HIPAA mandates and meaningful use audits tighten up the security rules that healthcare providers must follow. At the same time, a fledgling mHealth landscape heightens the risk of data breaches. All the while, next-generation threats to the security of patient data are beginning to emerge, forcing healthcare CIOs to take a longer, harder look at upgrading patient data security.
Healthcare organizations can recognize and potentially evade patient data security threats by using gap analysis and security information and event management (SIEM) software, as well as log management, said three security leaders during a recent eiQnetworks-hosted webinar, "Unified Situational Awareness for Compliant and Secure Healthcare."
Data security is something I don't think you can ever check the box for.
director of information security, Virginia Hospital Center
"Data security is something I don't think you can ever check the box for," said Ken Beasley, director of information security and information security officer at Virginia Hospital Center in Arlington. "It's always going to be changing. It's something you'll always have to watch."
Beasley said that after he and his team saw a few cost assessments from initial HIPAA audits reported in the news -- including fines that ranged from $100 to $1.5 million -- they immediately hired a security risk analysis consultant, a step most practices are apt to begin with.
The analysis forced Virginia Hospital's security team to critically evaluate how secure their patients' protected health information (PHI) really was. They asked, were there PHI data points left unsecured on file servers, mobile devices or laptops? Who had access to those files? And did those employees have the ability to move secure information from those locations out of the organization? "It sparked good questions, but our answers weren't all that great," Beasley said.
To decide where to start, Virginia Hospital commissioned a gap analysis to determine which systems were on lock, which practices needed improvement and how big a gap lay between the two.
After examining policies and procedures and other current administrative controls, risk management plans, and executive support, as well as risk-deterrence practices and technical controls at data centers, it was obvious Virginia Hospital's security plan was deficient, Beasley said.
One area that especially stuck out was activity monitoring in the hospital's EHR system and other systems storing patient data. Virginia Hospital had only limited ability to see what its users were doing, and security officers had to log in separately to each system a user had accessed to determine what he or she had done with the data. Beasley acknowledged that the hospital's activity monitoring could be inefficient in the event of a HIPAA compliance audit.
In addition to ramping up security, the hospital also wanted to implement SIEM solutions and real-time analysis of security alerts that could provide meaningful information about potential threats and generate reports for compliance purposes.
Most healthcare facilities design their security plans to be reactive, not proactive, when it comes to combating attacks, said Joe Partlow, director of technical services at ReliaQuest.
Partlow listed several technologies that healthcare organizations can employ to monitor data access and identify potential threats: Web proxy logs, firewall router logs, configuration data, antivirus and antimalware, NetFlow, and intrusion detection systems.
It's hard, however, to look at activity across different logs and devices and find meaningful patterns, Partlow said. That's where SIEM systems come in. He also suggested that IT teams cull data logs for logins or traffic spikes at odd hours -- which could indicate foreign hackers in different time zones -- and pay special attention to individual remote users, who are usually the first to get hit. "Logs are key," he said, adding that IT managers should be able to track traffic at least 90 days back in order to keep long and slow attacks on the radar. "These [hackers] are coming in multiple ways, using multiple methods. [Organizations] need to take a holistic view at the network."
There are still accidental data losses to consider as well, such as misplaced or stolen mobile devices, which result in HIPAA penalties and mandatory public disclosures that make headlines.
Healthcare organizations should begin to mitigate the risk of a data breach by encrypting mobile devices, said Brian Mehlman, senior director of product management at eiQnetworks. They should take the additional step of using security software to aggregate devices to see when and where they were last accessed. Encryption is often a baseline requirement in security configuration audits or risk analysis, he added.
As organizations continue to use security software to analyze data access logs, get threat alerts and increase visibility, they'll be able to home in on other contextual security factors as well, things like user identity and network flows that can help detect potential threats even earlier in the process, Mehlman said.