SAN FRANCISCO -- At face value, healthcare information security may seem like security in any other vertical industry,...
but a group of healthcare infosec experts say the stakes are higher, the pitfalls deeper and the expertise tougher to find, all of which contributes to a variety of challenges.
A discussion of those challenges Thursday at RSA Conference 2015 was buttressed by a pair of recent high-profile data breaches: Just last month Premera Blue Cross suffered a breach involving the financial and medical records of 11 million customers, and two months ago health insurer Anthem was breached, exposing personal data of up to 80 million customers and employees.
Lee Barrett, executive director of the Electronic Healthcare Network Accreditation Commission, said more than 100 million healthcare records have been confirmed breached so far in 2015, far surpassing the estimated eight million breached in 2014.
"After all these various breaches, boards of directors, CEOs and audit committees are now taking this whole issue far more seriously," Barrett said, in large part because any breach involving more than 500 records must be reported, per the HIPAA Breach Notification Rule. "It's a major shift because in the past it was the either chief privacy officer, CIO, CTO or maybe the CFO, but the issue never got to the board level."
David Finn, health IT officer with Symantec, said healthcare organizations are mandated to share data by a variety of laws, and each time data is shared, particularly patient identities, there are opportunities for data loss.
According to the panelists, one of the top weaknesses in healthcare data protection is the portal, the front-door application that is often Web-based and used by patients and providers alike to gain access to medical records.
Debbie Bucci, IT architect for the U.S. Department of Health and Human Services' Office of the National Coordinator for Health Information Technology, said one of the biggest problems today is that in the healthcare ecosystem various healthcare providers, insurers and others use so many different portals that security often takes a backseat to data availability.
Is healthcare security really different?
Attendees and panelists seemed to differ, however, on whether healthcare security is fundamentally different from infosec in different verticals. In response to a direct question from an attendee, Barrett said it boils down to the fact that healthcare data is more important and valuable than other types of data that attackers covet.
Barrett said while a breached payment card record typically sells for no more than $1 on the black market, a healthcare record often goes for as much as $5.
"Medical records have so much more information than Social Security numbers and financials," Barrett said. "If I have all of a person's medical data, then I can get into a lot more aspects of a person's life, and it's also much easier to steal that person's identity."
Another challenge, Finn noted, is that the rollout of electronic health records systems since 2009 triggered a dramatic shift in healthcare: Today, the entire industry relies on IT to perform even the most basic functions.
Because U.S. healthcare providers' profit margins are so low -- about 4% on average -- organizations don't have a lot of money to devote to IT in general, or to security in particular.
"We're not behind; we're way, way behind," Finn said in regard to health IT security. "We're catching up, making good progress, but we've got a long way to go."
Attendee Dustin Wilcox, vice president and chief information security officer of a healthcare organization he declined to name, was of the opinion that healthcare information security has more similarities with other verticals than differences.
"Bad guys monetize the healthcare data, but it's still a data protection problem," Wilcox said, though he noted one key difference -- that data protection is arguably more important than the infrastructure protection other industries emphasize.
Still, he said, with basic security processes like vulnerability management, configuration management and logging, a healthcare organization can mitigate up to 96% of security incidents.
Healthcare security essentials
Panelists suggested several other security essentials for healthcare organizations. Finn highlighted the importance of identity platforms for more effective management access to data. Too often, he noted, organizations have separate systems for access to low-security reference documents and high-security patient records, which merely adds to the difficulty of provisioning, managing and auditing data access.
Another issue, said Barrett, is the shortage of security professionals, consultants and auditors who have experience in healthcare security. It's often a struggle to find auditors in particular; he said he's seen organizations with little choice but to work with an auditor who merely checks the boxes and moves on.
Finally, Finn said, healthcare needs to develop a culture of security: At the end of that PC or server is a record that represents someone's life.
"In healthcare we're all about sharing and caring and giving, but today I could walk onto the floor of any hospital in a suit and tie and get a nurse to sign me into the EMR system of that hospital," Finn said. "That's something we have to change."