“It’s not inconceivable that there could be a large infrastructure attack in America and if there was, it could absolutely affect a hospital’s ability to deliver care.”
---Mac McMillan, chairman, CEO and co-founder of Austin, Texas-based consulting firm CynergisTek, in a recent interview with Healthcare Informatics
The healthcare cybersecurity crisis does not seem to be significantly improving, and experts continue to warn us of the potential ramifications. According to the 2017 year-end data breach report from Baltimore-based cybersecurity software company Protenus, last year there were 477 healthcare breaches reported to the U.S. Department of Health and Human Services (HHS) or the media—compared to 450 reported breaches in 2016 (it should be noted that there was also a drastic decrease in the number of affected patient records—27.3 million records breached in 2016, over five times greater than the number of records affected in 2017). Nonetheless, 2017 still saw an average of at least one health data breach per day throughout the entire year.
At healthcare organizations across the U.S., chief information security officers (CISOs) are deploying new strategies and approaches to cyber defense as they continue to face the new reality that data breaches are at this point becoming expected. In fact, a recent survey of more than 600 CISOs and other information security professionals across multiple industries, conducted by the Ponemon Institute, revealed that two-thirds of respondents believe that their companies are more likely to fall victim to a cyber attack or will face a data breach this year.
According to that same survey, when asked what they predict will happen to their organization in 2018, CISOs and other top security leaders indicated that human error actually leads the list of their worries. Sixty-five percent of respondents specifically reported they worry that a careless employee will fall for a phishing scam that results in a credential threat.
So what are some ways in which CISOs and other healthcare security leaders are working to fight off cyber attackers and better protect their data? None of the experts who Healthcare Informatics interviewed for this piece believe in any “magic bullet” approach, but more frequently now, leading minds are pointing to a few specific areas in which organizations can improve their strategies—namely, monitoring users’ behaviors and leveraging identity and access management (IAM) protocols.
Advanced Behavioral Monitoring and How it Could Help
CynergisTek’s McMillan, who has long been a strong advocator for cybersecurity strategies that do more than simply “following the rules” and performing traditional audit methods as a manual process, feels that organizations have to think about behavioral monitoring— in which organizations monitor their users at a high level—in terms of “attributes.” What he means by that is just about everything that happens in the system is an attribute—a user, a person, a patient, a time of day, and a location can all be attributes. And the more attributes one can associate with a given series of events, the more accurate one can get with analysis, he says.
As such, McMillan opined that using behavioral analytics, when focused on all of these attributes, is more effective than traditional methods that don’t take into consideration these attributes, but rather take in more things that are compliance- or rules-based, and are very limited in the information they look at.
He brings up an example of a nurse working in the ED. There is typically a pattern that emerges after studying numerous nurses in the ED that shows what a nurse’s profile looks like. When a person in that role begins to have a different role or something changes in that profile that’s an anomaly, the system then can alert someone to check up on it since this person isn’t acting like he or she is expected to act in that role.
“That’s the difference in these new behavioral analytics type tools that give you the ability to do more granular analysis, pulling in more attributes than the old manual compliance processes that are literally looking to see if Nurse Betty looked at someone’s record that wasn’t on her floor. And then someone has to go follow that lead and do a bunch of other data collection to figure out if Nurse Betty should have been over there, why was she there, and what were the circumstances? That is very time consuming and inefficient,” McMillan says.
Meanwhile, these [newer] tools can quickly look at everything associated with Nurse Betty and narrow down that this was the day that she was not working in her normal location, but she was assigned somewhere else and saw X patients. “You can quickly identify those events that look [like] outliers,” McMillan explains. He adds that behavioral analytics tools “allow you to study the behaviors of all of the different players in the equation of an event—not just the patient, but the caregiver, whoever was involved in the access, as well as the location and the activity, so you can understand more accurately what’s going on and what is really happening.”
Indeed, while there is a general consensus that behavioral monitoring strategies are becoming increasingly necessary, the question then becomes, how many healthcare CISOs are deploying these methods? And how sophisticated are their processes?
Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.