This is part of a series of interviews with healthcare security expert Mac McMillan, CEO of CynergisTek Inc. McMillan discussed the steps organizations must take in order to safeguard against threats to critical infrastructure and to avoid a breach of electronic protected health information, while ensuring compliance with HIPAA encryption guidelines and standards. McMillan also shed light on some of the proactive changes IT leaders must make within their organizations in order to stay in front of the fast-changing healthcare IT landscape as it relates to platforms, services, security and privacy, if they want to avoid a financially crippling data breach.
President Obama unveiled the cybersecurity executive order at the State of the Union in February. What new security investments will hospitals have to make if they're declared "critical infrastructure," which several people we've interviewed think will happen?
Mac McMillan: I worked for the government up until 2000, and healthcare has always been one of the nation's critical infrastructures. So it doesn't surprise me at all that they're included or will be included.
I think where this will drive the greatest amount of investment, possibly, for healthcare organizations is in the areas of what I call more proactive security, more proactive protection and more redundancy in their infrastructure.
What I mean by that is, typically when you look at critical infrastructure, and you look at the threats to critical infrastructure, what you're primarily worried about on the physical protection side is the ability to withstand an attack or to reconstitute after an attack fairly quickly. You're going to have investments on the disaster recovery side, and you're going to have investments on the redundancy side as it relates to power, transmissions and communications, etc.
And when you look at it from an integrity perspective, what they're likely to see are more proactive levels of security as it relates to incident identification and management. Things like more robust abilities to detect attacks; intrusion detection systems that are managed more robustly, 24/7; security incident event management systems that look at security events in more of a real-time perspective to be able to identify where risks are before they have a chance to do damage. And, on the other side, in terms of overall integrity of the environment, it's maintaining the security around systems at a much higher level in terms of patch management and things of that nature. So when you think of critical infrastructure and cybersecurity from a federal perspective, it's really all about ensuring availability, ensuring integrity of systems, and developing a capability to detect, withstand and recover from attacks.
What is your "bumper sticker" of the National Institute of Standards and Technology (NIST) 800-111 standard, Guide to Storage Encryption Technologies for End User Devices and Certified Services? Thoughts? Comments?
McMillan: HIPAA does not require encryption; HIPAA has encryption as an addressable standard and recommends it strongly. HITECH, under the breach notification rule, provides safe harbor, and as long as you are using an encryption technology or methodology that meets one of the appropriate NIST guidelines -- 800-111, 800-117, 800-118 -- as [they] relate to data in motion, data at rest and data at the transport layer, and are also using an approved algorithm or strength of the encryption algorithm as it relates to the FIPS 140-2, then you can avoid having to notify if that device or storage media becomes lost because you have met the safe harbor requirement for appropriate encryption. So it's not encryption or FIPS [Federal Information Processing Standards]; it's encryption and FIPS. It's an acceptable technology or methodology [that] is governed by the NIST guidelines and it's an algorithm of a certain strength that is approved and governed by the FIPS 140-2, so it's both of those things.
My bumper sticker is really simple: If you're putting sensitive information on mobile devices or on devices or media that the public could potentially access or could be lost or stolen, encrypt it. And when you encrypt it, make sure you use a technology that is approved by one of the NIST guidelines that is appropriate for that, and is using an algorithm that meets that FIPS 140-2 standard; otherwise you're wasting your money.
How do you figure out if you're in compliance with that standard, and how do you take stock of in-network devices' encryption capabilities?
McMillan: I can use virtualization for assets. I can use programs that allow me to virtually connect through a gateway to an application, but that doesn't allow the data to transfer to the device. And in those circumstances, when I'm putting the protection around the data itself and not allowing the data to reside on that device or workstation, I'm avoiding the requirement to have to encrypt.
If I chose to encrypt, though, or to use a technology that incorporates encryption that is part of its solution, then I need to make sure those solutions that I purchase, whether they are part of the solution or are something that I add on, meet those guidelines in the FIPS 140-2 requirement.
What changes should healthcare IT leaders think about making to get in compliance? What's out there now, and where does it need to go?
McMillan: There are a couple things. The first thing is that this is a lot more sophisticated than anyone ever imagined, and I think they need to adopt other industry models as [they] relate to risk assessment and risk analysis. They need to have an independent third party conduct a risk assessment so they have a more objective look at their environment.
I base this on a few things: One is the number of breaches that continue to occur at a record rate, and number two is the outcomes of OCR [Department of Health and Human Services Office for Civil Rights] audits and CMS [Centers for Medicare and Medicaid Services] audits that we had with respect to MU [meaningful use] last year. For organizations that are conducting these assessments internally, they are either not understanding it, not getting it or not doing an adequate job, and the organization does not benefit from that. If you're an executive at a hospital today -- just like you do for your accounting [and] for your legal matters -- get an outside, certified expert to do that risk analysis for you so you have a real appreciation for what it is you need to do.
The second thing they need to plan for is that they need to understand there needs to be a greater level of commitment made both financially and other resource-wise in order to do this correctly. They are not going to achieve a level of compliance or level of confidence if they aren't willing to invest in it like they do [in] other parts of their business.
Encryption is mandated in the 2014 EHR certification standards. Will this meet the FIPS certification requirements for HIPAA?
McMillan: It is supposed to. If you look at MU stage 2 -- MU stage 1 did not make any requirements with respect to methodologies or algorithms. However, with MU stage 2, they require all certified EHRs to meet both the NIST guidelines and the FIPS 140-2 standards. So by the time an organization gets a certified system by MU stage 2, they should, by definition, meet the requirements.