
At the Nashville Health IT Summit, a Nuanced Discussion of the Complexities of HIT Security

July 6, 2017
by Mark Hagland
Healthcare IT leaders shared the challenges facing them—and gains they’re making—around developing a security culture

On June 28, at the Health IT Summit in Nashville, sponsored by Healthcare Informatics and held at the Hilton Downtown Nashville, a panel of industry experts on health IT security had a complex, layered discussion of the complex, layered current landscape around data security.

The panel discussion session, entitled “Building an Integrated Security Strategy: Practical Tips for Creating a Governance Structure that Meets your Standards,” was led by Lee Barrett, executive director of the Electronic Health Network Accreditation Commission (EHNAC). Barrett was joined by Patty Lavely, senior vice president and CIO at Gwinnett Medical Center (Lawrenceville, Ga.); Shane Pilcher, administrative director, information services, Siskin Hospital for Physical Rehabilitation (Chattanooga); Shayne Champion, director, information security and architecture, Erlanger Health System (Chattanooga); and David Finn, a former CIO and the health information technology officer at the Mountain View, Calif.-based Symantec Corporation.

The discussion quickly became very pragmatic, after Barrett asked his fellow panelists, “As each of you have developed and managed your security strategies for your organizations, what are some of the practical things you’ve done to support governance structures?”

“One of the things we’ve done,” said Champion of Erlanger, “is to look at our governance structure and look at what’s practical. For some organizations, you can do something as robust as what we’ve been doing; for others, that’s not possible.”

“Working for years on the technical side to harden our structures, we didn’t really have a formal security risk program,” Pilcher reported, of the situation at Siskin. “So we’ve taken a journey over the last year and a half to start to develop governance and management structures. We’ve consulted outside organizations. We’re using NIST [the framework from the National Institute for Standards and Technology, within the U.S. Department of Commerce] and other frameworks to help us start. We’re putting committees into place to help us start as a body. And we wanted to make sure it wasn’t information systems-driven, but organizationally driven. So we brought in our compliance officer, our HR director, so that as we put out new policies, they were organizational.”


Finn said, “I’m going to echo those comments. I spent 25 years in the provider space, in roles ranging from a systems auditor to a CIO, prior to joining Symantec. And when I arrived in a security and privacy officer role in a hospital organization, I realized that we had a lot of data—but at the same time, that we didn’t understand the data. And the last people to understand the data are the IT people. So you have to understand the data and what’s at risk, and what’s important, and you have to tier that data,” he said. “IT cannot make those decisions; you’ve got to have the organizational and data owners, and the users—clinical, finance, etc.—and they’ve got to decide what levels need to be protected, and levels of protection on that data.”

“I agree with everything said,” Gwinnett Medical Center’s Lavely said. “And the most important element has been education. We put into place some formal policies, pulled together a framework. Then the next step was to bring in compliance, risk, and HR, and get them on board with the framework. And then I went to the c-suite and the board, because the board is ultimately responsible. And I’ll say, with the leadership, it’s a constant work in progress of continuing that education. It’s a little easier now [to persuade people of the need for healthcare IT security], because we have so many public issues affecting us personally as individuals, whether with Target or Home Depot, for example. But we continue to look at issues like password expiration and other issues—and it’s becoming more and more acceptable to put in [more rigorous] policies and procedures than previously, but not without education.”

Achieving—and Maintaining—Board-Level and C-Suite-Level Engagement

“As you’re working with your management and board of directors, how do you keep them informed and engaged, and supportive of your various objectives and work?” Barrett asked his fellow panelists. “How do you engage and keep the board engaged? And are there other committees, like the audit committee, that you involve? How do you manage all of those groups? Patty, any specific kinds of ideas?”

“Well, we’re very fortunate,” Lavely responded. “We have a member of our board who comes from the telecom industry. He’s actually no longer in that industry, but that background has been tremendously helpful. And cybersecurity now reports to the audit committee on the board, and he’s on that committee. In fact,” she went on, “we had a board meeting Monday night. And we just produced our section on cybersecurity for the board; in my report to the board every month is a section on cybersecurity; it takes their eyes to that section of the report. And then we do an extended report to our audit and compliance committee every month. And when we have a potential big breach, I will call to give that member a heads-up. We don’t want them involved in the operations, that’s not their role; but we try to keep a high level of awareness. And I would not go to the board for funding without going to the c-suite first, but when I do bring something to the board, it’s a non-issue; it gets approved.”

“To Patty’s point,” Finn said, “it really is educational. And particularly the community hospital boards, they’re not IT experts; sometimes, they’re not even healthcare experts. So it’s a long, slow process. And you have to meet them where they are. If you start talking about IT, you’re going to lose them, or clinical workflow. You have to meet them where they are.”

There’s also the element of time for the education to sink in, and also the need to find data and statistics that will impact board members’ thinking, Pilcher noted. “This year, we’ve actually had a cyber-insurance expert on our board, to get that expertise and knowledge,” he said. “So the education doesn’t happen overnight. And one of the challenges is finding the metrics to submit to the board that provide value and interest and don’t waste time. And we also report to the audit and compliance committee as well. And teaching them is very important as well. We’ve had a penetration test. And if you’re updating them, they know the issues involved. And it doesn’t take a lot of convincing. They will start asking deeper questions and start asking you follow-up questions; they want to go deeper with you.”

Champion agreed, adding that “As a cybersecurity professional, I feel like a lot of my job is to be a professional translator. I’m constantly translating between technical teams and business. So when we speak to executives and our board level leadership, we speak at a high level. I don’t want to talk subjectively; I want to talk about the percentage of risk of something happening this year, and the dollar impact if something happened. I want them to be able to make choices based on those factors. And we also want them to understand how well we’re doing or not doing. And I want to make sure that we can compare ourselves not just against local competitors, but against industry generally, so we can be as competitive as we can be.”

Are Healthcare Leaders Really Sharing About Breaches Yet?

At this point in the panel discussion, an audience member raised his hand to ask a question. “The speaker before this advocated for sharing in the event of a misadventure of some type,” the audience member stated. “Do any of the panel members discuss this with their boards, what steps we should take in the event something happens? Are we going to share? Healthcare is not a big ‘sharer.’ I don’t believe that a lot of people are sharing.”

In response to that audience member’s question, Champion asked a question of his own. “How do you turn that into a business proposition?” he asked. “It’s really simple. Compare this to a security guard in a hotel. He has to make sure that every door and window is locked at all times; the bad guy only has to find one unlocked door or window. That’s the thing: if one person finds an opening… Teaching that, and that’s what Patty was talking about, teaching that, that’s changing the valuable proposition, making it harder for the attacker. And if we share, that helps.”

“You’re right, the culture has been to hold that information very tightly, but that’s a culture that’s changing,” Pilcher said, in response to the audience member’s contention that the healthcare industry has not been an open one when it comes to sharing challenges. “When it comes to security, that’s the one thing that I’m seeing organizations breaching that competitive wall, and working together to combat this. Because it is a war, and there’s no single silver bullet for this. It’s also very costly. The scope may change, but the same problems are there for everyone. In Chattanooga, we’ve developed a regional group that meets once a quarter, and we’ll invite CISOs from major Fortune 500 companies. And we’re sharing with each other how we’re going about doing things.”

Finn reported that “I had the pleasure of serving on the Healthcare Cybersecurity Task Force, under CISA, the Cybersecurity Information Sharing Act, passed by Congress. We’ve got to get over people not wanting others to know they have flaws and problems. Quality is about sharing information,” he emphasized. “To Shane’s point, this drives down incidents of all kinds. That said, we have a very fascinating industry, because we range from huge, multi-billion-dollar corporate providers, to solo physicians. We got into this mess together; we’ve got to get out of it together.”

“And I’m seeing that organizations are starting to get over it; they’re starting to share information with each other. And they’re learning ahead of time what sorts of strategies they might pursue,” Barrett said. “So I’m starting to see a lot more openness; it’s happening. And because people are looking at cost, they’re saying, hey, we need to be proactive rather than reactive. In the last session we had a few weeks ago, the entire session consisted of how we could come up with some practical suggestions for medical practices, from single-doc practices to larger group practices. But it’s all education and awareness. The good news is that, from the EHNAC level, I’m seeing a lot more sharing.”

“I agree with what everybody said; but from my point of view, I’m not seeing the sharing of information, yet,” Lavely interposed. “And we desperately need it. The only way we’ll combat the Petya, the NotPetya, the WannaCry—is through sharing. And our board and senior executive management, are still skittish about sharing information publicly. There are a lot of issues to consider. However, for survival, we’ve got to share. And I’ve recently been trying to pull together all the CIOs from the Atlanta area, to share. The first battle is getting everyone together, per schedules. And we’re all friends; but the first thing someone said was, can we put together a confidentiality agreement? So there’s a way to go.”

“And during WannaCry, HHS was holding daily open phone calls on the situation,” Finn said, referring to the Department of Health and Human Services. “So it is changing. And we’re seeing a shift around security; traditional security people wanted to lock things down and keep moving. Risk management is different from security. So we’re seeing a shift from it being just a security issue, to being a risk management issue.”

“And when you’re sharing information about an incident, you’re not having to share everything—every vector you got hit with, every failed policy,” Pilcher noted. “You’re sharing the major points. So you’re not having to share everything. I do advocate not sharing everything, but sharing enough to give benefit, and get benefit back.”

“And because we’re talking about technology, we sometimes fail to talk about this in ways we can understand,” Champion added. “Who invented the polio vaccine? Jonas Salk. How many people in his family or among his friends were affected by polio? No one knows, and it doesn’t matter. So you don’t have to give tremendous amounts of data, nor do you need to get into tremendous levels of data with your board and c-suite. Explain things in simple terms they can understand.”

The Board’s Responsibility

“What is the board’s responsibility in all of this?” Barrett asked his fellow panelists.

“The board’s responsibility is to manage risk, so I try to put everything in terms of managing risk,” Lavely said. “And we do a comprehensive annual cybersecurity risk assessment. And we use that assessment, and the elements in it, to measure risk and how we’re reducing risk. That’s the main part of what I share with the big board every year. We try to keep it to a high level for them. Now, for the audit and compliance committee, we give them much more detail, such as anything we’re doing, like encryption, and all the tools we’re using, and our assets, and so that’s much lengthier. And it’s a tough one to determine how much detail to share with them [in terms of what they can absorb].”

Finn offered that “Bruce Schneier, one of the security people I most admire, has said that more people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk—and Bruce is one of the true thought-leaders around data security. We all know where the sharks are; we need to figure out where the pigs are.”

“Yes, and keeping the board completely informed at the business level remains important,” Pilcher said.

“A couple of things around metrics,” Champion said. “What’s important to the board is your business’s mission—and its goals, assets, etc. So being able to draw a direct line back to the organization’s core mission, is important.”

Creating a Cybersecurity Culture

“How do you create a cybersecurity culture within your organizations?” Barrett asked his fellow panelists.

“I think that’s a top-down kind of thing,” Lavely responded. “And I don’t know if we’ve created it yet, but we’ve actually got a lot of clinicians, of medical staff, calling us and asking whether something is fraudulent or not. So it goes back to the education, because our best defense is our employees. We continue to send out tips on a regular basis, we do phishing campaigns, and education around phishing campaigns, and we even provide handouts for how to do safe computing at home, because we hope that helping them in their home environment will translate to their habits in their work environment.”

“I started out as a privacy and information security officer, in 2001,” in a health system, Finn said. “I had a medical staff of 1,600 doctors, and a staff of 10,000 employees, and a health plan and an MSO, and I had a privacy compliance person and security compliance person, and myself. And I realized I need about 12,000 security officers—and that’s what we set out to do! For months, I visited every practice, every floor, every location, as did my managers. And we did basic training, and made it fun. And it has to be personal. And we did a privacy and security fair. And by the time I left the organization, we had a few thousand people coming to that privacy and security fair. And we live in a whole different world from even 10 years ago. Everyone’s got a smartphone, and a tablet,” he added. “There’s a statistic that says that the average adult has 3.6 Internet-connected devices. So we have to change the way we think about data, about information technology; and we have to change the way we live our lives.”

Pilcher offered that, “As Patty indicated, there’s not one single approach that works for everyone; so you’ve got to be flexible. And so you need to take every opportunity you have, to talk about security. Make it fun and topical. I usually put out tips every month, to warn and update users; and the feedback has been very positive. And like Patty, I give people tips they can use at home, because improving their computing habits at home will help us. And every hospital typically has a cafeteria that sells cookies and treats—post tips in that area.”

And, noted Champion, “Microsoft calls their salespeople ‘product evangelists’—and that’s the kind of attitude I’d like us to take, to evangelize around the importance of [health IT security]. And we reach out to people, we have lunch-and-learns that help them do safer computing at home. And we actually tell them, give us a call, and we’ll help you with your home network. We also have a training session with physicians—and the big problem with them is, ‘so what? How does this affect our worklives?’ So we’ll go up on stage and live-hack a medical device. And all of a sudden, they realize the importance of this, and how it connects with the need to protect their patients.”

Florida Provider Pays $500K to Settle Potential HIPAA Violations

December 12, 2018
by Heather Landi, Associate Editor

Florida-based Advanced Care Hospitalists PL (ACH) has agreed to pay $500,000 to the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) to settle potential HIPAA compliance failures, including sharing protected health information with an unknown vendor without a business associate agreement.

ACH provides contracted internal medicine physicians to hospitals and nursing homes in west central Florida. ACH provided services to more than 20,000 patients annually and employed between 39 and 46 individuals during the relevant timeframe, according to OCR officials.

Between November 2011 and June 2012, ACH engaged the services of an individual that claimed to be a representative of a company named Doctor’s First Choice Billings, Inc. (First Choice). The individual provided medical billing services to ACH using First Choice’s name and website, but allegedly without the knowledge or permission of First Choice’s owner, according to OCR officials in a press release published last week.

A local hospital contacted ACH on February 11, 2014 and notified the organization that patient information was viewable on the First Choice website, including names, dates of birth and social security numbers. In response, ACH was able to identify at least 400 affected individuals and asked First Choice to remove the protected health information from its website. ACH filed a breach notification report with OCR on April 11, 2014, stating that 400 individuals were affected; however, after further investigation, ACH filed a supplemental breach report stating that an additional 8,855 patients could have been affected.

According to OCR’s investigation, ACH never entered into a business associate agreement with the individual providing medical billing services to ACH, as required by the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, and failed to adopt any policy requiring business associate agreements until April 2014. 

“Although ACH had been in operation since 2005, it had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014. The HIPAA Rules require entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of an entity’s electronic protected health information,” OCR officials stated in a press release.

In a statement, OCR Director Roger Severino said, “This case is especially troubling because the practice allowed the names and social security numbers of thousands of its patients to be exposed on the internet after it failed to follow basic security requirements under HIPAA.”

In addition to the monetary settlement, ACH will undertake a robust corrective action plan that includes the adoption of business associate agreements, a complete enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA Rules. 

In a separate case announced this week, a Colorado-based hospital, Pagosa Springs Medical Center, will pay OCR $111,400 to settle potential HIPAA violations after the hospital failed to terminate a former employee’s access to electronic protected health information (PHI).

Pagosa Springs Medical Center (PSMC) is a critical access hospital that, at the time of OCR’s investigation, provided more than 17,000 hospital and clinic visits annually and employed more than 175 individuals.

The settlement resolves a complaint alleging that a former PSMC employee continued to have remote access to PSMC’s web-based scheduling calendar, which contained patients’ electronic protected health information (ePHI), after separation of employment, according to OCR.

OCR’s investigation revealed that PSMC impermissibly disclosed the ePHI of 557 individuals to its former employee and to the web-based scheduling calendar vendor without a HIPAA-required business associate agreement in place.

The hospital also agreed to adopt a substantial corrective action plan as part of the settlement, and, as part of that plan, PSMC has agreed to update its security management and business associate agreement, policies and procedures, and train its workforce members regarding the same.

“It’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment,” Severino said in a statement. “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”

Covered entities that do not have or follow procedures to terminate information access privileges upon employee separation risk a HIPAA enforcement action. Covered entities must also evaluate relationships with vendors to ensure that business associate agreements are in place with all business associates before disclosing protected health information. 

Eye Center in California Switches EHR Vendor Following Ransomware Incident

December 11, 2018
by Rajiv Leventhal, Managing Editor

Redwood Eye Center, an ophthalmology practice in Vallejo, Calif., has notified more than 16,000 patients that its EHR (electronic health record) hosting vendor experienced a ransomware attack in September.

In the notification to the impacted patients, the center’s officials explained that the third-party vendor that hosts and stores Redwood’s electronic patient records, Illinois-based IT Lighthouse, experienced a data security incident which affected records pertaining to Redwood patients. Officials also said that IT Lighthouse hired a computer forensics company to help them after the ransomware attack, and that Redwood worked with the vendor to restore access to its patient information.

Redwood’s investigation determined that the incident may have involved patient information, including patient names, addresses, dates of birth, health insurance information, and medical treatment information.

Notably, Redwood will be changing its EMR hosting vendor, according to its officials. Per the notice, “Redwood has taken affirmative steps to prevent a similar situation from arising in the future. These steps include changing medical records hosting vendors and enhancing the security of patient information.”

Ransomware attacks in the healthcare sector continue to be a problem, but at the same time, they have diminished substantially compared to the same time period last year, as cyber attackers move on to more profitable activities, such as cryptojacking, according to a recent report from cybersecurity firm Cryptonite.

Report: 30 Percent of Healthcare Databases Exposed Online

December 10, 2018
by Heather Landi, Associate Editor

Hackers are using the Dark Web to buy and sell personally identifiable information (PII) stolen from healthcare organizations, and exposed databases are a vulnerable attack surface for healthcare organizations, according to a new cybersecurity research report.

A research report from IntSights, “Chronic [Cyber] Pain: Exposed & Misconfigured Databases in the Healthcare Industry,” gives an account of how hackers are tracking down healthcare personally identifiable information (PII) data on the Dark Web and where in the attack surface healthcare organizations are most vulnerable.

The report explores a key area of the healthcare attack surface, which is often the easiest to avoid—exposed databases. It’s not only old or outdated databases that get breached, but also newly established platforms that are vulnerable due to misconfiguration and/or open access, the report authors note.

Healthcare organizations have been increasingly targeted by threat actors over the past few years and their most sought-after asset is their data. As healthcare organizations attempt to move data online and increase accessibility for authorized users, they’ve dramatically increased their attack surface, providing cybercriminals with new vectors to steal personally identifiable information (PII), according to the report. Yet, these organizations have not prioritized investments in cybersecurity tools or procedures.

Healthcare budgets are tight, the report authors note, and if there’s an opportunity to purchase a new MRI machine versus make a new IT or cybersecurity hire, the new MRI machine often wins out. Healthcare organizations need to carefully balance accessibility and protection.

In this report, cyber researchers set out to show that the healthcare industry as a whole is vulnerable, not due to a specific product or system, but due to lack of process, training and cybersecurity best practices. “While many other industries suffer from similar deficiencies, healthcare organizations are particularly at risk because of the sensitivity of PII and medical data,” the report states.

The researchers chose a couple of popular technologies for handling medical records, including known and widely used commercial databases, legacy services still in use today, and new sites or protocols that try to mitigate some of the vulnerabilities of past methods. The purpose of the research was to demonstrate that hackers can easily find access to sensitive data in each state: at rest, in transit or in use.

The researchers note that the tactics used were pretty simple: Google searches, reading technical documentation of the aforementioned technologies, subdomain enumeration, and some educated guessing about the combination of sites, systems and data. “All of the examples presented here were freely accessible, and required no intrusive methods to obtain. Simply knowing where to look (like the IP address, name or protocol of the service used) was often enough to access the data,” the report authors wrote.

The researchers spent 90 hours researching and evaluated 50 databases. Among the findings outlined in the report, 15 databases were found exposed, so the researchers estimate about 30 percent of databases are exposed. The researchers found 1.5 million patient records exposed, at a rate of about 16,687 medical records discovered per hour.

The estimated black-market price per medical record is $1 per record. The researchers concluded that hackers can find a large number of records in just a few hours of work, and this data can be used to make money in a variety of ways. If a hacker can find records at a rate of 16,687 per hour and works 40 hours a week, that hacker can make an annual salary of $33 million, according to the researchers.

“It’s also important to note that PII and medical data is harder to make money with compared to other data, like credit card info. Cybercriminals tend to be lazy, and it’s much quicker to try using a stolen credit card to make a fraudulent purchase than to buy PII data and run a phishing or extortion campaign. This may lessen the value of PII data in the eyes of some cybercriminals; however, PII data has a longer shelf-life and can be used for more sophisticated and more successful campaigns,” IntSights security researcher and report author Ariel Ainhoren wrote.

The researchers used an example of a hospital using an FTP server. “FTP is a very old and known way to share files across the Internet. It is also a scarcely protected protocol that has no encryption built in, and only asks you for a username and password combination, which can be brute forced or sniffed by network scanners very easily,” Ainhoren wrote. “Here we found a hospital in the U.S. that has its FTP server exposed. FTP’s usually hold records and backup data, and are kept open to enable backup to a remote site. It could be a neglected backup procedure left open by IT that the hospital doesn’t even know exists.”

According to the report, hackers have three main motivations for targeting healthcare organizations and medical data:

  • State-Sponsored APTs Targeting Critical Infrastructure: APTs are more sophisticated and are usually more difficult to stop. They will attempt to infiltrate a network to test tools and techniques to set the stage for a larger, future attack, or to obtain information on a specific individual’s medical condition.
  • Attackers Seeking Personal Data: Attackers seeking personal data can use it in multiple ways. They can create and sell PII lists, they can blackmail individuals or organizations in exchange for the data, or they can use it as a basis for further fraud, like phishing, Smishing, or scam calls.
  • Attackers Taking Control of Medical Devices for Ransom: Attackers targeting vulnerable infrastructure won’t usually target healthcare databases, but will target medical IT equipment and infrastructure to spread malware that exploits specific vulnerabilities and demands a ransom to release the infected devices. Since medical devices tend to be updated infrequently (or not at all), this provides a relatively easy target for hackers to take control.

The report also offers a few general best practices for evaluating if a healthcare organization’s data is exposed and/or at risk:

  • Use Multi-Factor Authentication for Web Applications: If you’re using a system that only needs a username and password to log in, you’re making it significantly easier to access. Make sure you have MFA set up to reduce unauthorized access.
  • Tighter Access Control to Resources: Limit the number of credentials to each party accessing the database. Additionally, limit specific parties’ access to only the information they need. This will minimize your chance of being exploited through a 3rd party, and if you are, will limit the damage of that breach.
  • Monitor for Big or Unusual Database Reads: These may be an indication that a hacker or unauthorized party is stealing information. It’s a good idea to set up limits on database reads and make sure requests for big database reads involve some sort of manual review or confirmation.
  • Limit Database Access to Specific IP Ranges: Mapping out the organizations that need access to your data is not an easy task. But it will give you tighter control on who’s accessing your data and enable you to track and identify anomalous activity. You can even tie specific credentials to specific IP ranges to further limit access and track strange behavior more closely.
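The two monitoring items above (flagging unusually large reads, and tying credentials to specific IP ranges) can be checked from ordinary database audit logs. The script below is an added illustration written for this article; it is not code from the IntSights report or from any of the organizations named here. It assumes a hypothetical audit-log format of one read per line (timestamp, database user, source IP, rows returned), a per-user allow-list of source networks, and two thresholds: an absolute row count that should always go to manual review, and a multiple of the user's own median read size. All of the log lines, users, networks and thresholds are constructed for the example.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample audit records (hypothetical format, not from the report):
# timestamp, database user, source IP, rows returned by the query.
SAMPLE_AUDIT_LOG = """\
2018-12-03T08:01:12Z billing_svc 10.20.1.15 120
2018-12-03T08:03:44Z billing_svc 10.20.1.15 98
2018-12-03T08:07:02Z billing_svc 10.20.1.15 143
2018-12-03T08:09:51Z billing_svc 10.20.1.15 110
2018-12-03T08:15:30Z billing_svc 10.20.1.15 105
2018-12-03T09:12:07Z billing_svc 10.20.1.15 250000
2018-12-03T09:40:19Z sched_vendor 203.0.113.77 35
2018-12-03T10:02:55Z clinic_app 10.20.2.40 60
"""

# Hypothetical allow-list: each database credential may only be used from
# the network(s) that party was mapped to (the "tie credentials to IP ranges" practice).
ALLOWED_RANGES = {
    "billing_svc": [ipaddress.ip_network("10.20.1.0/24")],
    "sched_vendor": [ipaddress.ip_network("198.51.100.0/24")],
    "clinic_app": [ipaddress.ip_network("10.20.2.0/24")],
}

ABSOLUTE_LIMIT = 10000        # any single read above this always goes to manual review
BASELINE_MULTIPLIER = 20      # a read this many times the user's median read is unusual


def parse_audit_log(text):
    """Parse the whitespace-separated audit format into dicts; skips blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, rows = line.split()
        records.append({"ts": ts, "user": user, "ip": ip, "rows": int(rows)})
    return records


def ip_allowed(user, ip):
    """True if the source address falls inside a network mapped to this credential."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_RANGES.get(user, []))


def find_anomalies(records, absolute_limit=ABSOLUTE_LIMIT, multiplier=BASELINE_MULTIPLIER):
    """Return one finding per record that breaks the IP allow-list or the read-size rules.

    The per-user baseline is the median of that user's *other* reads in the log, so a
    single huge read does not inflate its own baseline.
    """
    by_user = defaultdict(list)
    for idx, r in enumerate(records):
        by_user[r["user"]].append((idx, r["rows"]))

    findings = []
    for idx, r in enumerate(records):
        reasons = []
        baseline = None
        if not ip_allowed(r["user"], r["ip"]):
            reasons.append("source_ip_outside_allowed_range")
        if r["rows"] > absolute_limit:
            reasons.append("exceeds_absolute_limit")
        others = [rows for i, rows in by_user[r["user"]] if i != idx]
        if others:
            baseline = statistics.median(others)
            if r["rows"] > multiplier * baseline:
                reasons.append("exceeds_user_baseline")
        if reasons:
            findings.append({
                "ts": r["ts"], "user": r["user"], "ip": r["ip"], "rows": r["rows"],
                "baseline_median": baseline, "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_anomalies(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f["ts"], f["user"], f["ip"], f["rows"], ", ".join(f["reasons"]))
```

Run against the constructed log, the 250,000-row read by `billing_svc` is flagged both for crossing the absolute limit and for being far above that account's median of 110 rows, and the `sched_vendor` login from 203.0.113.77 is flagged because that credential is only expected from 198.51.100.0/24. In a real deployment the baseline would come from a longer history than a single day's log, and the absolute-limit findings would feed the manual-review step the report recommends rather than just being printed.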
