Thank you for reading this article, the second in a 3 part series on practical security for physicians.
In this second article, we want you to think about security like you think about clinical issues – as problems that need to be analyzed and treated. I hope to challenge you and would love to hear what you think. Instead of clinical issues, we’ll be talking about 4 management disconnects that make a healthcare provider organization vulnerable to patient data loss.
My name is Danny Lieberman. My firm and I specialize in helping health tech and medical device companies harden their products with strong software security in order to prevent patient data breaches and comply with the HIPAA Security Rule. We’ve taken the lessons we’ve learned over the past 10 years and applied them to our latest venture: Pathcare, the private social network for doctors and patients. Pathcare is a minimalistic, easy-to-use application for private messaging and content sharing that helps physicians be as effective as possible in their patient relationships, reduce stress and improve trust.
Patient data breach starts with denial
…I sleep well at night on patient data protection. We’ve outsourced our entire IT operation to a big healthcare provider’s data center and they’re up to speed on information security. I can always go back to the logs and figure it out if something happens.
Vice President Internal Audit of a medium-sized healthcare provider
Just 2 months later, the “big healthcare provider” had a major patient data loss event. Both organizations missed their earnings estimates and took a beating in the market. By year-end the smaller provider had broken out of a 5-year outsourcing contract and decided to bring EHR in-house in order to have better control – paying a 7-figure price tag for a new EHR system.
As discussed in Part I – data loss is the unauthorized transfer of your essential digital assets – patient data, customer records. Data loss can be theft of physical records, a mistake or custom malware on a promotional USB drive installed unwittingly by an employee.
Data loss has a strange nature that stems from unexpected actions by trusted insiders in an environment assumed to be secure. For this reason, data loss prevention requires both management and technology controls. This article reviews current best practices in four business control activities: human resources, internal audit, physical security and information security. I will highlight disconnects in each activity and recommend corrective action at the end of the article.
The human resources department
Ensuring employee loyalty and reliability starts with HR, which has responsibility for hiring and guiding the management of employees. High-security organizations (such as defense contractors or securities traders) add additional screening such as polygraphs and security checks to the hiring process. Over time, organizations may sense personality changes, domestic problems or financial distress that indicate increased data loss risks for employees in sensitive jobs.
Disconnect #1: HR isn’t accountable for your corporate brand and therefore doesn’t pay the price when trusted employees and contractors steal.
Patient data loss prevention is part of your overall internal audit process that helps you achieve your objectives in the areas of:
- Reliability of financial reporting
- Compliance with applicable laws and regulations
Internal auditors in the insurance industry say regulation has been their key driver for risk assessment and for implementation of preventive procedures and security tools such as intrusion detection. Born in the 1960s and living on in today’s Windows and Linux event logs, log analysis is still the mainstay of the IT audit. Over the past 7 years our industry evolved to client-server computing, XML Web services and converged IP networks. Welcome to stateless HTTP transactions, dynamic IP addressing and Microsoft Active Directory, where your ability to audit network activity depends on which versions of Windows run on your workstations and servers. Offline analysis of logs has fallen behind and yields too little, too late for the EDP auditor!
Disconnect #2: IT auditors have the job but they don’t have the tools.
Physical security starts at the parking lot and continues to the office, with tags and access control. Office buildings can program the gates so that every tag leaving the building is one that also entered the building. Many companies run employee awareness programs to remind the staff to guard classified information and to look for suspicious behavior.
Disconnect #3: An iPhone can break perfect physical and network security.
Information security builds layers of firewalls and content-security at the network perimeter, and permissions and identity management that control access by trusted insiders to digital assets, such as business transactions, data warehouse and files.
This structure lulls business managers into a false sense of security. Let’s not forget that firewalls let traffic in and out, and permissions systems grant access to trusted insiders by definition. For example, an administrator in the billing group will have permission to log on to the accounting database and extract customer records using SQL commands. He can then zip the data with a password and extrude the file using a private Web mail account.
Content-security tools based on HTTP/SMTP proxies are used against viruses and spam. These tools weren’t designed for data loss prevention: they don’t inspect internal traffic, they only scan authorized e-mail channels, they rely on file-specific content recognition and they have scalability and maintenance issues. When content security tools don’t fit, we’ve seen customers roll out home-brewed solutions with open source software such as Snort and Ethereal, but most firms are turning to commercial products from security vendors such as McAfee, Symantec and Websense.
If you want to really know what kind of patient and billing data is exiting your network, don’t DIY.
Disconnect #4: Relying on permissions and identity management is like running a retail store that screens you coming in but doesn’t put magnetic tags on the clothes to prevent you from wearing that expensive hat going out.
The direct approach to digital asset protection
To correct the disconnects and protect your digital assets, you need CEO level commitment to management and technology controls:
The direct management method
Your company’s management should directly mandate data loss prevention:
- Soft controls – Training and continuous behavior sensing
- Direct controls – Good hiring and physical security
- Indirect controls – Internal Audit
The direct technology method
Your technology solution must be based on classifying your key digital assets and identifying when they flow out of your network to suspect or forbidden destinations. This direct approach is deployed independently of privileged system managers, permissions and identity management systems and complex perimeter security systems. It’s simple and it’s effective.
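To make the direct technology method concrete, here is an added example (not code from the article or from Pathcare) that classifies outbound transfers by the patient data they carry and alerts when a classified asset leaves to a destination that is not approved, or when an opaque archive goes to a suspect host such as private webmail. The egress records, the approved destination list and the suspect-domain hints are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample egress records (not from the article), one per outbound
# transfer seen at the network edge: user|destination|filename|bytes|excerpt.
SAMPLE_EGRESS = [
    "jdoe|ehr-partner.example.org|referrals.csv|20480|MRN 0044-2211, DOB 1970-02-14",
    "bsmith|mail.webmail-example.net|export.zip|5242880|<encrypted archive>",
    "jdoe|backup.internal.example|nightly.tar|104857600|MRN 0091-7733",
    "tlee|cdn.example.com|logo.png|4096|PNG",
    "rgreen|mail.webmail-example.net|list.csv|1024|MRN 0012-3456",
]

# Assumed policy: hosts allowed to receive patient data, and name fragments
# that mark a destination as suspect (private webmail, paste/file-sharing).
APPROVED_PHI_DESTINATIONS = {"ehr-partner.example.org", "backup.internal.example"}
SUSPECT_DOMAIN_HINTS = ("webmail", "dropbox", "pastebin")

# Asset classifier: patient identifiers visible in the inspected excerpt.
PHI_PATTERN = re.compile(r"\bMRN\s*\d{4}-\d{4}\b|\bDOB\s*\d{4}-\d{2}-\d{2}\b")

@dataclass
class Alert:
    user: str
    dest: str
    filename: str
    reason: str

def classify(excerpt: str) -> str:
    """Label transferred content as 'phi', 'opaque' (uninspectable) or 'other'."""
    if PHI_PATTERN.search(excerpt):
        return "phi"
    if not excerpt.strip() or "encrypted" in excerpt.lower():
        return "opaque"
    return "other"

def inspect_egress(lines):
    """Alert when a classified asset leaves to a non-approved or suspect host."""
    alerts = []
    for line in lines:
        user, dest, filename, _size, excerpt = line.split("|", 4)
        label = classify(excerpt)
        suspect = any(hint in dest for hint in SUSPECT_DOMAIN_HINTS)
        if label == "phi" and dest not in APPROVED_PHI_DESTINATIONS:
            alerts.append(Alert(user, dest, filename, "PHI to non-approved destination"))
        elif label == "opaque" and suspect:
            # The password-protected zip sent via private webmail described above.
            alerts.append(Alert(user, dest, filename, "opaque archive to suspect destination"))
    return alerts
```

The check runs on the destination and the content of each flow, so it does not depend on the permissions or identity of the user who initiated it, which is the independence from privileged system managers the paragraph describes.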
Part III reviews legal and statutory requirements in the US and in Europe.