Meeting HIPAA's vast array of regulations isn't enough to secure patient data in today's connected healthcare environment. Protecting against healthcare cybersecurity threats and unauthorized access to patient medical records requires a comprehensive, scalable approach that addresses how an organization's evolving IT infrastructure impacts electronic protected health information (ePHI).
For Sharp HealthCare, that means investing in technologies that monitor information entering and exiting their network, said Bryan Kissinger, CISO and vice president of IT risk management at the San Diego-based institution.
With 18,000 employees, 3,000 physicians and more than 30 separate locations, Sharp's primary external ePHI risk is email -- specifically phishing emails containing malicious software. Kissinger plans to allocate at least $1 million of his $4 million FY2017 budget -- a 33% increase over 2016 -- to security incident and event management, database monitoring, privileged account management and multifactor authentication.
Similarly, Children's Mercy Kansas City in Missouri needs a scalable, reliable way to perpetually monitor and scan the six million daily hits on its server, as well as all outgoing traffic, said Vice President and Chief Information and Digital Officer David Chou. He opted to outsource their security operations, and, effectively, the role of a CISO, to a security operations center that can take immediate action to halt or mitigate an attack.
"We're in the business of providing care. I don't want to be in the business of enterprise security," he said. "It's too expensive to do ourselves, and we can't staff the talent." A third-party vendor performs continuous web application and vulnerability scans to assess computers, computer systems, networks and applications for weaknesses. These "white hat" scans operate much as a hacker would when looking to gain unauthorized access.
So far, they've successfully foiled attempted logins from Asia, Brazil and the Middle East. "We had no idea how many hits we were receiving," Chou said. "We didn't have the tools in place."
He also hired a director of information security to help build upon and implement their security program and will hire security and access management engineers as well. Staffing these key positions could take several months or longer since finding the right talent is challenging. Chou needs security specialists who can keep up with the fast-changing technology landscape and balance healthcare cybersecurity with the unique needs of providers, staff and patients.
Chou spent about 10% of his $60 million IT budget in 2016 to bolster internal and external data security, and he will likely spend more in 2017.
"It's a very healthy budget to ensure we're able to afford the right security tools," said Chou, who joined the organization in May 2016. "Security is top on my radar and should be the organization's top priority and investment."
Security is quickly replacing data analytics and population health as a top concern among healthcare CIOs, with healthcare organizations dedicating an average of 12% of their health IT budgets to internal and external cybersecurity protection, the Ponemon Institute estimated. It found that nearly 90% of healthcare organizations experienced a data breach during the last two years. And while most of the breaches involved 500 or fewer records, the average cost was more than $2.2 million.
Cyberthreats from within
Like many healthcare organizations, Sharp HealthCare's biggest internal HIPAA threat is its own workforce -- "snooping" by staff or employees who access patient records without a legitimate reason.
"Once you're internal to the network and have the credentials, moving laterally from system to system or accessing information resources" isn't as difficult as it should be, Kissinger said. He'll pilot a scalable auditing system in 2017 that uses user behavior analytics to track patient record access and map each access to the clinical or operational reason for it. This third-party tool tracks user-specific trends to quickly spot anomalies and unauthorized access to medical records. It is designed not only to weed out snooping but also to identify users whose accounts may have been hacked.
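The kind of access-pattern check such an auditing system runs, shown here as an added example (it is not Sharp's tool or any vendor's product). It assumes a constructed chart-access log whose entries record the user's unit, the patient's unit and whether the user is on the patient's care team, and flags two things: accesses with no documented care relationship, and days on which a user's access volume far exceeds their own baseline.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not real data): one tuple per chart access.
# Fields: user, user_unit, patient_id, patient_unit, on_care_team, day
ACCESS_LOG = [
    ("nurse_a", "ICU", "P100", "ICU", True, 1),
    ("nurse_a", "ICU", "P101", "ICU", True, 1),
    ("nurse_a", "ICU", "P102", "ICU", True, 2),
    ("nurse_a", "ICU", "P103", "ICU", True, 3),
    ("nurse_a", "ICU", "P900", "ONC", False, 3),  # no care relationship
    ("clerk_b", "ORTHO", "P200", "ORTHO", False, 1),
    ("clerk_b", "ORTHO", "P201", "ORTHO", False, 2),
    ("clerk_b", "ORTHO", "P202", "ORTHO", False, 3),
] + [("clerk_b", "ORTHO", f"P3{i:02d}", "ORTHO", False, 4) for i in range(40)]


def no_relationship(log):
    """Accesses where the user is neither on the patient's care team nor
    working in the patient's unit: candidates for 'snooping' review."""
    return [(u, p, d) for u, unit, p, p_unit, on_team, d in log
            if not on_team and unit != p_unit]


def daily_counts(log):
    """Per-user, per-day number of chart accesses."""
    counts = defaultdict(lambda: defaultdict(int))
    for u, _, _, _, _, d in log:
        counts[u][d] += 1
    return counts


def volume_anomalies(log, floor=5, sigmas=3.0):
    """Days on which a user's access count exceeds their own baseline
    (mean + sigmas * stdev of that user's other days). The floor keeps
    tiny baselines (e.g. one access a day) from flagging every small bump.
    A sudden spike can mean snooping or a hijacked account."""
    out = []
    for user, by_day in daily_counts(log).items():
        for day, n in by_day.items():
            others = [c for d, c in by_day.items() if d != day]
            if not others:
                continue
            threshold = max(floor, mean(others) + sigmas * pstdev(others))
            if n > threshold:
                out.append((user, day, n))
    return sorted(out)


if __name__ == "__main__":
    print("No care relationship:", no_relationship(ACCESS_LOG))
    print("Volume anomalies:", volume_anomalies(ACCESS_LOG))
```

In practice the relationship check would consult the EHR's care-team and encounter data rather than a static flag, and the baseline would be computed over weeks, not days.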
In fact, more data breach incidents (57) were reported in November 2016 than in any previous month of the year -- and more than half (54%) of them were caused by employees, according to Protenus, which publishes a monthly report of incidents reported to the Department of Health and Human Services or first disclosed in the media.
"Hacking pales in comparison to insider breaches," the company stated in December. Forty-five percent of the insider breaches were due to intentional wrongdoing and compromised nearly 265,000 records. Fifty-five percent were due to error or accident and resulted in far fewer exposures (about 17,000).
Education should play a key role in your IT strategy
Sharp HealthCare has hired a full-time training and awareness coordinator to engage staff and build awareness of their critical role in Sharp's cybersecurity program. This key staffer has already mapped out a comprehensive education plan for 2017 that targets different groups of employees throughout the year, Kissinger said.
Gila Regional Medical Center includes prank phone calls and mock phishing emails as part of its healthcare cybersecurity training, said John Little, enterprise system architect at the organization, which is based in Silver City, N.M. For example, employees may receive a phone call from someone calling from an outside line who claims to work for IT.
"They'll say, 'I'm going to send you an email, and you need to click on the link and log into our portal so I can update your account,'" Little said. If the staff member falls for it, Little provides them with additional training. "A hacker only needs one person to click that attachment, and they're in."