The scope of healthcare data is remarkable. It’s no wonder healthcare cybersecurity is a growing concern as security professionals are challenged by managing and protecting the immense amount of personally identifiable information (PII) and protected health information (PHI) housed in their systems.
Introduce a public health pandemic to the threat landscape, and the healthcare data management and security challenge grows exponentially. In 2020, more than 29 million healthcare records were breached due to the 25 percent year-over-year increase in healthcare data breaches, according to HIPAA Journal’s analysis of the U.S. Department of Health and Human Services healthcare breach data figures.
During the 2021 Cyber Security Hub Healthcare Summit, NetSPI managing director Nabil Hannan and RxMx senior director of engineering Jesse Parente sat down to discuss the world of healthcare data management – notably, how to manage sensitive data securely. They explore the healthcare industry’s regulatory pressures and share insights on how to collect, store, and manage healthcare data securely and look at your data security program holistically using threat modeling and design review initiatives. Additionally, with the pandemic as a catalyst for digital transformation in the healthcare industry, cloud adoption has soared. Nabil and Jesse discuss the benefits of the cloud for data management, along with its security considerations.
Continue reading for highlights from the discussion or watch the full session online here.
In a compliance driven industry, such as healthcare, why is risk-based security so critical?
Jesse Parente: Risk-based security in general, regardless of the industry, is critical. At the end of the day, security is about managing risk. The easiest, and the most obvious answer in healthcare is, it can cost you if you’re not focusing on risk. I was looking into the 2020 breach analysis report by IBM and Ponemon Institute and healthcare breaches were the costliest. That’s mostly due to the fact that it’s a very regulated market. You’ve got laws like HIPAA, which was formed and assigned in 1996, so it’s rather old now. And it’s actually a fairly low bar if you think about it. For example, encryption was considered an optional item back then. But in 2009, the HITECH Act was signed into law, and that gave HIPAA some teeth: Breach notification requirements and additional fines for non-compliance. There were almost 730 reported breaches in the last two years. If you do some simple math, that’s about a breach a day… reported breaches. Now, the average cost per record is about $150-$200 and the average number of records exposed or lost was over 3,000. It’s costly to not focus on risk.
Nabil Hannan: Speaking of breaches and the data involved, ultimately securing personal data is important. People understand why their personal, non-public data should be kept private. If someone else has that information, they could easily impersonate you and ruin things like your credit, or your records, or even steal your identity. And that’s a problem. But we also want to think about healthcare data and the complexities that surround it. For example, there are a lot of children whose data go into medical systems because they go see the doctor. But for a lot of non-adults, when that happens, their parent’s information is also associated with that record. Now you have multiple people whose information is available, their insurance information, home address, financial information in many cases. The importance of securing personal data, especially in the medical field, becomes exponentially more important because of the complexities of your family and relatives whose data may also be associated with your personal records. And the challenge there too, is personal information is something that you can’t easily change. If you, for example, were part of a breach where an attacker accessed your credit card number, you can call up the company and immediately change that number and a new card sent to you. If your social security number gets breached, you can’t change that. Or if your home address is breached, you’re not going to move in order to change that. There are certain data types that are permanent and cannot be changed, data that presents a higher risk if breached – data that is often found in healthcare systems.
How can healthcare IT and security leaders securely collect, store, and manage data?
Jesse: Before you even collect data or store it or manage it, it’s really important to understand what the data is. Also, there’s a concept of minimum necessary. Do you need this data? You have to do an analysis to understand what the data is and if it is sensitive. Classifying data is a really important piece when you’re going to collect and store it. Additionally, pay attention to where that data goes downstream. This is the management aspect of it. Do the vendors that you work with need or have access to some of this data? In 2013, there was a final Omnibus ruling, which was an addition to HIPAA, and this essentially held business associates or vendors that you work with, accountable for non-compliance as well. So, you also have an obligation to make sure that your vendors are doing the right thing, when it comes to collecting, storing, and securing healthcare data.
Nabil Hannan: There is the actual safe way to store and manage data and then there’s the part of making sure you have the data that’s relevant, and you’re only storing and managing the data that you truly need to maintain your business functionality. A significant amount of breaches lately, over the last five years or so, happened because of simple misconfigurations of data storage. So often we see that you may have data stores, such as Amazon S3 buckets, that are meant to be private and internal, but because of the misconfiguration, they’re publicly available to the internet. Understanding what you’re collecting and how it needs to be stored and, then, have automation and processes regularly checking to ensure that the attack surface that your data is exposed to is managed correctly is really important. That’s ultimately the first step: Making sure you have processes in place to ensure that you’re not inadvertently making a configuration change that leaves you exposed.
What can healthcare organizations do now to evaluate their current security posture?
Nabil: There are a lot of common security tactics that healthcare organizations are using today. They are performing regular security scans using automated tools, making sure that their external attack surface is not easily reachable by script kiddies that are also running similar tools on the internet, performing penetration tests with manual humans testing and breaching systems to identify exploitable areas. To take these initiatives to the next level, start looking at things that tools and automation cannot identify, which is design flaws. To describe this, I typically use home inspection as a parallel. If you’ve bought a house, you’ve probably completed a home inspection. A person shows up and they inspect the house at a basic level, checking the locks, windows, insulation, furnace, roof, etc. to see if they work. But looking at a home from the outside in, you cannot truly determine if the house was designed properly. To understand if the load bearing wall has enough support or not, or to understand if the studs are spaced correctly or not, they have to look at the blueprint and look at the internals of how the house was designed. Similarly, for any system, you have to look at the threat model and how the different components of a system interact with each other. Threat modeling is so important because it is a manual process. Tools are not able to tell you what the greatest risks are. It requires a human to think critically and be clever. With threat modeling, you’re identifying what the assets are in your systems and the threat actors that you should care about. Based on that, you define the threat vectors that the attackers would use to try and get to your assets. With this information, you can start assigning trust zones within your systems and determine how those interactions occur and review whether you have the right controls in place, like authentication, authorization, encryption, error handling and logging and things of that nature. I think threat modeling is the next step we need to take as an industry because there is a whole different classification of vulnerabilities and issues that come from the design side. Empirically, we see 50 percent of security issues are at the design level and 50 percent are what we call bugs. We have to start doing threat modeling to uncover the inner workings of how our systems are working and interacting together and whether they pose a threat.
Jesse: I think what organizations can do to evaluate their posture is get a baseline. There are tons of ways to do this with frameworks and certifications. One of my favorites is the Cloud Security Alliance, an organization that’s purpose built to support the transition to the cloud. They have something called the Cloud Controls Matrix that helps organizations align to various frameworks, whether that’s NIST, ISO27001, or HIPAA. When it comes to data, oftentimes the software world is pushing these activities to the left, or the idea of shifting left, and that means doing these security-based activities earlier on in a software development lifecycle. A great example is threat modeling. In the design phase, understand what your threats are and figure out ways to mitigate them. In the cloud, we’re shifting, too. The four walls and the castle approach of securing a perimeter, those days are gone. There is this shift in the landscape changes as well, as we now see a lot of organizations operating partially in the cloud. Because the data is potentially publicly available, we have to find ways to identify where the data is, where the data is going to go, and how to secure it. There are many cloud providers out there, and with that there are many services to help you manage the data and have visibility into the cloud. And for me, that visibility is one of the key things that has helped my organization manage healthcare data securely. Organizations not leveraging the cloud do not necessarily have that visibility. The last thing to remember is that we need to hold our vendors accountable, understand their security posture and what activities are they doing to help secure the data we share.
How has the pandemic triggered the increased adoption in the cloud?
Jesse: Almost overnight, many organizations were forced to have data and resources available remotely and externally accessible. VPNs were overloaded and people scrambled to find a physical space to work outside of the office. The cloud was – and is – an opportunity to make things available. As we saw in our viewer poll, 42 percent of participants are operating partially in the cloud. It’s clear people are experimenting with the cloud and this comes with its own challenges, as organizations haven’t had the opportunity to fully vet and evaluate the cloud. Remember, we should consider cloud providers vendors and need to evaluate them as such – and that requires time. That’s the challenge that’s missing from this rush to make things available and it can create serious problems.
Nabil: There is another gap in our knowledge as employees don’t necessarily know how their organization manages its data. It may be completely invisible to us on whether an organization increased adoption of the cloud. And that’s how it should be. The whole purpose of cloud-based systems is the ability to scale as needed and have elasticity. Teleconferencing systems are a good example of this. The reason Zoom could support the huge demand of users as the pandemic started was because of the cloud. If they were not using cloud infrastructure for their systems, they would not have been able to support the large number of users because it was not expected or planned. And then there are security considerations to think about too. Just because you’re in the cloud and the cloud providers are providing you with certain baseline of security controls and protection, that doesn’t mean that you don’t have to think about security anymore. Ensure you understand the implications of your transition from a traditional data center deployment to the cloud, and ensure you’re maintaining regular best practice initiatives around things like configuration reviews, design reviews, and threat modeling. Be sure to understand the risk implications of the decisions you’re making.