Cybersecurity: The enemy is already inside the gate

Recent reports show patient record breaches reached an all-time high in the first half of 2019 – specifically, in the form of hacking, according to Cheryl Martin, chief knowledge officer for the American Health Information Management Association.

To block the entry points for hackers, healthcare organizations need to look beyond plugging the gaps to block access.

"The enemy is already inside the gate," Martin said.

Cybersecurity strategy has evolved as the number of attacks has gone up with digital access to health records.

Yet the perception among health organizations is, "'Here comes IT again, asking for more money,'" said Martin, who has a background in health information management and who has been a CIO for smaller health systems.

"Make sure to include the right people in the risk assessments," Martin said, "not just IT.  The health information management people know where all the data and patient data is. The C-suite, it's important they be represented. When you ask for the money, it's understanding this is not another toy, this is crucial."

Ed Zacharias, a partner at the health law firm McDermott Will & Emery, often consults with clients after a breach.

It seems like a simple concept, but one of the key steps for a health system is to understand where all of their PHI data is: how it comes in, how it's processed and stored, and how it goes out. But data passes through so many different touch points, this can be a tough assessment.

"The number of times I'm advising clients on a breach and they say, 'I didn't even know we process this on this system,'" Zacharias said.

Having a person within the organization who has an understanding of where the information is, who's accessing it and how many systems touch it is a legitimate job function, he said. This establishes accountability.

"Keeping track and managing that is a critical component," he said.

One way to do this is a data mapping exercise.

"Owning that exercise internally is something that identifies those vulnerabilities," Zacharias said. "The more devices that are connected, that just increases the potential risk landscape."

The enemy within often gets access through spoofing attacks and phishing scams that target staff emails.

Martin said nine times out of 10, it's a phishing attack that gets hospitals in trouble with their own security protocols.

Revenue cycle is particularly vulnerable.

Instead of gaining information to extort money, these hackers just ask for the money to be sent directly to them, by gaining control of a more senior person's email information and sending it out to an employee with the instructions to please pay this invoice directly.

"It looks like it's coming from a senior executive," Zacharias said.

Complying with HIPAA and government security regulations can be challenging, Zacharias said. While the government looks at a hospital's risk assessment report to determine what is reasonable, what the government thinks is reasonable and what the hospital thinks is reasonable are often miles apart.

"From the government side, you almost always see they failed to conduct a risk analysis," Zacharias said.

RECOMMENDATIONS

The best way to defend against cybersecurity attacks is to develop a robust, tested cybersecurity plan.

AHIMA recommends:

• To mitigate future data breaches, healthcare organizations first need to understand and accept why they are being breached. Healthcare information and data assets are neatly packaged into health records and collected in databases, storage systems and applications.
• Healthcare organizations need to identify the systems containing valuable information and data assets and apply layered security controls to those systems. This needs to be combined with the adoption of a security framework or guide such as the Health Information Trust Alliance Common Security Framework (HITRUST CSF) and the Essential Eight released by the Australian Cyber Security Centre (ASCS).
• Successfully developing and implementing a cybersecurity plan requires the participation and support of organizational leadership as well as cybersecurity expertise. There is a high demand for cybersecurity and a limited talent pool. Because of this, it might make sense for small-to-midsize hospitals to partner with an outside cybersecurity firm for their guidance and expertise. The day to day operational security should still be managed by an internal team.
• Organizations need to consider the negative implications of outsourcing, such as failing to meet expectations, differences in company culture, and the outsourcing company going out of business. The hybrid approach creates a situation where the internal team can be supported and developed until outsourcing becomes ad hoc.
• Interoperability of the various hospital portals that contain a patient's health information is a vital driver for patient engagement. Cybersecurity and interoperability should both be considered high priorities.
• Security should not be considered a potential hindrance to patient engagement. It can certainly be accomplished without a negative impact. This can be managed by adopting a security standard or framework that extends to secure interoperability. This will ensure appropriate security measures from authentication through secure transmissions are implemented. In addition, hospitals need to ensure business associates have also adopted a similar security standard.

Twitter: @SusanJMorse
Email the writer: susan.morse@himssmedia.com