI of security, the resulting lack of commitment can have costly consequences.
One such example is a large health insurer that didn’t act on an on-site risk assessment. The assessment revealed that their data center had no backup power supply. The company chose not to address the problem quickly. As a result, a hurricane knocked the data center out of service soon afterward.
That insurance company was reluctant to invest a small amount to ensure the uninterrupted operation of vital systems. Ironic, right?
Top management should never be stuck saying, “We didn’t know about this vulnerability” when a breach happens. C-level executives must engage in a regular back-and-forth with IT and security managers. They must reinforce a cultural commitment to security and receive regular reports from the operational staff. Details like making security a standing topic of weekly staff meetings can go a long way toward supporting communication.
Otherwise, management forfeits the chance to set the tone. It can leave itself in the dark about emerging risks and about the response to actual breaches.
Exceptional Healthcare Security Means No Exceptions
Even more dangerous, management sometimes behaves as if security standards don’t apply at their level. In one case, staffers used secure servers to store personal music files. In another, a CIO actually helped architect an internet access system that bypassed security.
By some estimates, internal threats are a factor in up to 90% of all breaches. No employee, no matter their level of importance, should ever be allowed to compromise the organization’s approach to security.
Compliance Is a Milepost, Not a Destination
Management sometimes makes the mistake of checking off regulatory and procedural boxes as the end goal. This may be due to a lack of vision or misperception of the true cost of lax security.
As important as HIPAA compliance and SOC 2 certification are, they are mileposts on the road to information security for health systems. Management must not treat healthcare security as a one-time destination.
Continual security evolution will be essential as internet usage rises, privacy rights awareness grows, and legal threats over privacy violations increase.
Best Practices With Staff
It’s common for people in IT to fulfill multiple roles. However, best practice argues against putting the same person in charge of both IT and security, because it can lead to blind spots. It’s not easy to design a demanding penetration exercise against IT systems you built and run yourself.
Ideally, every employee’s performance evaluation should include criteria for meeting security goals. They should receive positive points for training and awareness participation, as well as negative points for actual breaches.
Support Patient Data Security
Reputation managers recognize that well-implemented and well-maintained security is an investment worth making.
Beyond protecting PHI, a good reputation for security can offer a competitive advantage for attracting new patients. With so many recent breaches, we can expect that nearly every patient is more aware of security. They are beginning to recognize it as a risk factor in healthcare. There’s a high chance that everyone knows someone who has been affected.
Reputation managers may not need to be security experts, but it’s useful to be familiar with the latest developments. This helps to keep your organization and its patient data safe and secure.
Data security needs to be taken seriously and should be a high priority for healthcare organizations.
Healthcare Security Excellence at All Levels
An organization’s culture of security should commence at the very top. It must extend from the board of directors to the C-level executives and throughout all levels of the workforce. Establishing safety and security as a performance metric helps keep awareness high and demonstrates the tangible commitment of the organization to effective security.
We hope that every healthcare organization and practice will work to be the best of the best.
Do not measure excellence by budget size. Instead, measure it by the strength of the commitment to excel at security. It’s a commitment to operate at a level well above the minimum standards of compliance.
Mark Beckmeyer, D.Sc., CISSP, is Binary Fountain’s Director of IT Security.
Do you have a healthcare information security concern or question? Let us know what’s on your mind, and look for answers to your concerns in future posts from Mark.