Do you talk to your neighbor? This is a question which should be asked of every CISO within the healthcare community (and for those entities which don’t have a CISO, ask the question of the individual to whom you have entrusted the architecture or support of your network).
No longer is it an option to ‘go it alone.’ Your IT team may indeed be the brightest, most creative and energetic team on the face of the earth, but they aren’t experiencing everything. Learning from the experiences of others is key. Keeping abreast of the changing landscape upon which your infrastructure is built is a requisite.
In the United States, the Health Insurance Portability & Accountability Act of 1996 (HIPAA) rules and regulations, accompanied by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 lay down the bare minimum in security and privacy expectations. These are table stakes to handle patient information.
And in 2017, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has shown that HIPAA has teeth. But before we get into how big a bite the OCR may take out of your hide if you have a breach and are found to be out of compliance, let’s take a brief look at what’s happening around us right now.
Ask yourself this: have you discussed internally the ramifications of running your practice or hospital with machines and operating systems which long ago reached their end of life (EOL)? Amazing as it may sound, there remain thousands of Windows XP systems in use, yet XP reached EOL more than three years ago - April 8, 2014, to be exact.
On Friday, 12 May 2017, the UK National Health System (NHS) was debilitated by the explosion of the WannaCry/WanaCrypt0r ransomware, which exploited a known vulnerability (a critical patch had been available since 14 March 2017) and which is based on the EternalBlue exploit and DoublePulsar backdoor developed by the U.S. National Security Agency (NSA); the as-yet-unidentified ne’er-do-well behind it has not been caught. In December 2016, 90 percent of the UK NHS was still running Windows XP.
According to Europol, more than 200,000 victims in 150 countries have been compromised at the time of writing, and that number will climb as more unpatched systems are identified.
Not a week goes by that we don’t read of yet another healthcare provider losing, misusing or otherwise compromising their patients’ data. A recent example: according to HHS, Memorial Hermann Health Systems (MHHS) violated HIPAA when they published a patient’s name in a press release. The circumstances were as follows: a patient presented themselves with fraudulent identification. The hospital staff contacted law enforcement and the individual was arrested. The revelation of the individual’s information to law enforcement is of course permissible. The subsequent press release containing the patient’s name was not.
Another example: once again according to HHS, CardioNet found themselves informing 1,391 patients that their information may have been compromised when an employee’s laptop was stolen from a vehicle at the employee’s home. The OCR review showed the entity had insufficient risk management processes and lacked adequate policies and procedures.
Then there is the case of Bronx Lebanon Hospital Center, which, according to the HIPAA Journal, misconfigured a backup server and for three years had unintentionally made patient data available in an unencrypted form. Misconfiguration of servers and other storage devices happens with regularity, and many times is documented in local media. These writeups should serve as a reminder to all that health care providers need to be meticulous in the configuration of devices and environments.
Then of course, there are those entities who find themselves becoming victims of malevolent behavior by nefarious third parties. For example, entities which fall victim to ransomware may be surprised to be found noncompliant with respect to HIPAA and HITECH.
What about phishing? Metro Community Provider Network (MCPN) was recently breached via a phishing incident. OCR found that even though the entity did an assessment post-breach, it could produce no evidence of having performed a risk assessment prior to the breach, and it did not conduct the post-breach analysis and risk assessment in a timely manner.
There are lessons for all in these incidents.
When the rubber hits the road, nothing good comes from your system being compromised, be it due to an outside entity or your own employees/personnel being lackadaisical about handling sensitive patient data.
What is the financial cost to a business that neglects to safeguard itself from such a fate? OCR fined MHHS $2.4 million for publishing that patient’s name in a press release. CardioNet likewise found themselves faced with a fine of $2.5 million for “failure to implement mobile device security.” MCPN was fined $400,000 for failure to implement risk management plans.
One does not have to experience this all first hand to learn from the experiences of others; instead, leverage these experiences to adjust your own security footprint and infrastructure.
Sadly, many entities are repeat offenders. The data is often lost not because the entity was being specifically targeted, but rather because individual employees were circumventing the infrastructure and losing patient data along the way. It is up to the individual organization to provide the training and security awareness so sorely needed to prevent these losses from becoming more commonplace than they are currently.
CISOs need to ensure that event amnesia doesn’t become the norm within their teams and client base. As the George Santayana adage goes, “those who do not remember the past are condemned to repeat it.”
When dealing with patient data, don’t collect what you can’t protect.
About Christopher Burgess
Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book Secrets Stolen, Fortunes Lost - Preventing Intellectual Property Theft and Economic Espionage in the 21st Century (Syngress, March 2008).