Privacy & Security
Despite some halting progress with cybersecurity readiness, healthcare is still lacking in many key areas, according to a new progress report from the consultancy CynergisTek.
In particular, the study took a look at how healthcare organizations are stacking up with the advice and best practices of the NIST Cybersecurity Framework, as well as the HIPAA privacy and security rules. The findings, say CynergisTek researchers, are "sobering."
WHY IT MATTERS
To start with, the report – based on the results of assessments, audits and reviews performed by CynergisTek at some 600 healthcare organizations and business associates – found that, from the perspective of the NIST CSF, most of the organizations surveyed were still performing "well below where we would like to see them," said CynergisTek CEO Mac McMillan in the report.
It found an average 47 percent conformance with NIST CSF controls and an average 72 percent compliance with the HIPAA Security Rule.
While the HIPAA adherence was slightly better and "within normal range," several specific findings underscored a key point that's become a mantra: "compliance does not equate to security," he said.
For example, while hospitals and health systems may be meeting the letter of the law when it comes to HIPAA rules, CynergisTek researchers found that one of the key planks of conformance with NIST CSF – breach detection – was not where it should be for many of those organizations it assessed.
"Given the threat environment we operate in today where literally some percentage of almost everything computerized is a threat, the inability to effectively discover and respond to events is a real issue," said McMillan.
Worse than the numbers themselves is the fact that they represent only a minimal improvement in NIST CSF conformance since a similar progress report was done this past year – just a 2 percent increase – and CynergisTek actually saw a 2 percent decrease in compliance with the HIPAA Security Rule.
Researchers also found that across the five "core functions" of the NIST CSF – identify, protect, detect, respond and recover – there was relative stability year-to-year, even as the "detect" component lagged the other four.
But when it came to awareness and training, a key driver of the "protect" plank, there was a slight downtick in conformance, the report shows.
That's "likely not significant," researchers conceded, but "it does beg the bigger question around security: If you are not improving, are you actually slipping back?"
Among other notable findings from the study: More than 60 percent of CynergisTek's assessments discovered noticeable gaps in the maintenance of written policies and procedures to guide the healthcare workforce on the use and release of PHI.
As for third-party vendors, "the most common gaps among [them] included risk assessment, access management, and governance," researchers found. And at healthcare organizations, nearly 75 percent of unauthorized insider access came from employees' household members.
THE LARGER TREND
Interestingly, at least on the subject of breach detection, the findings of the CynergisTek report diverge somewhat from those of another study this week, from BakerHostetler, which found that while phishing scam artists are still doing their darndest to take advantage of employee error, one of the bright spots had to do with substantial improvements in in-house detection among the organizations it surveyed.
Whichever of those stats is more indicative of the true larger picture, however, it's inarguable that healthcare still has major work to do when it comes to cybersecurity preparedness – and that goes for all employees across the enterprise, from low-level back office staff to the CEO. Indeed, as we showed this week, too many CEOs – amazingly – still aren't giving infosec the high-level attention and on-the-ground resources it deserves and demands.
ON THE RECORD
David Finn, executive vice president of strategic innovation at CynergisTek, said the decline in the awareness and training category under the NIST CSF "protect" capability "is very alarming considering how much more sophisticated attackers were with targeted phishing attempts and new attack vectors, such as medical devices."
In addition, "the fact that we did not see any improvement in either the respond or recover functions means we may be losing even more ground with the increased number of attacks last year," he noted. "Organizations need to take into account whether their individual security needs are actually being met in order to be truly secure, and not only compliant."
Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS Media publication.
Cryptographic technology addresses the security problems that blockchain doesn’t, according to Cryptoloc Technology Founder Jamie Wilson.
“Everyone is looking at blockchain, but there are a whole lot of flaws with this technology. Even with a private blockchain, you’re enabling a cyberattacker to take control of your entire system. Blockchain also involves the use of an open ledger, which allows an attacker to track back and access your entire medical history,” he told HITNA.
“With cryptographic technology, no one else has access to the information except for the user themselves. There’s also a full audit trail where everything is date and time stamped, so you’ll know who has accessed the file and where they have accessed it from.”
Wilson said security by design – taking a proactive instead of reactive approach to data security by building security into infrastructures from the ground up – is the best approach.
“Cryptographic technology allows just that. By encrypting each and every file uniquely, no two files are the same. And malware and ransomware get reduced, as should a user get attacked, you can identify that they’re being held to ransom.”
Wilson said that heightened levels of connectivity in Australia’s national healthcare system have also created additional points of exposure for cyberattacks, highlighting the need for new ways to secure these systems.
“The ideals behind having a national health system to share and control medical records between doctors, specialists and patients is sound and could vastly improve the quality of healthcare in Australia,” he said.
“Unfortunately, storing and sharing such a wealth of personal data provides many security vulnerabilities and is a lucrative target for cyber criminals.”
With the national healthcare system suffering many compromises – the number of data breaches involving My Health Record has risen from 35 incidents in the last financial year to 42 incidents this year – and more than 2.5 million opting out of using the voluntary system, Wilson said stronger data security technologies are necessary.
“Cybercriminals are not looking at just one individual; they’re looking at a wider collection of information to be able to attack them later and abuse their identity,” Wilson said.
A recent Office of the Australian Information Commissioner (OAIC) report supported his claim, identifying that malicious and criminal attacks were the second largest source of data breaches from the health sector, at 46 per cent.
It also found that cyber incidents were the most common type of attack, accounting for 44 per cent, while theft of paperwork or data storage device was the second most common type of attack (32 per cent).
“A centralised health record system is a fantastic idea. However, we need to be able to secure this data and be able to share this information securely on a global stage to ensure that individuals receive the correct medical treatment that they’re entitled to,” he said.
Wilson also said Australia is not where it needs to be from a global healthcare security perspective.
“Australia is falling with regards to cyber and the securing of information,” he said.
“The best way of doing this is reviewing the way that we do security today and bringing the control back to the user. That gives the user the control to be able to share their information with third parties should they wish to do so. This ensures that information is not flowing out to multiple parties outside of the system.”
In addition, Wilson addressed the need for more security around external mobile devices, especially with more BYOD (bring-your-own-devices) and Internet of Things devices getting integrated into the healthcare system.
“This goes back to what I mentioned around security by design and having security built into every part of the healthcare IT management process,” he added.
Wilson will further discuss how the new cryptographic platform of Cryptoloc reinvents data security at the upcoming 2019 HIMSS Health 2.0 eHealth Summit in Singapore.
The Digital Transformation Agency (DTA), set up to improve people’s experience of government services, has set out new requirements as part of a new Secure Cloud strategy, bringing more change around privacy and security policies for all industries including healthcare.
The new requirements demand Australian software companies to complete a compliance process and accreditation before they’re able to roll out third-party services.
The mandatory policy applies to any third party that uses cloud services to connect with the Department of Human Services (DHS) – this encompasses services such as My Health Record, Medicare, the National Disability Insurance Scheme (NDIS), the Pharmaceutical Benefits Scheme, and other forms of care.
Macquarie Cloud Services Head of Customer Experience Phil Wallace said the move aims to lift security protecting sensitive health data and payments platforms, which is vital for healthcare as it’s responsible for more mandatory data breach notifications than any other sector.
“Because of the sensitive nature of healthcare data, the DHS has always had to meet heightened security standards. The policy has two mandatory requirements, being DHS certification and that cloud providers must use sovereign Australian onshore solutions,” he said.
“Cloud solutions can be complex and distributed by nature. By helping the industry move to new, more secure onshore standards, it removes the threat that one link in the healthcare supply chain could compromise sensitive data and payments for all users.”
Wallace said a secure cloud strategy policy puts in place standard processes for organisations to follow, to enable an industry-wide compliance obligation.
“Health technology is complex; products may be subject to a whole range of standards and protocols, some of which are still being defined. Getting the critical area of data storage security right enables organisations to start concentrating on the protocols in their practice.”
Medical Software Industry Association (MSIA) CEO Emma Hossack agreed with Wallace, adding that privacy of patient information is critical for healthcare providers.
“In the event that providers are using web-based solutions – and this will become increasingly common – then security of transmission and storage of health information is no longer a nice to have; it is essential. There is no privacy without security,” she said.
According to Hossack, associated problems in the healthcare space aren’t to do with software, but rather, how it’s deployed and the security protocols around it.
“It includes allowing multi parties to ‘share’ an individual’s password, which negates the benefit of access logs and weakens security and privacy,” she said.
“This comes down to training; it’s an area which the MSIA will work with the Australian Digital Health Agency on this year to encourage all health organisations to continually train staff on the use of software – both in terms of functionality and security.”
Hossack said this move is just the start of improving privacy and security in healthcare.
She suggested that various divisions of healthcare band together to educate the industry about the changes.
“Change takes time. Education about the importance of security for consumers’ privacy by the government and the whole health industry is the best way to overcome the challenge. Education by colleges and other peak bodies like the Practice Managers Association and nursing bodies responsible for accreditation and standards is also key.”
Greenlight ITC CEO Mike Smith said policy is important, but healthcare providers that aim to meet those policies on their own, with limited resources and constant change, will find it challenging.
The managed service provider and cloud support partner to software companies servicing the healthcare sector has worked with medical billing experts and other healthcare software companies on compliance.
“Many healthcare users face challenges just sustaining current operations in the face of aging assets, rising costs, the war for talent and growing complexity. When healthcare providers partner with local experts for compliant solutions, everybody wins,” Smith said.
Smith said there are a number of other initiatives healthcare providers can take. They include:
Keeping abreast of new legislation or changes
Actioning on changes as soon as possible to allow as much time as possible for adjustment
Keeping customers and partners informed of changes throughout
Identifying efficiencies to offset rising costs
Incorporating other requirements like monitoring and backup when teaming up with a partner.
“New legislation, constant change and more distributed modes of care are making it harder for practitioners to concentrate on helping people. Organisations should look to offload such compliance and security burdens to specialists, so they can free resources to help more people,” he added.
This article first appeared on Healthcare IT News Australia.
How important is medical device classification in a healthcare organisation’s cybersecurity strateg…
Connected medical devices can improve patient care and operational efficiency. However, they also introduce new privacy and security risks. Healthcare providers should rethink their privacy and security practices in light of these new risks.
According to the Office of the Australian Information Commissioner’s (OAIC) latest Notifiable Data Breaches (NDB) report, the health sector accounted for 21 per cent or 54 of the 150 breaches reported between 1 October 2018 and 1 December 2018.
In addition, the global Internet of Things (IoT) healthcare market is expected to grow by 37.6 per cent between 2015 and 2020, opening up more devices to attack. That’s a frightening statistic considering that the healthcare industry already ranks second in data breaches.
Healthcare organisations face two major security challenges:
They are prime targets for hackers
Their attack surface expands every day as more and more medical devices are connected to networks.
When it comes to cybersecurity in the healthcare space, there is a need to recognise that information security and medical device cybersecurity are different, and need to be protected in different ways.
This means taking a visibility-first approach when it comes to medical devices and ensuring that the cybersecurity in place to classify and protect these devices is specifically designed to support them.
According to the Therapeutic Goods Administration (TGA), the Australian regulatory framework for medical devices already captures cybersecurity. Manufacturers have been considering security in their design, and the TGA has been assessing and regulating the security of medical devices through the Essential Principles.
However, as the number of networked devices is growing, the risk profile is changing and public awareness of cybersecurity as a risk is increasing.
This changing landscape has created new challenges for regulators of medical devices, including poor or unclear standardisation, sharing information, publication of vulnerabilities and exploits by users and security researchers, and poor transparency of expectations between stakeholders.
Clinical devices such as glucometers, electrocardiograms and drug infusion systems are potential targets for hackers despite the efforts of manufacturers to secure their products. Considering the essential role these and other devices play in delivering critical care to patients, extra measures need to be taken to protect them.
For example, in any patient care scenario, there is a mix of physical and virtual IT endpoints including IoT assets that often can’t accept agents for technical or regulatory reasons, building automation devices that are overlooked, and clinical devices that have legacy operating systems, or applications that don’t meet typical security standards.
The main considerations for healthcare providers when it comes to security include:
An increased number of medical devices on networks, often using outdated operating systems or uncommon firmware
Mobile devices, which are harder to track and secure
A wide variety of people connecting to and disconnecting from the network, meaning healthcare personnel, office staff, patients, guests and maintenance teams, all require different policies
Ensuring the integrity and security compliance of a mix of IT, IoT, medical and environmental devices without disrupting operations
Clinical engineering teams receiving mixed priorities about what they can do to their legacy equipment to maintain regulatory compliance without impacting patient care
Protecting patient records from loss and cyber incidents to maintain the integrity and confidentiality of electronic information
Third-party vendors and service providers accessing the healthcare network need oversight to prevent security missteps.
Healthcare organisations need to be able to safely expand network access to clinicians, caregivers, research organisations and contractors while securely embracing agentless medical devices.
This means finding a platform that lets them discover, classify, assess and continuously monitor devices, including personally owned and agentless medical devices; enforce security posture and regulatory compliance policies; notify users, restrict or block access, and automate network segmentation; and orchestrate and automate security responses across third-party security tools.
With the volume of networked devices growing and the risk profile increasing, it has become clear that medical device security standards in Australia are lacking, while public awareness of security is growing.
This means that healthcare providers need to take a proactive approach to medical device classification to mitigate the risk and prepare for potential future requirements.
Steve Hunter is the Senior Director for Asia Pacific and Japan at Forescout.
Singapore Prime Minister Lee Hsien Loong recently announced the appointment of a Public Sector Data Security Review Committee to conduct a comprehensive review of data security practices across the entire public service.
The committee will look at measures and processes related to the collection and protection of citizens’ personal data by public sector agencies, as well as by vendors who handle personal data on behalf of the government, according to a statement issued on March 31 by the Prime Minister’s Office (PMO).
Deputy Prime Minister and Coordinating Minister for National Security Mr Teo Chee Hean will be the chair for the committee, which also includes private sector representatives with expertise in data security and technology. Ministers involved in Singapore’s Smart Nation efforts – Dr Vivian Balakrishnan, Mr S Iswaran, Mr Chan Chun Sing, and Dr Janil Puthucheary – will also be part of the committee.
The committee will review how the government is securing and protecting citizens’ data from end to end, including the role of vendors and other authorised third parties. It will also recommend technical measures, processes and capabilities to improve the government’s protection of citizens’ data, and response to incidents. An action plan of immediate steps and longer term measures to implement the recommendations will be developed as well.
International experts and industry professionals, from both the private and public sectors, will also be consulted by the committee, and an inter-agency taskforce formed by public officers across the entire public sector will support the committee.
Although security measures such as the Internet Surfing Separation policy in 2016 and the disabling of USB ports from being accessed by unauthorised devices in 2017 have been implemented across the public sector to safeguard sensitive data, the PMO said that the review is “essential to uphold public confidence and deliver a high quality of public service to our citizens through the use of data.”
The Public Sector Data Security Review Committee was appointed in light of a series of four data-related incidents involving the Health Ministry in the past 10 months. Notably, the Health Sciences Authority (HSA) also said in a statement on March 30 that one of its vendors, Secur Solutions Group (SSG), reported that there was more unauthorised access to the personal information of 800,000 blood donors than previously reported. The data was uploaded online and left unsecured over a period of two months.
The Committee will submit its findings and recommendations to the Prime Minister by November 30, 2019.
