Solutions for mitigating health care investigation complexities and risks
June 27, 2017
By Shane Whitlatch
A large hospital group with 60,000 users experiences a data breach.
Patient records are offered for sale on the “Dark Web” and the provider has to track down the source of the breach. Management at the provider starts an investigation, which requires a team of staff to review potentially hundreds of different applications and the access rights of countless vendors and other third parties.
Traditionally, health care data breaches and the ensuing investigations were managed reactively. For example, an outside agent accesses information in a criminal manner, offers it for sale, and the company finds out about the issue from the authorities. Or maybe their internal IT discovers irregularities, but it’s well after the theft occurs, so the company has to piece together what happened.
An industry shift from a reactive to proactive approach is key to reducing breaches.
Overcoming challenges
Contrast the challenges facing health care providers with banking institutions.
With a bank, there is typically a core application that manages transactions between both the customer and the bank. There might be some other related applications, but the main application provides structure and accountability to various processes. In a health care setting, such as a larger hospital group, there could be hundreds of applications in use simultaneously. Each one might have different data set standards, and there may be little to no interconnectedness between the solutions.
The IT capabilities of hospitals and providers have evolved over time, but not at the same speed as other industries. Whether they are confronting ransomware or managing breaches, these IT departments need to oversee a multitude of applications that might all contain private patient information. It’s fundamentally a breadth issue, as health care requires specialists, various departments and outside referrals to all work together for patient care. This breadth means the efforts taken to manage and catalog user identities are a massive problem in health care. User names are not typically connected between applications, so can the organization be sure “Steven Ray Reynolds” is also “srrreynolds” on another application? Security risk analyses are worthless unless all of the users are properly identified.
Another health care-specific challenge is the ability of clinical applications to provide investigators with usable information. These applications are designed to provide fast and accurate clinical care, and many of these systems were not originally built to provide an audit trail for forensics. They’re technologically challenging and outdated, which puts additional pressure on IT. Regulations such as HITECH and Meaningful Use force EHR providers to produce audit logs if they are going to be reimbursed, so many providers are now offering audits as part of their technology.
Regulation is another challenge for conducting data security investigations. When health care providers are dealing with potential lawsuits and/or federal investigations, they need to be 100 percent certain of their investigation’s findings. There simply must be accurate data before bringing a case to court or in front of regulators.
Implementing proactive responses
Health care providers can move beyond their typical reactive style by implementing several best practices. Here are five ways firms can transform their data security processes:
• Health care providers can take several steps to proactively improve their security risk exposure, and make it easier to conduct fast and accurate investigations. A first step is to aggressively invest in security programs that go beyond the bare minimum that might be required by regulations. Providers must bring in expertise in terms of both upgrading of the security staff and their capabilities. It also requires thorough and continuous review of acceptable use and identity access policies. After some health care breaches, it comes to light that the affected organization did not perform identity access audits or change policies for years.
• Shoring up the organization’s information data security can also mean bringing in third parties. This can mean adding the latest technology for monitoring and data protection, and utilizing third-party consultants and managed services providers. Third-party firms offer advanced monitoring tools and can help organizations identify users across all platforms, and then set access rules to limit breaches.
• Health care providers and third parties can’t protect against the unknown, so there must be an evaluation of where all of the at-risk information resides. Organizations must catalog where the sensitive information is held, whether it’s protected health data, financial records of patients or internal information or personal employee information. The cataloging should not only look at where the information resides, but also who can access the data, and how restricted (if at all) is that access. Performing a risk analysis is essential so that organizations can better match up new technology tools and new security employees to the most pressing need. Compiling all of an organization’s data also gives it an opportunity to delete unneeded information (assuming that fits within regulations), which can further reduce their risk exposure.
• An aggressive data-user monitoring program provides health care organizations with automated data about user behaviors. It helps IT to quickly answer questions. Is the employee who accessed 1,000 records last week engaging in a new management-approved project and their access is simply part of their job? Or should the employee be considered a potential breach suspect? Real-time monitoring provides IT with immediate data, so they can proactively stop potential breaches and also quickly train employees who are not following protocol but are not engaging in criminal behavior.
Advanced monitoring tools have workflows built in, so management can set role-specific monitoring. Real-time monitoring also enables firms to assign investigations at the corporate level, so investigators have an immediate “head start” on which users committed the breach, and the records that were accessed.
• Monitoring provides an opportunity for employee training, which must be frequent and thorough. Organizations should find ways to reward positive behaviors when it comes to data security. Perhaps a staff member raises a concern with management before allowing a third-party vendor to use access information. Reinforcing positive actions will prove more effective than only punishing offenders.
Moving forward
Without advance preparation, performing a data breach investigation is an arduous process. It can involve paying massive fees to security forensic specialists who have to develop a “chain of custody” for the information by wading through thousands of users and potentially millions of records. The potential liabilities are extraordinary, as the providers risk losing the public’s trust and will likely need to offer expensive services such as credit monitoring to the exposed patients. And with U.S. regulations requiring the public media disclosure of any breach involving 500 or more patients, organizations can cast away any dreams of breaches not becoming nightmares.
The costs can reach tens of millions of dollars for larger organizations, but thankfully the risks can be greatly reduced by following best practices. Implementation of monitoring and user identity tools as well as intensive training can develop a “culture of security” where potential risks are proactively stopped in their tracks.
About the author: Shane Whitlatch is enterprise vice president at FairWarning, and is responsible for oversight and management of programs and organizations that bring customers to FairWarning and create measurable business value for customers. He is responsible for the operation and strategy of FairWarning’s strategic partnerships as well as its largest global customers. During his time at FairWarning, the customer community has grown from 20 to over 300 enterprise customers across six countries.
A large hospital group with 60,000 users experiences a data breach.
Patient records are offered for sale on the “Dark Web” and the provider has to track down the source of the breach. Management at the provider starts an investigation, which requires a team of staff to review potentially hundreds of different applications and the access rights of countless vendors and other third parties.
Traditionally, health care data breaches and the ensuing investigations were managed reactively. For example, an outside agent accesses information in a criminal manner, offers it for sale, and the company finds out about the issue from the authorities. Or maybe their internal IT discovers irregularities, but it’s well after the theft occurs, so the company has to piece together what happened.
An industry shift from a reactive to proactive approach is key to reducing breaches.
Overcoming challenges
Contrast the challenges facing health care providers with banking institutions.
With a bank, there is typically a core application that manages transactions between both the customer and the bank. There might be some other related applications, but the main application provides structure and accountability to various processes. In a health care setting, such as a larger hospital group, there could be hundreds of applications in use simultaneously. Each one might have different data set standards, and there may be little to no interconnectedness between the solutions.
The IT capabilities of hospitals and providers have evolved over time, but not at the same speed as other industries. Whether they are confronting ransomware or managing breaches, these IT departments need to oversee a multitude of applications that might all contain private patient information. It’s fundamentally a breadth issue, as health care requires specialists, various departments and outside referrals to all work together for patient care. This breadth means the efforts taken to manage and catalog user identities are a massive problem in health care. User names are not typically connected between applications, so can the organization be sure “Steven Ray Reynolds” is also “srrreynolds” on another application? Security risk analyses are worthless unless all of the users are properly identified.
Another health care-specific challenge is the ability of clinical applications to provide investigators with usable information. These applications are designed to provide fast and accurate clinical care, and many of these systems were not originally built to provide an audit trail for forensics. They’re technologically challenging and outdated, which puts additional pressure on IT. Regulations such as HITECH and Meaningful Use force EHR providers to produce audit logs if they are going to be reimbursed, so many providers are now offering audits as part of their technology.
Regulation is another challenge for conducting data security investigations. When health care providers are dealing with potential lawsuits and/or federal investigations, they need to be 100 percent certain of their investigation’s findings. There simply must be accurate data before bringing a case to court or in front of regulators.
Implementing proactive responses
Health care providers can move beyond their typical reactive style by implementing several best practices. Here are five ways firms can transform their data security processes:
• Health care providers can take several steps to proactively improve their security risk exposure, and make it easier to conduct fast and accurate investigations. A first step is to aggressively invest in security programs that go beyond the bare minimum that might be required by regulations. Providers must bring in expertise in terms of both upgrading of the security staff and their capabilities. It also requires thorough and continuous review of acceptable use and identity access policies. After some health care breaches, it comes to light that the affected organization did not perform identity access audits or change policies for years.
• Shoring up the organization’s information data security can also mean bringing in third parties. This can mean adding the latest technology for monitoring and data protection, and utilizing third-party consultants and managed services providers. Third-party firms offer advanced monitoring tools and can help organizations identify users across all platforms, and then set access rules to limit breaches.
• Health care providers and third parties can’t protect against the unknown, so there must be an evaluation of where all of the at-risk information resides. Organizations must catalog where the sensitive information is held, whether it’s protected health data, financial records of patients or internal information or personal employee information. The cataloging should not only look at where the information resides, but also who can access the data, and how restricted (if at all) is that access. Performing a risk analysis is essential so that organizations can better match up new technology tools and new security employees to the most pressing need. Compiling all of an organization’s data also gives it an opportunity to delete unneeded information (assuming that fits within regulations), which can further reduce their risk exposure.
• An aggressive data-user monitoring program provides health care organizations with automated data about user behaviors. It helps IT to quickly answer questions. Is the employee who accessed 1,000 records last week engaging in a new management-approved project and their access is simply part of their job? Or should the employee be considered a potential breach suspect? Real-time monitoring provides IT with immediate data, so they can proactively stop potential breaches and also quickly train employees who are not following protocol but are not engaging in criminal behavior.
Advanced monitoring tools have workflows built in, so management can set role-specific monitoring. Real-time monitoring also enables firms to assign investigations at the corporate level, so investigators have an immediate “head start” on which users committed the breach, and the records that were accessed.
• Monitoring provides an opportunity for employee training, which must be frequent and thorough. Organizations should find ways to reward positive behaviors when it comes to data security. Perhaps a staff member raises a concern with management before allowing a third-party vendor to use access information. Reinforcing positive actions will prove more effective than only punishing offenders.
Moving forward
Without advance preparation, performing a data breach investigation is an arduous process. It can involve paying massive fees to security forensic specialists who have to develop a “chain of custody” for the information by wading through thousands of users and potentially millions of records. The potential liabilities are extraordinary, as the providers risk losing the public’s trust and will likely need to offer expensive services such as credit monitoring to the exposed patients. And with U.S. regulations requiring the public media disclosure of any breach involving 500 or more patients, organizations can cast away any dreams of breaches not becoming nightmares.
The costs can reach tens of millions of dollars for larger organizations, but thankfully the risks can be greatly reduced by following best practices. Implementation of monitoring and user identity tools as well as intensive training can develop a “culture of security” where potential risks are proactively stopped in their tracks.
Shane Whitlatch