After we dispatched Estonian hackers as a threat to patient privacy, let’s discuss how to mitigate the threat of trusted insiders in a modern healthcare organization.
There are multiple places where patient data can leak or be stolen – to name a few: nursing stations, information kiosks, interfaces between healthcare IT systems that store the data in temporary files with public access, medical devices with hospital network access and tablets and smart phones that staff and visitors bring to work themselves.
In order to prevent breaches of patient privacy – we first need to establish baseline business requirements for the hospital, clinic or healthcare provider organization.
There are 6 business requirements for preventing patient privacy breaches – these are “must items” for any healthcare business unit manager:
- Prevent data leakage directly of ePHI (electronic protected health information) from the device itself, the management information system and or the hospital information system interface. Data loss can be protected directly using DLP (data loss prevention) technology from companies like Websense, Verdasys or Fidelis Security Systems.
- Ensure availability of the medical device or EHR application. When the application goes offline, it becomes easier to attack via maintenance interfaces, technician and super-user passwords and copy data from backup devices or access databases directly while the device is in maintenance mode.
- Ensure integrity of the data stored in the networked medical device or EHR system. This is really ABC of information security but if you do not have a way to detect missing or manipulated records in your database, you should see this as a wake-up call because if you do get hacked, you will not know about it.
- Ensure that a networked or mobile medical device cannot by exploited by malicious attackers that exploit software bugs.
- Ensure that a networked or mobile medical device cannot by exploited by malicious attackers to as backdoors to enter the enterprise hospital network and breach patient privacy.
- Ensure that data loss cannot be exploited by business partners for financial gain. Contracts are important but not enough – they need to be enforced by strong outbound ePHI monitoring.
The best defense against patient data loss is outbound ePHI monitoring with DLP ( data loss prevention) since it does not rely on access control management and can detect outbound movement of ePHI in real time.
Why does patient data leak?
Just like stealing jewelry, patient data is leaked or stolen because it has value to someone, otherwise the employee or contractor would not bother.
There is no impact from leakage of trivial or universally available information like a phone number of a patient.
An employee who mistakenly sends a report of how bad the food is in the hospital’s cafeteria by mistake to a competiting healthcare organization will obviously not cause much damage to patient privacy.
The financial impact of a patient data breach is directly proportional to the value of the digital asset.
Imagine an insurance company obtaining PHI under false pretenses, discovering that the patient had been mistreated, and suppressing the information. The legal exposure could be in the millions.
Now consider a data leakage event of patient names without any clinical data – the impact is low, simply because names of people are public domain and without the clinical data, there is no added value to the information.
Why people steal patient data
The PC term is “unauthorized disclosure” but at the end of the day – patient privacy breaches involved theft of someone elses data.
The key attack vector for a patient data loss event is people – often vendors and business partners working with employees.
People handle electronic data and make mistakes or do not follow policies.
Today – people are increasing conscious that information has value – that information has some value to someone and that someone may be willing to pay or return a favor.
This is an ethical issue which is best addressed by direct managers leading from the front and by example with examples of ethical behavior.
People also maintain healthcare information systems and make mistakes, leave privileged user names on a system or temporary files with ePHI on a publicly available Windows shares.
Preparing for tomorrow’s attacks on patient privacy today
Following the attack on RSA – there is increased interest in APT (Advanced Persistent Threat Attacks) as an attack vector for stealing protected health information and breaching patient privacy.
It’s people who design business processes – people make mistakes – creating a business process for customer service where any customer service representative can see any customer record creates a vulnerability that can be exploited by malicious insiders or attackers using APT (Advanced Persistent Threat Attacks) that target a particular individual in a particular healthcare organization business unit – as seen in the successful 2011 APT attack on RSA, that targeted an HR employee with an Excel worksheet containing malware that enabled the attackers to steal SecurID token data, and then use the stolen tokens to hack Lockheed Martin.
APT attacks utilize traditional attack vectors such as malware and social engineering, but blend more advanced attacks such as satellite imaging. It’s a low-and-slow attack, designed to go undetected. There is always a specific objective behind it, rather than the chaotic and organized attacks of script kiddies.
It will not get better if you ignore the problem or complain about the government and the weather
While most attacks on patient privacy today are performed by trusted insiders; as the US HITECH Act promotes bigger and juicier targets with HIE (healthcare information exchanges) and networked EHR systems, we can expect to see more and more attackers jump on patient privacy. Whether it’s malware injected into tablet devices running medical apps, or APT attacks on big healthcare databases or organized crime, you can be sure that we will see more and more breaches of patient privacy in the US.
Judging from the credit card industry, the situation of patient privacy will probably reach saturation within 3-5 years when basically everyone’s healthcare records will be out there for brokering and resale.
The best thing any healthcare organization can do – whether a private practice or a big healthcare conglomerate – is to take the 6 business requirements for protecting patient privacy and break them down into business objectives and key results, translating them into specific security and patient privacy countermeasures.
A good starting point is the HIPAA Security Rule CFR. 45 Appendix A list of controls – but don’t stop there. Walk around your office or hospital and think like an attacker – or insurance investigator…
Cross-posted from Pathcare