2/10/2014
09:05 AM
Kate Borten
Commentary

Healthcare Information Security: Still No Respect

More than a decade after publication of HIPAA's security rule, healthcare information security officers still struggle to be heard.

When I first was introduced to the infosec subculture in the 1990s, there seemed to be very few of us in healthcare provider organizations with official security roles. And we were mostly "stuckees" who just fell into the job. (You know, someone in charge pointed at you and said, “You’re now our security person.”)

You’d think patient privacy, and, thus, security, would be embraced, but it wasn’t so. Doctors and nurses swore they already were privacy sensitive. And, after all, we weren’t banks holding money to be stolen… Who’d want to steal our databases with a few million boring medical records? 

Photo credit: Flickr

We struggled to be heard in our organizations, to implement policies and strengthen passwords. But we were often thwarted and viewed as obstacles, if not threats, to patient care. Where else would you be told that patients might die because you made doctors memorize their own secret, six-character passwords? Or were made to feel audacious asking for staff while nurses were being laid off?

My own IT co-workers openly shared their passwords and laughed at my raised eyebrows. (OK, so I was an easy target with my earnestness and zeal, but still…) When the system administrator of our token authentication server left for another job, he handed in his token with his PIN taped to the back. He didn’t even try to hide the fact that he’d completely undermined the token’s purpose. 

My healthcare infosec colleagues and I did have a smattering of support from sincere leaders who got it. These champions understood the risks and the value of an infosec program to mitigate them, at least theoretically. One of my favorite doctors reported chiding medical residents for failure to log off their exposed hallway computers before walking away, and he routinely logged off any open computer he found. But when it came down to requiring managers to take time to review lists of users, for example, or, most challenging of all, enforcing security policies across the organization, support withered.

We stuckees consoled each other at healthcare security and privacy conferences. We attended sessions where we shared ideas for getting leadership buy-in and for running an infosec program on a tiny budget. But, to rephrase Rodney Dangerfield’s famous line, we lamented, "We don’t get no respect."

So what’s changed in healthcare security since the 90s? HIPAA’s security rule has definitely heightened awareness, and the word "security" pops up a lot more now. Healthcare organizations and their business associates have security policies, they talk about security at workforce training sessions, and they have designated security officials -- all required by HIPAA.

But here we are, more than 10 years after the security rule’s publication, and not nearly enough has changed. Yes, some organizations have recognized that this isn’t simply about regulatory compliance; it’s a business risk issue. And to do the job right, there needs to be a formal infosec program with a visible structure, real security expertise, and support at the top.

Where are the CISOs?
From what I see, security savvy organizations are in the minority. Too many organizations’ infosec programs are still very immature. The glaring signs are: 1) lack of internal security expertise; and 2) insufficient resources to carry out security functions.

HIPAA requires healthcare organizations and their business associates to designate an information security official, or ISO. But time and again I see that the ISO is either a maxed-out CIO with no security background or experience, or else a network administrator stuckee who may have some notion of network security, but no training, and little time for this extra responsibility.

It continues to be unusual to see a full-time ISO with security credentials, much less staff, in other than the largest healthcare networks. Yet even in smaller organizations, reasonable security programs are by definition complex, require awareness of good security practices, and require people to implement and monitor security processes. Never mind the question of regulatory compliance. It’s just not possible to have such a program without expertise and resources.

Even mature infosec programs can’t eliminate all risk. But too many breaches today -- not only in healthcare but in other sectors -- aren’t due to zero-day attacks exploiting previously undiscovered vulnerabilities. They are avoidable events that are frequently tied to lack of security expertise and resources to implement security controls.

In healthcare, and elsewhere, lost and stolen laptops, hard drives, USB drives, and the like with unencrypted patient information are the biggest sources of breaches. To be sure, with today’s wide use of a variety of tablets and smartphones, mitigation strategies such as encrypting all end-user devices and media can be challenging financially and technologically. But slapdash security will keep us in a breach-a-week muddle.

We need to appoint ISOs with security knowledge and experience, and then give them enough clout and staff to accomplish the processes required by HIPAA and good practice. It’s time for senior leaders to finally recognize the essential business value of infosec and provide the necessary resources to make it happen. We need R-E-S-P-E-C-T!

Kate Borten, CISSP, CISM, provides her clients with expertise in security, privacy, and health IT from over 20 years inside the healthcare industry. In the 1990s she led the enterprise-wide security program at Massachusetts General Hospital, and as Chief Information Security ...

Comments
jetskibaby
User Rank: Apprentice
8/20/2014 | 2:42:22 PM
Re: Typical ISO role in healthcare?
I appreciate your expansive sound advice. I especially appreciate the idea of making the Top 20 (at least the first few) on the high priority list. The discussion will help management gain trust in me, too. Thank you!
aws0513
User Rank: Moderator
8/20/2014 | 10:59:32 AM
Re: Typical ISO role in healthcare?
I have recently stepped into a similar situation at a state government health department.
Same situation as you.  The only new sheriff in town.  But this is not my first rodeo.

I have been involved with several federal level projects where I also had to assist in standing up and establishing a security program.  I wasn't the CISO or CIO, but I was "The Hand" in the effort to implement a security program that followed established frameworks with attention to any and all regulatory concerns associated with the project.

Some key points of advice...  things that have helped me be successful in my ISO roles.

1) Know what your regulatory concerns are.  In a hospital, HIPAA is pretty much king.  But there could be others.  My experiences with audits regarding HIPAA systems have been that NIST standards become the compliance framework used to support HIPAA policy enforcement.  So get yourself some copies of NIST 800, grab a few favorite cold drinks to keep you awake, and begin reading.  My favorite is 800-53 because it is becoming common for audits to reference security controls from this publication.

2) Determine a roadmap that will help you get what needs to be done first, regardless of regulatory compliance.  If you look at much of the regulatory requirements, none of them will provide a plan on how to get everything covered and maintained.  For regulatory stuff, everything is important and it is up to the organization to figure out what is important.  I use the Critical Security Controls (CSC) framework to establish that roadmap.  This framework provides "what works" and "what needs to happen first" guidance that is straightforward and easy to relate to management.  The CSC controls do map out quite well to most of what is in NIST 800-53 and in turn support requirements for HIPAA.
Note: As you work through the CSC, make sure that items 1 and 2 are fully operationalized before diving too deep into anything else.  CSC items 1 and 2 are foundational and need to be rock solid for any other security controls to be marginally useful.  My favorite link in this regard is http://www.sans.org/critical-security-controls/

3) Educate your supervisor.  If your supervisor is already a security professional, this may be already done.  But in the common chance that your supervisor is not a security pro, you will need to get them on your page.  Either way, show them your plan.  Educate them on what you feel is a good road map to establishing and maintaining necessary security controls.  Get buy-in from your supervisor on your plan, whatever it may be, first.  Your supervisor should be able to help you identify resources to help you implement the controls necessary for a good security program.  I actually demand an hour of time every week from my supervisor to talk through the CSC and its relevance to NIST and HIPAA.  During this time, I also bring them up to speed on those things I am challenged with.  A good supervisor should be able to identify a plan to mitigate those challenges so that the right things can be accomplished.

4) Educate organization management at all levels where you can.  This is similar to what you are doing with your supervisor, but broader in scope.  All the security controls necessary for a good security program require everyone to be in on the effort.  Not just IT people...  EVERYONE.  The management understanding of the problem will greatly help in this effort.  New policies or changes to existing policies will work better if the management fully knows the answer to the classic "Why" question for any security control or policy.  I find it most effective when I can talk through things in person with managers.  Small settings where brainstorming and inputs are more easily shared.

5) My favorite line as an ISO: "How can we get to yes?"  It is common for people to think of the security pro as the person who likes to say "no".  I try to avoid that by learning exactly what the goal of the customer may be and, working with everyone involved, try to find a way to "yes".  If you can establish that reputation and still keep all the necessary security controls in place, you will do very well in your career.

The rest... well.  You're a CISSP.  You should know the rest.  :-)

Best of luck.  I hope this was helpful.
jetskibaby
User Rank: Apprentice
8/19/2014 | 7:13:02 PM
Typical ISO role in healthcare?
I am a [female] HIPAA ISO of a 2,600 bed community hospital in California. I have a BS in IT, the CISSP and PMP certifications, and I report to the CIO/CISO, who is two steps above my level. This position has been in existence less than a year and I am the only security person. We are attempting to determine what roles I should play in the organization and who I should report to. I often work directly with supervisors and managers in my department, and managers in other departments. Do you have any recommendations, example cases, job descriptions, etc. that could help us? Thanks, Jeannette
anon5450533792
User Rank: Apprentice
4/18/2014 | 6:42:31 AM
Re: Exceptions to the rule?
We found in our recent independent research that hospitals, care providers and medical insurers experience twice as many internal security breaches in comparison to other sectors. As we are seeing more and more patient data being stored digitally, it's important that the appropriate steps are being taken to ensure that data is secure from both malicious attack and accidental breaches.

More information from this report can be viewed here:

http://www.isdecisions.com/blog/it-security/healthcare-suffers-double-the-average-amount-of-internal-security-breaches/
asksqn
User Rank: Ninja
User Rank: Ninja
3/27/2014 | 2:56:12 PM
Preaching to the choir
The weakest link in the HIPAA chain will always be the human one as far too many medical personnel are too self important (cough doctors cough) to even remember their own passwords.  To a lesser extent, nursing personnel also don't have a clue.  The bottom line is that security is not afforded a whole lot of respect (despite tremendous lip service to it by CEOs) because the cost of hiring competent personnel to implement (and train users) cuts too deeply into corporate healthcare profits.
J_Brandt
User Rank: Apprentice
2/14/2014 | 10:33:43 AM
Inconvenience and expense
"From what I see, security savvy organizations are in the minority." So true.  Security is intrusive on the end user.  It clogs up workflows.  It is expensive.  Many measures can be circumvented by an uninformed and disinterested user.  To the uninitiated it's just an inconvenience.  Is it any wonder that senior executives and management would rather avoid it?  Too many people want the barest minimum (which is often below the true bare minimum), not realizing that route often ends up being much, MUCH more expensive.
Kate Borten
User Rank: Apprentice
2/13/2014 | 6:12:47 PM
Re: EPHI Data Breach - One lost laptop or 10,000 recycled computers?
I agree that recycling is a risky business.  However, under HIPAA those companies are "Business Associates" and subject to government penalties for noncompliance.  That includes responsibility for destruction processes - such as per NIST Special Publication 800-88 - that prevent accidental disclosure of ePHI.  Even if the small healthcare organization fails to get a signed BA contract, HHS says "if it walks like a duck..."  These companies are HIPAA BAs.
Gary Scott
User Rank: Apprentice
2/13/2014 | 6:01:55 PM
EPHI Data Breach - One lost laptop or 10,000 recycled computers?
The biggest source of data breaches is not the one or two stolen laptops we hear about in the news but the hundreds of thousands of PCs and loose hard drives that organizations donate or send out for recycling.

Small healthcare organizations continue to rely on electronic recycling companies to destroy hard drives and other digital media which may contain 1 million EPHI records each.  These unvetted recycling companies are allowed full access to EPHI - computer hard drives - from the time they leave the healthcare organization until the drives are finally destroyed.

Organizations should insist that electronic recyclers physically shred hard drives (EPHI) prior to their leaving the organization's custody.
Marilyn Cohodas
User Rank: Strategist
2/13/2014 | 3:00:23 PM
Re: Funding or structure?
"People don't know what they don't know."

Kate, I really think that is true on so many levels. On the medical side, I think doctors' training is to diagnose a condition through medical tests. In many cases, rule out things to discover what a patient doesn't have. Figuring out what you don't know is much much harder... That's true in medicine, InfoSec and most everything we do in life!
Kate Borten
User Rank: Apprentice
2/11/2014 | 3:17:48 PM
Re: Funding or structure?
It's not inconsistent for CIOs to say their job is to keep the organization out of the papers (and really mean it), and yet not have good infosec programs in place.  They often don't know what a strong program looks like.  This is a big problem since, in my experience, many organizations of all sizes - but especially small - are not compliant.  They don't know what they don't know.  I'm sympathetic to the regulatory burden in healthcare, but good security is good business.  I think the real issue comes down to money.