The healthcare industry has certainly become a desirable target among the advanced hacker population. I’m not the only one who recognizes this. At HIMSS15 this year in Chicago, healthcare IT professionals gathered to discuss the hottest topics impacting health IT. This year, patient privacy and data security made the top of the list. This was evident with the event’s new Cybersecurity Command Center that featured breakout sessions, demos, and talks focused on how to improve cybersecurity in healthcare. CIOs and technology professionals alike have banded together since the conference to discuss new, innovative ways to tackle these new cybersecurity threats.
Nonetheless, in many of the recent health data breaches, two main contributing factors were evident that need to be addressed:
- Unauthorized access was obtained through our broadest and most variable vector -- users of our systems.
- Unauthorized access went undetected for an extended period of time.
At this point, we must assume that we are each a potential target for cyber hackers and shift our thinking from perimeter protection solutions toward anomaly detection, education and aggressive process improvement. The goal must be to change the general behavior and practices of our most vulnerable layer, the people who use our systems every day, and to couple that with a focus on rapid detection systems and response protocols that help us quickly identify abnormal and potentially dangerous activity.
Data protection priority goes beyond just PHI
In the healthcare industry, we tend to fixate on Protected Health Information (PHI), as that is the primary focus of HIPAA. Personally Identifiable Information (PII) is NOT covered by HIPAA but must be guarded with the same rigor. An important lesson from the recent breaches is that we must treat and protect all sensitive data equally in order to maintain the sanctity of our patient data and confidence in our ability to secure that data effectively.
Data security is more about knowledge and behavior than tools and technology
Electronic information security is complex and expensive. As such, it is very easy to become overwhelmed by the challenge of striking a balance between security risk mitigation, accessibility/usability and the reality of budget constraints. Many of the out-of-the-box security solutions on the market boast turn-key capabilities that lead us to believe we are “safe” while saving time and money. In fact, there is no silver bullet. Our best investment is in resources that focus on the threat landscape and on implementing thorough solutions built around access control, anomaly detection and response strategies, so that the risk of extended exposure to unauthorized access is systematically lowered.
Recent advances in health IT are moving at the speed of light, but it’s up to us and other healthcare professionals to ultimately be arbiters of the data we supply, transmit, protect and exchange. At NaviNet, we have an entire team occupying an entire floor of our Boston office, known as the NaviNet Operations Center, dedicated to protecting our network, which carries data between 600,000 providers throughout the U.S. and over 30 health plans. We couldn’t be America’s largest healthcare collaboration network if it weren’t for our dedicated team. We as healthcare professionals must each take it upon ourselves to improve our understanding of the risks we present and seek out resources to educate ourselves on safe computing best practices while delivering best-in-class, business-critical applications. So, how does your organization tackle cybersecurity while balancing its healthcare business initiatives at the same time?
Author: Thomas Smolinsky, Vice President & CISO, Technical Operations