"It is not the strongest or the most intelligent who will survive but those who can best manage change" – a quote, often attributed to Charles Darwin, (turns out it was actually a paraphrase by some accounts), but that aside, a lesson in evolutionary biology turnsout to be incredibly useful in the realm of healthcare security.
When examining the rapid speed at which the threat landscape for healthcare is changing and combining it with the traditionally slow-to-adapt nature of the healthcare industry in general, the problem's pretty clear.Increasing frequency of cyberattacks
It's a different threat world nowadays. Think about it. Every 60 seconds, 232 computers are infected with malware; 12 websites are successfully hacked, with 416 attempts; more than 571 new websites are created; 204 million emails are sent, and 278,000 tweets are sent out into the twittosphere – all in a single minute. Combine this with the fact that on the black market, medical records are worth $60, compared to credit card data, which typically sells for $20. So, what are the implications for a healthcare security professional?
"That makes us a significant targets," said Intermountain Healthcare's Chief Information Security Officer Karl West at the Healthcare IT News Privacy & Security Forum this past March.
Indeed, Federal Bureau of Investigation officials confirmed this, after issuing a flash alert last year warning healthcare organizations that hackers are targeting them.
Today, Intermountain is able to block about 93 percent of inbound email to the health system. When compared to two years ago, when he and his team were blocking 72 percent, it seems impressive. But, keeping in mind what 60 seconds means for the cyber world, "it isn't enough," he said.
To illustrate his point even further, West showed a map depicting a five-minute snapshot of external authentication attempts into Intermountain Healthcare. There were 16 lines from various places across the globe, all leading back to the Intermountain headquarters in Utah.
Sure, one might be a patient or a physician traveling abroad. But that's not the explanation for all of them. What this shows, West explained, is the "shifting landscape" of security threats.
And if you understand this landscape, if you adapt, keep up with it, evolve alongside with it, then you're ahead of most.
Security priorities in the recent past, as West continued, were all about setting up firewalls and perimeters to surround a hospital's data center. Today, there's the now-known risk of manipulation and misuse of that data that can pose substantial financial costs for the organization and medical risks for the patients.
"We're shifting away from that traditional view of security as a firewall perimeter with detection at ingress and egress points in and out of our system," West said. "That really doesn't exist for us today because of things like social, mobile and the cloud, and for us, the collection of big data."
Ron Mehring, CISO of the 25-hospital Texas Health Resources, seemed to agree."We build huge monolithic infrastructures that are almost worthless today."
As he sees it, healthcare security nowadays is still much like the Great Wall of China – "huge, monolithic infrastructure" that works "only for short while," he said. "We build huge monolithic infrastructures that are almost worthless today." No more should healthcare security be about chasing the technology or all about compliance, he added. "We're going to step back and look at this as a threat problem."
And threat it is. A 2014 report put out by the Center for Strategic and International Studies and McAfee estimated that cybercrime costs the global economy a whopping $400 billion annually, with a potential of reaching a towering $575 billion. (That's billion with a "b.") For the U.S. alone, some 40 million people had their personal information stolen in 2013.
"As an industry we can't ignore this stuff anymore," added Mehring. "We need to think about these kinds of attacks that are meant to disrupt operations and prioritize efforts against them far more than we have done in the past."
But what about innovation? What about efficient data-sharing abilities? As West pointed out, a CISO must strike a balance between mitigating risk, while also allowing for innovation and data exchange to take place.
Does security kill innovation? Mehring wasn't having that. "If you were innovative, you'd have security built in," he said.
Cyberattacks aren't the only concern for healthcare IT security teams across the country. As more hospitals implement myriad IT systems and shift away from paper toward electronic medical records, employees are becoming a big focus for security professionals nowadays.
"Your people that work for you are a very large threat," said Cathleen A. Connolly, FBI supervisory special agent at the Privacy & Security Forum this March, speaking in the context of combatting insider threats within healthcare.
Connolly, who serves as lead of the healthcare fraud squad based in San Diego, has investigated many cases involving healthcare employees who inappropriately access patient medical records.
She described one case where a hospital assistant was copying hospital face sheets and selling them.
Indeed, IT security professionals say this problem is top of mind for them.
"The disgruntled employees are the biggest concerns," said Susan Snedaker, information security officer at the 600-bed Tucson Medical Center in Arizona.
It's easier said than done to keep track of these employees, but Snedaker and her team have a good strategy.
"We work with our managers and our directors in the clinical area and have them identify (the employees) that they're concerned about," she said, "so we can put additional controls and monitors around those folks."
And this monitoring proves essential, said Lynn Sessions, partner at BakerHostetler, who focuses specifically on healthcare operations and HIPAA.
"There is a requirement (in HIPAA) that there be some monitoring of their systems," she said in an interview with Healthcare IT News. Although it doesn't specifically require monitoring related to employee access, it's "generally the way it's been interpreted," she said.
It's clear, Sessions added, that the Office for Civil Rights "wants to know whether your employees are snooping" – whether that be for criminal reasons or negligently reasons, which may suggest the organization did not have appropriate system safeguards in place, or even that it has a "rogue employee" on its hands.
But how often are a healthcare organization's employees actually snooping? Does it really happen that often?
"Yes," said Sessions. It most certainly does.
From Connolly's perspective, one of the problems contributing to insider snooping is from a "real deficiency in (employee) training." Training is designed to check the box, if you will, for compliance purposes.
The security folks at the West Virginia United Health System have made this training piece a priority and have already seen marked success in curbing employee snooping.
Mark Combs, assistant chief information officer at WVUHS, has implemented a host of initiatives that aim to improve this problem.
For the training piece, Combs said they have a privacy officer present to all new employees about what their expectations are with privacy and security. The health system also sends out monthly security reminders from the individual's privacy and security officers.
What's more, they're not afraid to audit their employees.
There's an old adage Combs uses to describe his philosophy on this: "What's measured is what matters," he said. "So people know we're measuring and watching their access; it gives them pause when they start to consider to do something like this."
Audits are performed at the health system "almost daily," he said, amounting to several millions of accesses audited each year. The access audits from multiple applications enterprise-wide are consolidated, and then, as Combs described, WVU has an application that consolidates those and runs reports, which are analyzed by a special team.
So big takeaways, as Combs as his IT security colleagues have hit home? Next time you think your hospital or health system is secure, next time you think a firewall perimeter is all it takes, or that healthcare is not the target of cyberattacks, your organization is not a target, think again. You're waist deep in it, and how an organization prepares, how it secures, trains, anticipates and adapts can make all the world of difference for its patients and bottom line.