Stop us if you’ve heard this one before: a laptop is stolen, and the thief ends up with the owner’s personal data. Financial records and everything else on the disk are made public, because there was little more standing between the attacker and the data than a weak, easily bypassed login password.
Now change one detail: the laptop belongs to a healthcare professional. That single change turns a personal misfortune into a serious problem for the owner and the healthcare organization they work for, and it may also constitute a violation of the Health Insurance Portability and Accountability Act (HIPAA), which governs healthcare organizations, their business associates, and the devices that process and store patient data and records.
The biggest differences between the two nearly identical scenarios are:
- The latter has the potential to negatively affect the privacy of thousands of patients.
- The latter is subject to government regulation, which varies by country and region.
- The latter can and does carry stiff penalties for violations, including loss of employment, steep fines, and in some cases criminal prosecution and incarceration.
Notably, the biggest takeaway from both scenarios is that both could have been mitigated with full disk encryption using a strong cipher, a capability built into every modern operating system at no extra cost.
To be fair, encryption would not have prevented the theft, nor stopped the attacker from trying to read the disk. But with a strong cipher (the default on every mainstream operating system), a strong unlock credential, and recovery keys that are escrowed and protected, the attacker has no practical route to the data: the cipher itself is not the weak point, the passphrase, PIN and recovery-key handling are, and if those are sound the effort required far exceeds what the data is worth to the attacker. Encryption turns a loss of patient data into a loss of hardware, and replacing a laptop is far simpler, not to mention cheaper, than handling a breach.
Everyone plays a role in security
Any security professional will tell you, there is more to information security than simply enabling full disk encryption. The keys to successful implementation of security practices are to:
- Know the business requirements.
- Understand the industry requirements (e.g., regulations).
- Identify the risks to data that systems may be exposed to.
- Communicate with the stakeholders so everyone understands what is necessary to keep data protected.
- Provide users training so they understand what is expected of them and how it ties into the holistic view.
- Implement security plans that comprehensively mitigate the known risks, covering at a minimum device health monitoring, patch management, reporting, and remediation.
- Embrace best practices and guidance from frameworks such as the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS), together with zero-trust and defense-in-depth strategies, to layer protections and verify that they work as intended so that data is secured at all times.
- Vet supply-chain partners and maintain safeguards that limit their access where possible, including access to internal and cloud-based systems, regularly scheduled upgrade cycles for mission-critical, industrial and Internet of Things (IoT) equipment, and controls over how data is accessed and stored on vendor-owned systems.
- Align corporate policies with regulations so they reflect guidelines, best practices, and expectations for all stakeholders working internally and externally for the organization.
Governance + IT work together
Patient health data is regulated by the laws of the country or region where it is held. In the United States it is Protected Health Information (PHI) under HIPAA, which the Centers for Disease Control and Prevention summarizes as “national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.” Violating these protections, in whole or in part, carries repercussions that scale with the severity of the violation. The Office for Civil Rights (OCR) within the Department of Health and Human Services enforces HIPAA’s Privacy and Security Rules, and a leak or breach of patient data is treated as a violation of the patient’s rights under those rules.
Organizational leadership and IT should be cognizant of cybersecurity and its role in ensuring patient confidentiality, since the protections in place fall under their direct purview as the governing body and the systems management body respectively. A lapse here leads to issues well beyond exposure of private records: tampering with patient data and limits on patient care, all of which can harm patient health and may even prove fatal if security issues, such as ransomware making systems unavailable, prevent a patient from receiving care.
Technologies and processes such as zero-trust architecture and cloud-based applications are increasingly adopted to mitigate risk on managed devices. They can act as fail-safes when an issue is detected on a local system, allowing patients to continue receiving the care they need despite a local compromise. Developing change management cycles, disaster recovery plans and remediation processes helps governance decide how data systems should be protected in line with the organization’s particular needs and risk factors.
Additionally, a standardization policy for computing devices and data protection lets IT apply templated configurations to specific device and data types. For example, every laptop issued to a doctor providing telehealth services would carry a minimum set of known protections for patient data:
- Disk encryption.
- VPN.
- Compartmentalization of data to isolate business data from personal data.
- Endpoint protection.
- Managed settings.
With such a template, each device in that category can be confirmed to be configured appropriately to provide end-to-end security coverage.
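The templated-configuration idea above, and the monitoring, patch management and reporting items from the earlier list, can be checked mechanically against a device inventory. The following is an added example written for this page, not code from the original article or from any particular product: it evaluates constructed inventory records against a per-device-type baseline and reports every control that falls short. The field names, the baseline values, the patch-age limit and the sample records are assumptions for illustration; a real check would read the same fields from an MDM or endpoint-management export.

```python
"""Baseline compliance check for managed clinical laptops.

Added example (not from the original article). The baseline, the record
fields and the sample inventory below are assumptions for illustration.
"""
from datetime import date

# Hypothetical baseline for the "telehealth-laptop" device type.
BASELINES = {
    "telehealth-laptop": {
        "disk_encrypted": True,
        "recovery_key_escrowed": True,   # encryption without escrow becomes a lockout risk
        "vpn_profile": True,
        "edr_agent": True,
        "separate_work_profile": True,   # business data isolated from personal data
        "max_patch_age_days": 30,
    },
}

# Constructed inventory records, shaped like an MDM export (not real devices).
SAMPLE_INVENTORY = [
    {"id": "LT-0001", "type": "telehealth-laptop", "disk_encrypted": True,
     "recovery_key_escrowed": True, "vpn_profile": True, "edr_agent": True,
     "separate_work_profile": True, "last_patched": "2024-05-01"},
    {"id": "LT-0002", "type": "telehealth-laptop", "disk_encrypted": True,
     "recovery_key_escrowed": False, "vpn_profile": True, "edr_agent": True,
     "separate_work_profile": True, "last_patched": "2024-02-10"},
    {"id": "LT-0003", "type": "telehealth-laptop", "disk_encrypted": False,
     "recovery_key_escrowed": False, "vpn_profile": False, "edr_agent": True,
     "separate_work_profile": False, "last_patched": "2024-05-10"},
    {"id": "KIOSK-7", "type": "waiting-room-kiosk", "disk_encrypted": True},
]


def check_device(record, today, baselines=BASELINES):
    """Return the list of findings for one device; an empty list means compliant."""
    baseline = baselines.get(record.get("type"))
    if baseline is None:
        # No template covers this device type: flag it rather than silently pass it.
        return ["no baseline defined for device type %r" % record.get("type")]
    findings = []
    for control, required in baseline.items():
        if control == "max_patch_age_days":
            last = record.get("last_patched")
            if last is None:
                findings.append("patch date unknown")
                continue
            age = (today - date.fromisoformat(last)).days
            if age > required:
                findings.append("patch age %d days exceeds %d" % (age, required))
        elif record.get(control) != required:
            # A missing field is treated as non-compliant (fail closed).
            findings.append("%s is %r, expected %r"
                            % (control, record.get(control), required))
    return findings


def compliance_report(inventory, today):
    """Map each device id to its findings so non-compliant devices can be reported."""
    return {rec["id"]: check_device(rec, today) for rec in inventory}


if __name__ == "__main__":
    report = compliance_report(SAMPLE_INVENTORY, date(2024, 5, 15))
    for dev_id, findings in report.items():
        print(dev_id, "OK" if not findings else "; ".join(findings))
```

The check fails closed on purpose: a record that lacks a field, or a device type with no baseline, is reported rather than assumed compliant, which is the behaviour you want when the report feeds a remediation queue.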
Educating the users
In 1597, Sir Francis Bacon is credited with the saying, “Knowledge is power.” The idiom has been repeated by many people since. Simply put, the more you know, the better equipped you are to handle whatever comes your way. That is true of many things in life, and it is an essential way of life for information security at every level, including your users.
Educating your users, particularly those who work with sensitive data as part of their daily job, is a basic requirement for protecting data from unauthorized access. In telehealth this becomes a major necessity: immediate technical support is often unavailable to staff on dispersed work from home (WFH) programs, and an organizational device on a home network set up without professional security oversight, alongside consumer-grade devices, carries additional risk that needs to be mitigated. Teaching healthcare workers the proverbial do’s and don’ts, best practices, and common attack types (for example, how phishing works and how to recognize it so as not to fall prey to it) is important, yet sadly overlooked as a way to close these gaps.
As the adage goes, a chain is only as strong as its weakest link. Bear that in mind the next time an organization that had the resources to buy the latest hardware, hire talented staff, and configure every manner of security control around patient records becomes the victim of ransomware, all because an employee clicked a spoofed email that installed a payload, which encrypted the data on their device and on every system the user could reach at the time of infection, including the monitoring infrastructure watching over patients back at the hospital.
Security is everyone’s responsibility. Whether involved directly or indirectly, all users need to be included in this conversation. Part of the conversation will be foundational; a larger part will concern their specific responsibilities and the productivity tools they use in their roles. By now it is no secret that the global health crisis changed how and where we work. The shift to WFH programs such as telehealth introduced new ways to perform the same tasks, and those new tools should be the catalyst for these education programs, since they are the very tools threat actors target when going after the low-hanging fruit.
Without the company network and security appliances protecting the line of demarcation between work and home, threat actors have retooled to pivot their attacks toward users of popular collaboration, video, and data storage tools, all just as reachable from the cloud for an attacker as for a user, in a concerted effort to compromise devices that are no longer behind the organization’s network perimeter and capture as much data as they can. Healthcare has always been a big draw for threat actors, and the shift to telehealth has opened a new attack vector that determined attackers use to compromise unsuspecting users.
One of the most effective ways to mitigate that vector is training your users. Effective, measurable security awareness training based on proven techniques is available as free or paid resources covering a host of common attack types; phishing, email security, and password policies are among the most popular topics. That should come as no surprise, since these are the avenues attackers most often use to trick employees into divulging information and credentials, which are then used to attack systems and compromise PHI every day.
It’s all about protecting the patients
One area that is not often discussed in the security paradigm is the patient: not the patient’s records, but the patient themselves in relation to their healthcare provider. In these uncertain times, healthcare professionals are understandably being pulled in many directions, and many of these technologies are as new to them as they are to the patients receiving telehealth services. So how are patients’ needs being addressed when it comes to verifying that they are in fact speaking to the correct healthcare professional during a telehealth meeting and not an imposter?
Most of the time, patients are sent a link to a video or chat program. They click the link, enter the meeting room, and are speaking with their provider. However, a common attack in the education sector has had students enter a room they believed to be their virtual classroom, only to find that the person claiming to be the teacher was someone else. That led to tighter controls over virtual meeting spaces, and a student who knows their teacher’s face has a clear signal that something is awry. The same cannot be said for a patient who has never met this particular provider before. Or consider the case where an assistant opens the session to gather pertinent data before the doctor takes over: how can patients verify that the person or people they are speaking to are actually their healthcare providers, and that they are not sharing private medical information with a bad actor who has hijacked the session?
Consider a similar real-world scenario: a representative from a regional ISP knocks on your door, says something is affecting internet access in the area, and asks for some information about your current network conditions. Perhaps they would also like to examine the wiring from the nearest telco to make sure there is no problem with the line into your home. How do you establish that they are who they say they are before letting them in? Offline, asking for identification is the usual answer, but that becomes complicated online, where a credential cannot be inspected so easily.
This is not yet a widespread concern, but if IT has shown one thing, it is that technology is ever changing, and that very dynamism fuels positive advancements while also bringing some difficulties. The good news for patients and providers is that, daunting as the problem may seem, it can be mitigated. Doing so takes forethought to fit into existing provider workflows, but with patient care as the focus, security has to be a consideration.
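One way to give both sides of a video visit something to check before any PHI is discussed is a pair of short spoken codes tied to the appointment. The following is an added example written for this page, not the article’s own mitigation and not any vendor’s product: the scheduling system derives two codes from a secret only it holds and the appointment identifier; the patient sees them in the authenticated patient portal (not in the meeting link), and the provider’s console shows the same pair. At the start of the call the provider reads one code aloud and the patient reads the other back. Someone who merely obtained the meeting link cannot produce either code. The secret, the appointment id format and the six-digit code length are assumptions for illustration.

```python
"""Spoken verification codes for a telehealth session.

Added example, not from the original article. The scheduling secret, the
appointment id and the code length are assumptions chosen for illustration.
"""
import hashlib
import hmac
import secrets

# Assumption: short enough to read aloud, long enough that a guess in one try fails.
CODE_DIGITS = 6


def derive_code(scheduling_secret: bytes, appointment_id: str, role: str) -> str:
    """Derive a CODE_DIGITS-digit code bound to one appointment and one speaking role."""
    msg = f"{appointment_id}|{role}".encode()
    digest = hmac.new(scheduling_secret, msg, hashlib.sha256).digest()
    # Reduce the first four bytes of the HMAC to the code space; leading zeros are kept.
    value = int.from_bytes(digest[:4], "big") & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def session_codes(scheduling_secret: bytes, appointment_id: str) -> dict:
    """Codes for one visit: what the provider says first, and what the patient answers."""
    return {
        "provider_says": derive_code(scheduling_secret, appointment_id, "provider"),
        "patient_says": derive_code(scheduling_secret, appointment_id, "patient"),
    }


def verify_spoken(scheduling_secret: bytes, appointment_id: str,
                  role: str, spoken: str) -> bool:
    """Check a code heard on the call; the constant-time compare avoids a timing side channel."""
    expected = derive_code(scheduling_secret, appointment_id, role)
    return hmac.compare_digest(expected, spoken.strip())


if __name__ == "__main__":
    secret = secrets.token_bytes(32)                   # held only by the scheduling system
    appt = "2024-05-15T10:30/clinic-12/visit-8841"     # constructed appointment id
    codes = session_codes(secret, appt)
    print("patient portal and provider console both show:", codes)
    print("provider code accepted:",
          verify_spoken(secret, appt, "provider", codes["provider_says"]))
    print("link-only imposter guessing:",
          verify_spoken(secret, appt, "provider", "123456"))
```

Binding the role into the HMAC input means the code the provider speaks cannot simply be echoed back as the patient’s answer, and binding the appointment id means a code captured from one visit is useless for another. The codes are only as trustworthy as the channel that delivers them, so they belong in the authenticated portal, never in the emailed meeting link.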
Get the balance right
Between governance, IT, healthcare, and users, priorities can diverge. Everyone is generally driving in the same direction, but how they get there can and often does vary from stakeholder to stakeholder. One of the biggest points of friction, and the biggest opportunity to strike the right balance, lies between what IT must do to secure data and devices and what caregivers need in order to provide adequate care to their patients with minimal friction.
That balance sounds difficult to establish, but it comes down to the same proposition as most information security work: how do we mitigate a given risk to a level the organization can accept? In healthcare there will, by definition, be times when the wellbeing of the patient trumps the need for security. That may make security teams reluctant to support newer technologies, but it is what allows the organization to provide the best quality care. In those areas, security teams will often have to find non-traditional ways to mitigate risk, through more education, additional processes, or novel security tools, so that private data stays protected.
A second balance follows from the first: as security, endpoint management, and the remediation of security incidents are addressed, the healthcare provider’s experience must be considered. Many providers are not especially technical and are focused on delivering the best care. As IT and security teams build out their processes and tools to mitigate risk, the impact on the provider’s daily work, and on their work during a security incident, becomes an important consideration. Patients benefit from the whole process through a painless experience that keeps their privacy and healthcare data protected while they receive care.