Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

2/10/2014
09:05 AM
Kate Borten
Kate Borten
Commentary
100%
0%

Healthcare Information Security: Still No Respect

More than a decade after publication of HIPAA's security rule, healthcare information security officers still struggle to be heard.

When I first was introduced to the infosec subculture in the1990s, there seemed to be very few of us in healthcare provider organizations with official security roles. And we were mostly "stuckees" who just fell into the job. (You know, someone in charge pointed at you and said, “You’re now our security person.”) 

You’d think patient privacy, and, thus, security, would be embraced, but it wasn’t so. Doctors and nurses swore they already were privacy sensitive. And, after all, we weren’t banks holding money to be stolen… Who’d want to steal our databases with a few million boring medical records? 

Photo credit:  Flickr
Photo credit: Flickr

We struggled to be heard in our organizations, to implement policies and strengthen passwords. But we were often thwarted and viewed as obstacles, if not threats, to patient care. Where else would you be told that patients might die because you made doctors memorize their own secret, six-character passwords? Or were made to feel audacious asking for staff while nurses were being laid off?

My own IT co-workers openly shared their passwords and laughed at my raised eyebrows. (OK, so I was an easy target with my earnestness and zeal, but still…) When the system administrator of our token authentication server left for another job, he handed in his token with his PIN taped to the back. He didn’t even try to hide the fact that he’d completely undermined the token’s purpose. 

My healthcare infosec colleagues and I did have a smattering of support from sincere leaders who got it. These champions understood the risks and the value of an infosec program to mitigate them, at least theoretically. One of my favorite doctors reported chiding medical residents for failure to log off their exposed hallway computers before walking away, and he routinely logged off any open computer he found. But when it came down to requiring managers to take time to review lists of users, for example, or, most challenging of all, enforcing security policies across the organization, support withered.

We stuckees consoled each other at healthcare security and privacy conferences. We attended sessions where we shared ideas for getting leadership buy-in and for running an infosec program on a tiny budget. But, to rephrase Rodney Dangerfield’s famous line, we lamented, "We don’t get no respect."

So what’s changed in healthcare security since the 90s? HIPAA’s security rule has definitely heightened awareness, and the word "security" pops up a lot more now. Healthcare organizations and their business associates have security policies, they talk about security at workforce training sessions, and they have designated security officials -- all required by HIPAA.

But here we are, more than 10 years after the security rule’s publication, and not nearly enough has changed. Yes, some organizations have recognized that this isn’t simply about regulatory compliance; it’s a business risk issue. And to do the job right, there needs to be a formal infosec program with a visible structure, real security expertise, and support at the top.  

Where are the CISOs?
From what I see, security savvy organizations are in the minority. Too many organizations’ infosec programs are still very immature. The glaring signs are: 1) lack of internal security expertise; and 2) insufficient resources to carry out security functions.

HIPAA requires healthcare organizations and their business associates to designate an information security official or ISO. But time and again I see the ISO is either a maxxed-out CIO with no security background or experience, or else a network administrator stuckee who may have some notion of network security, but no training, and little time for this extra responsibility. 

It continues to be unusual to see a full-time ISO with security credentials, much less staff, in other than the largest healthcare networks. Yet even in smaller organizations, reasonable security programs are by definition complex, require awareness of good security practices, and require people to implement and monitor security processes. Never mind the question of regulatory compliance. It’s just not possible to have such a program without expertise and resources.

Even mature infosec programs can’t eliminate all risk. But too many breaches today -- not only in healthcare but in other sectors -- aren’t due to zero-day attacks exploiting previously undiscovered vulnerabilities. They are avoidable events that are frequently tied to lack of security expertise and resources to implement security controls.

In healthcare, and elsewhere, lost and stolen laptops, hard drives, USB drives, and the like with unencrypted patient information are the biggest sources of breaches. To be sure, with today’s wide use of a variety of tablets and smartphones, mitigation strategies such as encrypting all end-user devices and media can be challenging financially and technologically. But slapdash security will keep us in a breach-a-week muddle.

We need to appoint ISOs with security knowledge and experience, and then give them enough clout and staff to accomplish the processes required by HIPAA and good practice. It’s time for senior leaders to finally recognize the essential business value of infosec and provide the necessary resources to make it happen. We need  R-E-S-P-E-C-T!  

Kate Borten, CISSP, CISM, provides her clients with expertise in security, privacy, and health IT from over 20 years inside the healthcare industry. In the 1990s she led the enterprise-wide security program at Massachusetts General Hospital, and as Chief Information Security ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
WKash
50%
50%
WKash,
User Rank: Apprentice
2/10/2014 | 6:07:22 PM
50 Reasons Why We Need Better EHR Security
Depending on what report you read, a stolen medical ID number and record currently sells on the black market for $50 (and as much as $100), whereas a stolen credit card number is only worth $1.  The reason: In gaining access to a person's health records, a hacker has – in one fell swoop – acquired almost full reign of a person's identity, and the opportunity for prolonged fraud against the medical establishment. Yet it's clear the medical community is no where close to having the security controls of say, the banking industry, or the federal government.
zcobb
50%
50%
zcobb,
User Rank: Apprentice
2/10/2014 | 3:25:56 PM
Breaching misperceptions
Thank you so much for this article. Sheds light on a serious problem. Not enough organizations realize any PII is fair game for cyber crooks, the fact that it might be PHI doesn't enter the equation for many of them. And this is so true: "But too many breaches today -- not only in healthcare but in other sectors -- arent due to zero-day attacks exploiting previously undiscovered vulnerabilities. They are avoidable events that are frequently tied to lack of security expertise and resources to implement security controls." Agreed! Stephen Cobb, CISSP
Laurianne
50%
50%
Laurianne,
User Rank: Apprentice
2/10/2014 | 2:37:52 PM
Funding or structure?
This paints quite a different picture than what I have heard from top hospital CIOs, who say things like "It is part of my job to keep us out of the newspaper." Those CIOs speak of a crushing regulatory burden right now. How are the smaller healthcare organizations keeping up with it, if the lack of expertise is this extreme?
David F. Carr
50%
50%
David F. Carr,
User Rank: Strategist
2/10/2014 | 11:13:44 AM
Exceptions to the rule?
Kate,

Frightening that you see this as such a strong pattern, despite all we hear about HIPAA.

You must have seen some exceptions, right? What organization would you hold up as the positive example to follow?

 

 
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
2/10/2014 | 9:44:50 AM
Re: R-E-S-P-E-C-T
If healthcare is anything like retail, it's going to take a dozen high-profile breaches and significant financial losses for security to be taken seriously.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/10/2014 | 9:42:39 AM
Re: R-E-S-P-E-C-T
I'm taking a wait-and-see position on whether the recent data breaches at Target etc will trigger an ephiphany in the retail industry. My guess is that security officers in that industry don't get any respect either. And that's with PCI-DSS regs to contend with.

In terms of healthcare, it's a sad commentary that 10 years after HIPAA, hospitals and other organizations talk the talk, but still don't walk the walk. What will it take for business leaders to empower security officers in the post ACA-era? I wish I knew. It certainly seems like it should be an urgent prioritiy to me. 
RobPreston
50%
50%
RobPreston,
User Rank: Apprentice
2/10/2014 | 9:16:39 AM
R-E-S-P-E-C-T
I'm sure there's new found respect for information security in the retail industry -- at least I hope there is -- following the recent high-profile breaches at Target and other outlets. Will it take a major breach at a major private sector healthcare provider to wake up that indusry?
<<   <   Page 2 / 2
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-30477
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of replies to messages sent by outgoing webhooks to private streams meant that an outgoing webhook bot could be used to send messages to private streams that the user was not intended to be able to send messages to.
CVE-2021-30478
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously is_api_super_user) resulted in users with this permission being able to send messages appearing as if sent by a system bot, including to other organizations hosted by the sa...
CVE-2021-30479
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the all_public_streams API feature resulted in guest users being able to receive message traffic to public streams that should have been only accessible to members of the organization.
CVE-2021-30487
PUBLISHED: 2021-04-15
In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other organizations hosted by the same Zulip installation.
CVE-2020-36288
PUBLISHED: 2021-04-15
The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused ...