Skip to content Skip to navigation

IT Security at St. Luke’s: An Assumption of Compromise

January 14, 2015
by Rajiv Leventhal
| Reprints
Reid Stephan

It would be hard to argue that 2014 wasn’t a year of healthcare data breaches. According to an Identity Theft Resource report, of the 761 reported data breaches, 322 of them (42.3 percent) came from the healthcare industry. The total number of records exposed totaled more than 83 million, with approximately 8.25 million coming from healthcare, approximately 9.9 percent of the total records breached, the report found.

What’s more, a recent IDC Health Insights report predicted, “By 2015, half of healthcare organizations will have experienced between one and five cyber attacks in the previous 12 months—with a third of those attacks successful. This will necessitate investments in "a multi-prong security strategy to avoid disruptions to normal operations and incurring fines and notification costs."

Certainly, the proliferation of digitized protected health information (PHI), lack of comprehensive risk mitigation strategies, omnibus rulings and increased audits all served to create a hotbed for breaches in 2014. As a result, focus will not only be on compliance but on IT risk management and process, including auditing and working with vendors to design and outline end to end security standards, expectations and responsibilities.

According to Reid Stephan, director, IT security, at the Boise, Idaho-based St. Luke's Health System, the high number of healthcare breaches in 2014 should come as a surprise to no one. “People that have been in this industry have read the tea leaves. This is not something that should catch anyone off guard,” he says. Stephan further says that it’s something that will likely continue over the next few years as well. “We will see a shift in the attack focus by organized crime syndicates, where they recognize that healthcare is an easier target. There is a lot of low-hanging fruit due to the lack of security investment in security capabilities and controls. We are, in a sense, newcomers to the digital battlefront, so it’s a cat-and-mouse game. Healthcare is behind the curve in terms of defenders and protectors of attacks,” says Stephan.

Stephan will be part of a panel discussion on Jan. 21 at the Institute for Health Technology Transformation’s (iHT2) Health IT Summit in San Diego. The panel, titled, "Privacy & Security: Strategies to Secure Patient Data," will aim to identify risk assessment strategies, discuss strategies for securing mobile devices, discuss accountability and Health Insurance Portability and Accountability Act (HIPAA) regulations, and more. Click here to register for the San Diego Health IT Summit to see Stephan and plenty of others. (iHT2 is a sister organization with Healthcare Informatics under the corporate umbrella of the Vendome Group).

Stephan goes on to note that while he wouldn’t quite say that the healthcare industry cannot defend itself when it comes to cyber attacks, there is evidence that it is lags behind other sectors in terms of investment  of security staff and controls. “My philosophy is that you have to develop an assumption of compromise,” he says. “The reality is that a skilled, determined hacker will find a way in. It’s not a matter of if, but when. So at that point you have to make sure that you have good controls in place to detect and mitigate what they do when they’re in.”

It also doesn’t help that healthcare has become an attractive target when it comes to its data; the industry possesses some of the same data that we might see in the banking and finance sectors. Payment information of patients, coupled with very valuable medical information is ripe for fraud or other financial gain for criminals, Stephan says. “As such, there is a high motivation for threat actors to attack the healthcare environment.  So that, in addition to the lack of mature security defenses that are in place, means you have a recipe for breaches,” he says.

St. Luke’s Defense

Stephan says that one of the keys to preventing breaches at St. Luke’s is to look at what is avoidable. “If you look at the Department of Health and Human Services (HHS)’ ‘wall of shame,’ [affecting 500 or more individuals], more than 90 percent of those breaches are a result of a lost or stolen device that are not encrypted. That is completely defensible. So we take steps to make sure that we close those gaps so we can [better] defend,” he says.

To that end, St. Luke’s encrypts all of endpoint devices so in the event of loss or theft, the health system doesn’t have to declare a breach, Stephan notes. And regarding mobile devices, the health system allows an employee to use a personally-owned device to access potentially sensitive or clinical data only if it meets the organization’s security policy. “We have the ability to remotely wipe [the device] or remotely reset the password and lock it. If it doesn’t meet that baseline check, the device won’t be allowed to access any of our systems that have our data,” says Stephan.