How mature is your healthcare security program?

By Keith Tyson and David Houlding

Breaches in security are a thorn in the side of the healthcare industry, and show no signs of abating soon. A cursory look at major headlines substantiates this trend: “Healthcare accounts for 21 percent of data breaches worldwide”, “81 percent of hospitals and health insurance companies breached”, “Healthcare Data Still Vulnerable as Another Breach Occurs”, and so on.

According to the Ponemon Institute’s Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, healthcare organizations manage a treasure trove of financially lucrative personal information and typically do not have the resources, processes, and technologies to prevent and detect attacks and adequately protect patient data.

Within the last few years alone, a rash of hacks, breaches, and other intrusions have cost the healthcare industry as much as $6 billion per year. In the battle against breaches, understanding of the enemy isn’t enough to win. You also need to better understand yourself. To manage breaches in a sustainable and simplified manner, maturity models offer a proven approach to quickly assess your own security posture, identify gaps and the steps needed to improve or further mitigate residual risk. An example of a maturity model is HIMSS’ Electronic Medical Record Adoption Method (EMRAM), which is an eight-step process that enables healthcare organizations to analyze their level of EMR adoption, chart their accomplishments, target next steps to improve, and track their progress against other healthcare organizations across the country. A maturity model method for healthcare security breaches focuses on identifying where your safeguards don’t measure up with established best practices, enabling you to make more concise decisions about where and how to invest future security spending and resources.

The challenge of constrained resources

Effective mitigation of any one type of breach is complex, requiring multiple layers of safeguards for defense-in-depth protection. This complexity increases exponentially when all of the different types of breaches are considered together. But most organizations’ security programs are constrained by available budget and resources, which are rarely sufficient to deploy all the defenses the organization needs at one time. That’s why healthcare organizations need an incremental approach to security: adding defenses layer by layer, like an onion, over multiple years, keeping each layer within annual resource and budget constraints, and focusing efforts on the weaknesses identified in an assessment.

A place to start is the three most common breach risk scenarios:

  • Loss/Theft of Mobile Device containing electronic patient data: According to the U.S. Department of Health and Human Services website, there were 97 breaches of this type involving 500 or more patients in 2014, and 46 so far in 2015.
  • Insider Accidents/Workarounds: A healthcare worker shares sensitive patient data with a co-worker using a personal mobile device and a third-party application that is out of compliance with policy, leading to unauthorized access. In PWC’s Global State of Information Security Survey 2015, more than two thirds of respondents said current or former employees were the most common source of security incidents detected, pointing to insider accidents and workarounds or, in worst-case scenarios, malicious acts by a disgruntled employee or fraudster.
  • Remote Cybercriminal Attack: In 2014 it was widely reported that the FBI issued a private warning to healthcare providers that the industry was not as prepared to deal with cyberattacks as the financial and retail sectors, and that increased attacks were likely. This points to yet another source of breaches – cybercriminal attacks.

Each of these scenarios presents unique challenges that can be addressed using the maturity model. Start by analyzing your accomplishments, comparing your operations to best practices. Identify gaps and target next steps to improve. Benchmark your progress against other healthcare organizations that have succeeded in adopting a higher level of security.

Because many breaches originate with end users, whether well-intentioned, accidental or malicious, be particularly attuned to these risks. User security awareness training is a key part of improving security, critical to establishing a culture of security. But don’t depend on users to follow through on complex security protocols. Remember that most of these users are involved in patient care and security will not, and indeed shouldn’t be, their highest priority. Assume that patient care staff (and other users with heavy workloads or pressing deadlines) will adopt workarounds if security creates roadblocks or inconvenience. Whenever possible, build security into the DNA of your systems and depend less on end user follow-through.

A maturity model also provides a multi-year roadmap for organizations to incrementally improve security and lower risk while keeping within limited annual budgets and resources. A good roadmap enables security leaders to make informed decisions about what investments to make in cybersecurity and human capital initiatives.

By combining a layered approach to security with a maturity model focused on breach risks, healthcare organizations can focus on the top priority – breaches – and cut through the complexity inherent in security. With a simple, practical way to identify and strengthen their breach security posture, security professionals can make a strong, detailed case for enhanced security programs, with the rationale, roles and resources required. Organizations can evolve from little or no security to an advanced maturity level with highly effective mitigation of breach risk while keeping within yearly budget and resource constraints. By assessing gaps in security and assigning a security risk level, beginning with a baseline maturity level in year one, organizations can add further safeguards to move to an enhanced maturity level, and add more safeguards in subsequent years to achieve an advanced maturity level.

Regardless of the approach, combining a defense-in-depth strategy with a strategic healthcare security breaches maturity model and collaborating across each layer – client, network and server – helps close the holes and delivers better protection, whether an organization is at the baseline, enhanced or advanced maturity level.

Given the myriad and growing security risks in healthcare, and the threats posed by each separate type of breach risk described in this article, the best approach is both proactive and preventative. Data security is fundamentally a strategic endeavor, involving not only the human aspect of training and enforcing security behaviors that will support continued security, but also benchmarking exercises designed to continually assess your risks in the face of available technologies, and the breaches that your organization likely faces. A security breaches maturity model can be applied to enact continuous self-improvement wherever healthcare organizations are in the maturity process.

Keith Tyson is a security consultant with Dell Healthcare and Life Sciences. He has more than 14 years of experience managing medical supplies development and commercialization, oncology program strategy, software innovation and development, and providing thought leadership to the data security community. He has published articles in such sources as HIMSS’ Journal of Healthcare Information Management, Hematology and Oncology News and Issues magazine, Healthcare IT News, HealthITSecurity, and mHealth News. He holds an MBA from Emory University.

David Houlding is the Healthcare Privacy and Security Lead at Intel Health and Life Sciences, with more than 20 years of experience in healthcare, privacy and security, and enterprise architecture. His responsibilities include privacy and security leadership for the healthcare and life science industry globally. In this role David leads healthcare security and privacy research through to defining strategy, roadmaps, reference architectures, solution incubation, prototypes, pilots, and sales and marketing field support for the Health and Life Sciences (HLS) sector. He has published and contributed to numerous articles in major trade journals including Privacy Advisor, VentureBeat, Healthcare Info Security, Healthcare Technology Online and Dr. Dobb’s Journal. David has also made contributions to book publications including XML Unleashed, and has been interviewed for newspaper and other articles.
