At Texas Health Resources, A Strategic Approach to Evolving Cybersecurity Challenges | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

At Texas Health Resources, A Strategic Approach to Evolving Cybersecurity Challenges

November 14, 2017
by Heather Landi
| Reprints
Click To View Gallery

With a fast-evolving cyber threat environment and a continuous flood of healthcare data breaches, chief information security officers (CISOs) at hospitals and health systems face mounting pressure to safeguard their organization’s networks as well as critical clinical and financial data. Healthcare CI­SOs face complex and challenging issues with respect to information security, including rapidly evolving mal­ware threats, insider data breaches and the increasing use of medical Internet of Things (IoT) devices across their organizations.

In addition to security-focused projects, CISOs are of­ten involved in enterprise-wide technology initiatives as well. At Texas Health Resources (THR) this past year, C-suite executive leaders have been focused on a massive data center migration initiative. THR is an integrated health system based in Arlington, Texas with more than 350 points of access, including 29 hospital locations that are owned, operated or joint-ventured with THR, 100 outpatient facilities and 250 other community ac­cess points, including the Texas Health Physicians Group clinics. THR has more than 24,000 employees and the system serves more than 7 million residents across 16 counties throughout North Texas.

The health system’s CISO, Ron Mehring, says the or­ganization is migrating data centers housed in individual hospitals to “sophisticated, advanced co-location facili­ties” and the new data centers provide increased secu­rity controls and protections.

“Throughout the whole year, our focus has been on transforming our data center, and that includes improv­ing the availability and integrity of data and overall per­formance. It also includes the security controls within the data centers, from the physical controls to environmen­tal controls, to improving the general security and tech­nologies within the data centers themselves. And that’s been a ton of heavy lifting this year,” Mehring says.

Webinar

How to Assess IT Risk in a Healthcare Environment

In this webinar, Community Health System’s CISO Scott Breece and Lockpath's Sam Abadir will discuss the unique IT landscape of the healthcare industry and the challenges this presents for IT risk...

Ron Mehring

Mehring and his team also have focused on what he refers to as “blocking and tackling improvements,” ranging from multi-factor authentication enhancements to process improvements around vulnerability identi­fication and remediation activities. “We spent a lot of time trying to improve our assessment processes to get a little bit more detailed on the way that we identify risk and the way that we articulate risk to our stakeholders in the enterprise. We focused on general improvements in those areas, but most of our efforts have really fo­cused on our data center transformation, and some of the things that orbit around that.”

And, he adds, “That’s so important for our organization as we proceed to transform ourselves as a healthcare de­livery system. It’s really setting up the playing field; setting up the infrastructure and security services to support all those future business initiatives and clinical operations.”

The Current State of Healthcare Cybersecurity

When looking at the current state of cybersecurity in the healthcare industry, current data breach reports and news reports about malware incidents paint a trou­bling picture. Cybersecurity software company Protenus, which publishes a “Breach Barometer” report ev­ery month, reported 233 total breaches in the first six months of 2017; in all of 2016, about 450 breaches were reported. The company also reports that the trend first noted in 2016 has continued, with an average of one health data breach per day. Protenus tracks breach inci­dents either disclosed to the U.S. Department of Health and Human Services (HHS) or to the media.

However, there are indications that healthcare provider orga­nizations have boosted their cybersecurity efforts and are responding more quickly and strategically to cyber threats. In October, FirstHealth of the Car­olinas reported that it had shut down its computer networks af­ter a threat from a new version of the WannaCry malware virus was detected. The health sys­tem reported at the time that its information system team immediately identified the threat and implemented security protocols. The health system reported that because of the quick response by the infor­mation security team, the virus did not reach any patient information, operational information or databases.

In a 2017 Healthcare Information and Management Systems Society (HIMSS) Cybersecurity Survey, more than half of respondents (60 percent) reported their organizations em­ploy a senior information security leader, such as a CISO. What’s more, the survey results indicated that organiza­tions that employ a CISO or other senior information se­curity leader have adopted holistic cybersecurity practices.

Gauging the current state of healthcare cybersecurity, Mehring says, “Looking at it from a posture and a protec­tion perspective and when I talk to my peers, it feels to me that the water line is overall rising together. Five years ago, I think, in healthcare, what we saw is the ‘haves’ and ‘have nots’ at very dramatic levels. We had healthcare delivery systems and providers with differing levels of security, where a lot of the blocking and tackling secu­rity controls weren’t in place. There was this huge dispa­rate ecosystem, and that’s important because, especially when you get local, we all have to share; in a metroplex, all of our systems talk to each other. It’s important that we all understand that we all have to improve together.”

Mehring also says he is seeing more information shar­ing among healthcare security leaders, noting both infor­mal, local efforts as well as national efforts through cyber threat-sharing groups, such as the National Health Information Sharing and Analysis Center (NH-ISAC) and the HITRUST Alliance. In the Dallas area, one local hos­pital hosts regular summits bringing together local CISOs and security staff. Mehring says, “We share information with each other and give best practices, which is great, as when you get into the healthcare delivery ecosystem, local really matters. National is important, but when we are delivering care and sharing information, a lot of that is happening at a very local level, between health systems.”

Evolving External Threats

It’s widely known that healthcare is a prime target for hackers and cybercrime, with malware and ransomware attacks a constant concern for healthcare security lead­ers. In May, the WannaCry ransomware virus plagued the National Health Service in the United Kingdom and the NotPetya malware caused massive disruptions to multinational companies in 65 countries back in June, including health IT company Nuance Communications, which had to shut down its network.

Like many other healthcare security leaders, Mehring sees ransomware as a major threat to many industries, including healthcare, and one that will not go away any­time soon. As one silver lining, though, he also notes that security vendors are providing more robust infra­structures in response to the malware threats.

“I think a lot of people learned their lessons very quickly around ransomware and how to handle it. That includes, number one, putting the right protections in place on the front end, and if it gets in, having the right response and recovery strategy in place. We see many organizations being able to recover quickly from those types of destructive events. I think what you see is a lot of lessons learned being applied, so the impacts have gone down. But, do I think that threat exists? Absolute­ly, and it will continue to evolve.”

One way cyber threats have evolved, Mehring points out, is that hackers are starting to attack what he refers to as the "underbelly,” or the technical supply chain. In the NotPetya malware attack in June, for instance, cybersecurity experts believe that a software update mechanism of a Ukrainian tax preparation program had been compromised to spread the malware.

“When they attacked the Ukrainian application, which was associated to some U.S. companies as well as other companies, they attacked that trust that had been built with that company’s application, and they attacked, es­sentially, the update service associated with that appli­cation. When a malware gets in, with the right level of permission and the right level of access to the environ­ment, it’s going to do a little bit of harm, and depending on how it’s set up, it could do lots of harm.

He continues, “This is something that we really need to pay attention to; the vendors or software services that are integrated tightly into our healthcare delivery sys­tems. It’s probably the next attack vector in, and, unfor­tunately, it’s a great vector into an enterprise, because of the trust that we lay into those types of services.”

The speed of malware attacks is increasing as well, Mehring notes, and that puts more pressure on health­care organizations to have the right tools, techniques and processes in place to respond and recovery quickly. “The organizations that are not able to start to apply automation and orchestration into their infrastructure and services will probably see in the future how the lack of that becomes the real problem and can really impact their infrastructure.”

At Texas Health Resources, Mehring says the organi­zation’s cybersecurity strategy evolves to address these threats, with an increased focus on the security postures of its vendor partners. “You have got to ask really good questions of your vendors and how their services integrate into your environment. You need to ensure they are doing all the things that they should be doing to protect their environment, and yours, in the delivery of that service.”

He adds, ‘If you are integrating a software service into your environment, that’s managed externally by a vendor, you need to ensure you’re putting the appropriate con­trols in place so that any harm caused on their side does not impact the rest of the environment. And we do that through a lot of different ways, through appropriate pro­visioning of accessing and identity, appropriate provision­ing of network services and isolation and segmentation.”

Insiders Remain a Constant Threat

Specialist insurer Beazley reports that in the first nine months of 2017, unintended disclosures accounted for 41 percent of healthcare data breach incidents. The high level of unintended disclosure incidents remains more than dou­ble that of the second most frequent cause of loss—hack or malware (19 percent), according to the Beazley report.

At Texas Health Resources, Mehring says security leaders utilize sophisticated IT monitoring systems, such as behavioral analytics, to detect anomalous behavior as well as continuous auditing and monitoring of protected health information (PHI) within the electronic health re­cord (EHR) and data loss prevention technologies.

There are also non-technical processes and programs that should be used, Mehring points out, such as a hot­line that employees can use to report anomalous behav­ior. “You need a good hotline that allows the reporting of things, and from that hotline, you need to make sure the information is acted upon and communicated to the right department, whether its HR or it’s the legal or se­curity team,” he says.

At a high level, Mehring says it’s critical that the CISO have strong relationships with human resources and compliance leaders within the organization to de­velop processes and policies to identify and address insider threat actions. “From a policy perspective, it’s about who is going to own the policy for that type of data and who sets the rules?” A transparent sanction­ing program also is key so employees are aware that activities are being monitored. “Employees need to know that there is a process in place for accountability when something is inappropriately accessed or inap­propriately shared,” he says.

Medical IoT and Cybersecurity

For many hospital and health system CISOs, the gover­nance of medical device programs is the next frontier in IT security. Healthcare provider organizations are now managing an increasing number of digitally connected devices, and, as more devices come online, the cyberse­curity risk increases and intensifies in complexity.

“I think most of us are still coming to terms with how we characterize IoT. Is a medical device an IoT, is a re­frigerator that stores blood an IoT? Is a monitor that is displaying our marketing information in our hospital, is that IoT? If somebody gets a wearable, is that an IoT? And the answer to that is probably, yes, to all of that in some way,” Mehring says.

A critical, foundational step to managing medical de­vices is developing a comprehensive inventory and asset identification of all digitally connected devices within an organization, he notes. “Then you have to start develop­ing at least some internal rules of how we characterize those types of IoT things and make sure we can differen­tiate between those different asset types because they are going to get different protection profiles. A medical device is going to get a different protection profile than a monitor on the wall in a hospital passageway that’s providing branding information,” he notes.

Understanding how various medical devices communi­cate, both inside and outside the hospital environment, also is a vital step in maintaining and protecting devices. “Developing good data flow mapping and understand­ing the way that devices communicate is very important. That allows you to put in better protection mechanisms once you understand how things communicate with each other. You can ensure that the appropriate communica­tion security strategy is put in place around those devic­es,” Mehring says.

At THR, health system C-suite leaders have long been aware that cybersecurity is not just an IT problem, but a corporate-wide risk management issue, and one that requires an evolving, strategic approach to address the changing threat environment.

 


2018 Raleigh Health IT Summit

Renowned leaders in U.S. and North American healthcare gather throughout the year to present important information and share insights at the Healthcare Informatics Health IT Summits.

September 27 - 28, 2018 | Raleigh


/article/cybersecurity/texas-health-resources-strategic-approach-evolving-cybersecurity-challenges
/article/cybersecurity/healthcare-s-regtech-opportunity-avoiding-2008-style-crisis

Healthcare’s “RegTech” Opportunity: Avoiding a 2008-Style Crisis

September 21, 2018
by Robert Lord, Industry Voice, Co-Founder and President of Protenus
| Reprints

In the financial crisis of 2007 to 2009, the financial industry suffered a crisis of trust. A decade later, banks and other financial institutions are still working to regain the confidence of consumers and regulators alike. In 2008 and 2009, while working at one of the world’s top hedge funds, I had a front-row seat to the damage that occurred to our economy, watching as storied corporate institutions fell or were gravely damaged. Today, as co-founder of a health technology company, I see healthcare is approaching a similarly dangerous situation. We must get ahead of the curve to avoid disaster.

Like finance, healthcare is a highly-regulated industry where non-compliance can result in severe financial and reputational consequences for healthcare companies, and severe impact on people’s lives. We deal with HIPAA, MACRA, HITECH, and hundreds of other foreboding acronyms on a daily basis. A lot of attention goes to the terrific and important work of clinical decision support, wellness apps, and other patient care technologies, but problems in the back office of hospitals must be addressed as well. One of these problems is the amount and complexity of healthcare regulation, and our healthcare system’s inability to keep up.

In finance, where I spent the early part of my career, the adoption of what is termed “RegTech” (regulatory technology) was driven by the increasing complexity of financial technology and infrastructure sophistication.  As trades moved faster, and as algorithms, processes and organizations became more complex, the technologies needed to ensure regulatory compliance had to move in tandem.  The crisis we experienced in 2008 was partially the result of the inability of the industry’s regulatory capabilities to keep up with the pace of technological change.  In many ways, the industry is still playing a catch-up game.

As healthcare professionals, looking to the lessons learned by our colleagues in finance can help us predict patterns and stay ahead of the curve. Right now, I’m seeing alarming parallels to challenges faced in finance a decade ago.

Webinar

How to Assess IT Risk in a Healthcare Environment

In this webinar, Community Health System’s CISO Scott Breece and Lockpath's Sam Abadir will discuss the unique IT landscape of the healthcare industry and the challenges this presents for IT risk...

Robert Lord

The burden of regulation across our industry is simply staggering.  Thirty-nine billion dollars of regulatory burden is associated with healthcare annually, which is about $1,200 per patient, per year. Despite this high cost, we still have $1 trillion of fraud, waste and abuse in our healthcare system. With so much regulation, why are we seeing so little yield from that burden? In many cases, it’s because we’re merely checking boxes and not addressing core risks؅. Like finance, there was a great deal of effort on compliance with regulations, but not enough attention on addressing important systemic risks.

This is not to say I am against good regulation; in fact, many regulations serve to protect patients and improve care. The problem is that there are so many demands on healthcare systems, that compliance and regulation is often reduced to checking boxes to ensure that minimum defensible processes are built, and occasionally spot-checking that things look reasonable. We currently have nowhere near 100 percent review of activities and transactions that are occurring in our health systems every day, though our patients deserve nothing less. However, unless overburdened and under-resourced healthcare providers and compliance professionals can achieve leverage and true risk reduction, we’ll never be able to sustainably bend our compliance cost curve.

Systemic problems are often not discovered until something goes horribly wrong (e.g., Wall Street every decade or so, the Anthem data breach, etc.). Today In the financial industry, RegTech provides continual, dynamic views of compliance or non-compliance and allows management, compliance professionals and regulators to check compliance in real-time. They can view every record, understand every detail, and automate investigations and processes that would otherwise go undetected or involve lengthy and labor-intensive reviews.

The real promise of these new capabilities is to allow compliance professionals and regulators to perform the truest form of their jobs, which is to keep patient data secure, ensuring the best treatment for patients, and creating sustainable financial models for healthcare delivery. RegTech will open up lines of communication and help create conversations that could never have been had before—conversations about what’s not just feasible for a person to do, but what’s right to do for the people whom regulation seeks to protect.

No longer bound by limited resources that lead to “box-checking,” compliance officers can use new and powerful tools to ensure that the data entrusted to them is protected. At the same time, healthcare management executives can be confident that the enterprises they manage will be well served by risk reducing technological innovation.  Patients, the ultimate beneficiaries of healthcare RegTech, deserve as much.

Robert Lord is the co-founder and president of Protenus, a compliance analytics platform that detects anomalous behavior in health systems.  He also serves as a Cybersecurity Policy Fellow at New America.

 


More From Healthcare Informatics

/news-item/cybersecurity/hipaa-settlements-three-boston-hospitals-pay-1m-fines-boston-med-filming

HIPAA Settlements: Three Boston Hospitals Pay $1M in Fines for “Boston Trauma” Filming

September 20, 2018
by Heather Landi, Associate Editor
| Reprints

Three Boston hospitals that allowed film crews to film an ABC documentary on premises have settled with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) over potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

According to OCR, the three hospitals—Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH) and Massachusetts General Hospital (MGH)—compromised the privacy of patients’ protected health information (PHI) by inviting film crews on premises to film "Save My Life: Boston Trauma," an ABC television network documentary series, without first obtaining authorization from patients.

OCR reached separate settlements with the three hospitals, and, collectively, the three entities paid OCR $999,000 to settle potential HIPAA violations due to the unauthorized disclosure of patients’ PHI.

“Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” Roger Severino, OCR director, said in a statement. “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”

Of the total fines, BMC paid OCR $100,000, BWH paid $384,000, and MGH paid $515,000. Each entity will provide workforce training as part of a corrective action plan that will include OCR’s guidance on disclosures to film and media, according to OCR. Boston Medical Center's resolution agreement can be accessed here; Brigham and Women’s Hospital's resolution agreement can be found here; and Massachusetts General Hospital's agreement can be found here.

This is actually the second time a hospital has been fined by OCR as the result of allowing a film crew on premise to film a TV series, with the first HIPAA fine also involving the filming of an ABC medical documentary television series. As reported by Healthcare Informatics, In April 2016, New York Presbyterian Hospital (NYP) agreed to pay $2.2 million to settle potential HIPAA violations in association with the filming of “NY Med.”

According to OCR announcement about the settlement with NYP, the hospital, based in Manhattan, violated HIPAA rules for the “egregious disclosure of two patients’ PHI to film crews and staff during the filming of 'NY Med,' an ABC television series.” OCR also stated the NYP did not first obtain authorization from the patients. “In particular, OCR found that NYP allowed the ABC crew to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop.”

The OCR director at the time, Jocelyn Samuels, said in a statement, “This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization. We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.” 

OCR’s guidance on disclosures to film and media can be found here.

Related Insights For: Cybersecurity

/news-item/cybersecurity/independence-blue-cross-notifies-17k-patients-breach

Independence Blue Cross Notifies 17K Patients of Breach

September 19, 2018
by Rajiv Leventhal, Managing Editor
| Reprints

The Philadelphia-based health insurer Independence Blue Cross is notifying about 17,000 of its members that some of their protected health information (PHI) has been exposed online and has potentially been accessed by unauthorized individuals.

According to an article in HIPAA Journal, Independence Blue Cross said that its privacy office was informed about the exposed information on July 19 and then immediately launched an investigation.

The insurer said that an employee had uploaded a file containing plan members’ protected health information to a public-facing website on April 23. The file remained accessible until July 20 when it was removed from the website.

According to the report, the information contained in the file was limited, and no financial information or Social Security numbers were exposed. Affected plan members only had their name, diagnosis codes, provider information, date of birth, and information used for processing claims exposed, HIPAA Journal reported.

The investigators were not able to determine whether any unauthorized individuals accessed the file during the time it was on the website, and no reports have been received to date to suggest any protected health information has been misused.

A statement from the health insurer noted that the breach affects certain Independence Blue Cross members and members of its subsidiaries AmeriHealth HMO and AmeriHealth Insurance Co. of New Jersey. Fewer than 1 percent of total plan members were affected by the breach.

See more on Cybersecurity