At the iHT2 Miami Health IT Summit, expert panelists discussed the best ways to protect patient data, agreeing that the vulnerability of the healthcare industry and the value of medical data make the sector ripe for attack.
On Feb. 10, at the Health IT Summit at the Ritz-Carlton Coconut Grove in Miami, Fla., sponsored by the Institute for Health Technology Transformation (iHT2, a sister organization of Healthcare Informatics under our corporate parent organization, the Vendome Group LLC), panelists discussed data security as part of a session titled "IT Risk & Compliance: Securing ePHI." On the panel were: moderator John Christly, CISO/HIPAA security officer, Nova Southeastern University; Tim Ramsay, associate vice president and CISO, HIPAA Security Officer, IT, University of Miami; Marlon R. Clarke, Ph.D., director of network operations and services and adjunct faculty, Graduate School of Computer and Information Sciences, Nova Southeastern University; Leon Hoover, CIO, Hendry Regional Medical Center; and David Finn, Health IT officer, Symantec. Below are excerpts of that panel discussion.
How does the risk of an attack in the healthcare sector compare to other industries?
David Finn: I'm tired of seeing the 'wake-up call' headlines every time we have a major breach. We continue to see it, yet most of the industry seems to be sound asleep. CFOs and CIOs need to understand this fact: this is an industry problem, a business problem. Healthcare is a target, the FBI has said that repeatedly to us. The new business model is about sharing data that is more secure than ever before. Talk about mixed signals! A credit card record might be worth a dollar or two on the black market, but a patient data record is worth $40 to $80 perhaps.
Marlon Clarke: It comes down to value. Data from a medical facility can be used to do phony medical care in addition to the financial stuff, so the value is just so high. It was reported a medical record was sold on auction for $251. Financial data and medical data are not comparable anymore. It's a no-brainer.
What are the main threats in 2015 and beyond?
Tim Ramsay: Look at the automobile industry, it was the race cars that developed brakes, as they let you go even faster in and out of turns. When we are deploying telehealth, moving out to the patient community and sharing data, it's about going safely under control. The only thing worse than making a billion dollars is spending two billion on fines. You see what Capital One and Bank of America are doing, monitoring potentially fraudulent charges, saying "this person has never signed on at 2 a.m. to make a transaction." Charge denied! That is the level of granularity we need. It's about visibility first of all, and then the approach.
Finn: Everyone has their top 10 or 15 things that you need to do as we enter a new year, but at the end of the day, security is a people issue. We have to make it a business problem—businesses need to recognize the tools, and be trained too. A fool with a tool is still a fool. They are guardrails, they are there to help. If we're not turning data into information that is actionable, all we're doing is helping the hardware vendors that sell storage. Educate those who are using the tools about how to use them properly.
Leon Hoover: People are the biggest risk. Also, you have to ask, how do you validate that the person sitting in front of you really is that person?
Clarke: Look at Target. One of the trends is that there are more connected devices than ever before. It has expanded significantly. Security wise, we see that as the threat increasing. Target was compromised by a third-party system. If an attacker is able to compromise a system that takes the vitals of a patient, that increases the threat. We need to develop strategies to better manage the influx of connected devices. Will we ever get our hands around it? It's going to be a challenge.
So it's not the Russian and Chinese hackers?
Ramsay: (Shakes head). Academic medical centers are generally wide open environments, so it's that insider threat, knowing you're at risk; someone who has been taken advantage of and compromised. Our own freedom is being used against us.
Clarke: There is a term "advanced threats." One of the main stages in the attack is a phishing email, and the objective of that is to deploy malware on a computer within the environment. Once the person trusts that link and clicks on it, the entire environment within your organization is now at risk. Yes, the original person might be someone external, but without the person who clicked it and started that chain reaction, the issue would not be happening. Inside employees play a major role.
Is it any different if you're planning for risk in the cloud?
Finn: The due diligence you would do for an electronic medical record (EMR) shouldn't change for the cloud. The cloud isn't something to inherently fear, but you do have to address security up front. Understanding your data shouldn't change anything, and in some ways it should make your life easier. The cloud is unforgiving though; if you make a mistake, it's gone.
Clarke: Addressing all of these concerns up front is the key. It is difficult to go back afterwards. You need to ensure it's all incorporated into whatever agreement you sign with your cloud provider.
So what are the best practices for being compliant?
Finn: When the phase of it being implemented has passed, and now you have to remain compliant, it has to become a business issue. IT can't be the police for everything out there. Until you get a top-down model built, this is where it breaks up. As a security specialist or an IT person, if you have done all your work, the business then has to own it. If you haven't figured that out, it's all for naught.
Ramsay: Security isn't compliance. Home Depot and Target were PCI-compliant when they were breached. It's not about checking the box. If you track the way they made it through Congress, every time they referred to the National Institute of Standards and Technology (NIST). Strip away the acronyms, it's about data segmentation. When it comes to privacy, our technology is ahead of our ability to manage it. This will define our time.
Clarke: If you practice good security within your organization, forget about the regulations for now. Just do a good job of securing your environment, because if you do that, you have won half the battle. Then look at the specifics that the regulations might require.
Finn: I say stick with NIST, it covers all the rules. No one is keeping pace like NIST. If you're struggling, I really back the NIST approach, it's the way to go.
Ramsay: We are seeing a lot more alignment, people are talking to one another. Don't feel like you are being left out. You cannot manage what you can't measure. If compliance in your organization is people checking boxes, you need to increase the level of sophistication. The people issue is the goal. Compliance is about shaping the culture, more than trying to fight the bad guy, because you're outnumbered.
Clarke: The best compliance is to make it inaccessible. But a more reasonable approach is to implement reasonable controls, with reasonable technology to support the objectives of the business. It comes down to managing your risk because I don't think you'll ever be 100 percent secure.
Ramsay: Imagine having a party at your home, and as people walk in, you want to know if they were invited, so you have someone who greets them at the door. Now, your guests cannot go into the bedrooms. But if they do get there, they can't get to the safe. If they do get to the safe, they can't get the combination to get inside it. The idea is to make them break multiple things. Hackers are businessmen and will go where it's easiest. When securing ePHI, perfection is not the standard. Take what you can get, be reasonable. If security wins at the expense of the business, it will be a short tenure for the security staff. You need to blend the needs of both sides. It's the weak that will be taken advantage of. Don't be among them, be no less than the middle of the herd.
Finn: Good security now is better than perfect security never, because there is no such thing as perfect security.