Whether it's guarding against "malicious insiders" or ensuring C-suite execs are scared straight about the risks and regs they face, the coming year poses big challenges to healthcare, according to Kroll's annual Cyber Security Forecast.
The newest report takes a look at a shifting social and legal environment and spotlights seven trends all industries should pay attention to as they guard against legal, monetary and reputational risk.
Those are outlined below, followed by a Q&A with Kroll's Senior Managing Director Alan Brill, who answered some questions from sister publication Healthcare IT News about the industry's preparedness for a new year filled with new security threats.
- NIST and similar security frameworks will necessarily become more common. These standards should start to drive organizational decision-making, according to Brill, who notes in a press statement that the trend "will move the U.S. in the direction of the EU, where there is a greater recognition of privacy as a right. As new laws evolve that reflect the NIST guidelines and look more like the EU privacy directive, some U.S. companies will find themselves ill-prepared to effectively respond to the regulations."
- The data supply chain will pose continuing challenges. While it's increasingly common to store data with third parties, those vendors' security preparedness (or lack thereof) is often little understood until there's a breach, according to Tim Ryan, Kroll's managing director and cyber investigations practice leader. "Companies should know who they are giving their data to and how it is being protected," he said in a statement. "This requires technical, procedural and legal reviews."
- Malicious insiders remain a serious threat – but will become more visible. Information technology may make it easier to access unauthorized data, but it also means that, as the federal government and individual states add muscle to privacy breach notification laws and enforcement regimes, the hidden nature of insider attacks will become more widely known. "The insider threat is insidious and complex," said Ryan. "Thwarting it requires collaboration by general counsel, information security and human resources."
- Corporate boards and C-suites will take more interest in security preparedness. With more data breaches splashed across the headlines, higher-ups are taking seriously the connection between cyber security and an organization's reputational and financial well-being. "Organizations recognize that it's their duty to protect against the loss of information and its associated risks," said Brill in a statement. "The challenge they face is determining what is a reasonable level of security and response, and who should make that call – is it their IT team, an industry expert, an independent third party?"
- IT will help uncover data breach details and make for faster reactions. Even the best firewalls can't stop all attacks, but technology can help organizations see with near-real-time clarity what's happened to their data and how much damage has been done. "Most organizations have invested in preventative security technologies, but remain unprepared to launch an effective response to a leak or intrusion," said Ryan. "We've seen a dramatic improvement in response technology over the last year ... There's no reason not to be prepared."
- New standards for breach remediation are finding favor as threats evolve. "The notion that credit monitoring is a panacea for all data breaches is misguided," said Brill. "When you couple the myriad types of sensitive information with the multitude of ways an identity can be stolen and used fraudulently, there are many instances where credit monitoring will not be helpful to a breach victim at all, including medical identity theft, criminal impersonation, employment and tax fraud, etc."
- With the cloud and BYOD on the rise, smart policies must follow. IT departments are "scrambling" to deal with these technologies, which are developing at a "whirlwind" pace, according to Kroll. In 2014, IT leaders will need to work closely with senior leadership and legal counsel on strong and clearly stated policies. "Up until now, cloud and BYOD adoption has been like the Wild West – uncharted, unregulated and few restrictions," said Brill in a statement. "Companies that have integrated these technologies into their corporate policies, IT security and risk management plans will be much better prepared to fulfill their legal obligations."
Kroll's Senior Managing Director Alan Brill offered his thoughts about the special problems facing healthcare in the coming year.
Q: What's the biggest security challenge facing healthcare organizations in 2014?
A: Probably the biggest challenges will be keeping up with the requirements set by HIPAA/HITECH as HHS gains more experience through its OCR audit programs. We see that many organizations need to take some time to make sure that their policies and standards are in line with the specific wording called for in the final omnibus rule. This is a way of avoiding problems that are easily avoided. The second part is asking the question: "How do we know we are actually doing what we say we're doing in our policies and procedures?"
That's a question that the auditors will almost always ask, and to the extent you have a way of collecting the evidence that you're complying with your rules, not only will you be ready, but you will know you're operating in compliance with the rules.
It also looks like a lot of healthcare organizations still have a fair number of machines running Windows XP. With that operating system hitting end-of-life, it means that as of next April, there will be no more patches, not even for critical security problems. You don't want to be in that situation, so in the few months between now and then, you should be planning to evolve off of the XP platform. Start by making an inventory of all machines so that you know how much work you'll have to do.
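One way to start the inventory Brill recommends, as an added example that is not part of the article or Kroll's own material: a PowerShell query against Active Directory that counts enabled computer objects per operating system and writes out the Windows XP hosts with their last logon date. It assumes the ActiveDirectory RSAT module is installed and the account can read computer objects; the output file name is an arbitrary choice.

```powershell
# Added example: inventory domain-joined machines by OS and list the Windows XP hosts.
# Assumes the ActiveDirectory module (RSAT) is available and read access to computer objects.
Import-Module ActiveDirectory

# Pull every enabled computer object with the OS attributes we need.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate

# Summary per OS: sizes the migration effort at a glance.
$computers |
    Group-Object OperatingSystem |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Detail for XP hosts, oldest logon first, so stale accounts can be retired
# instead of rebuilt and live ones can be scheduled for migration.
$xp = @($computers |
    Where-Object { $_.OperatingSystem -like '*Windows XP*' } |
    Select-Object Name, DNSHostName, OperatingSystem, OperatingSystemServicePack, LastLogonDate |
    Sort-Object LastLogonDate)

# File name is an assumption; change it to suit your environment.
$xp | Export-Csv -Path .\xp-inventory.csv -NoTypeInformation
Write-Host ("{0} of {1} enabled computer objects still run Windows XP" -f $xp.Count, $computers.Count)
```

Machines that are not domain-joined (lab equipment, vendor-managed devices) will not appear here and need a separate sweep, for example from network scan or asset-management data.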
Q: How does healthcare stack up to other industries when it comes to keeping data safe? Can it even be compared to other industries?
A: It's our experience at Kroll that one difference between healthcare and other industries is that patients and their families really expect PHI to be protected. That seems to be independent of the HIPAA and HITECH laws. We think this is one reason why healthcare organization boards of directors report that the threat of data breaches keeps them up at night, and they are increasingly focusing on data security and privacy issues, and on HIPAA compliance.
Aside from the actual penalties, healthcare providers are acutely aware of the value of their reputations, built over decades in many cases. Protecting that reputational value is important, and board audit committees are looking to the risk managers, IT directors, compliance managers and similar specialists to help them sleep better at night.
Q: How does the new HIPAA Omnibus rule, with its increased penalties and broadened scope, change how healthcare organizations and their business associates should be thinking about patient data? Are enough organizations, on both the provider and the vendor sides, aware of the new rules, and the enforcement actions they could be facing in the event of a breach?
A: We are seeing that a lot of organizations' senior management are focusing on the risks associated with data security, privacy and data breaches, and they are looking to get some assurance that their standards, policies and procedures not only mirror the specific requirements of the final omnibus rule, and that they have 100 percent compliance from a policy and documentation standpoint, but that they are also doing what they are supposed to be doing.
If you have great policies but don't carry them out or enforce them, it's going to look bad if there's an incident that could have (and should have) been prevented, or if there's an audit and the auditors find that your standards just sit on a shelf and are never really implemented in practice.
I think it's also fair to say that healthcare organizations are, or should be, reaching out to every single business associate to make sure that they are compliant as well. If there's a breach at a BA, you can't just point a finger at them and disclaim responsibility. So take the time to find out whether their threat assessments, security programs and privacy/breach notification policies are in line with both HIPAA/HITECH and your policies as well.
Q: Your report mentions the risk of a "malicious insider." What are some strategies for creating a culture of security – steps an organization might take to foster an environment where all employees take patient privacy seriously, and that minimize the risk of a data breach?
A: That culture has to start at the top. Senior managers have to make it clear that you can provide the highest quality of service while protecting sensitive information. By the way, don't forget that healthcare organizations typically have a lot of sensitive information that does not constitute ePHI. Financial information, donor listings, employee files, confidential plans and many other documents or databases can be just as sensitive. Simply protecting ePHI is not enough; you have to understand what the sensitive data is for your particular organization, where it's stored, how it's processed and how best to protect it.
As you look across organizations, you see various ways of creating the culture of security. It's often stated as a basic principle of the organization's operations -- it can be tied into the code of ethics. Organizations with effective programs usually have ongoing information security awareness programs, so that people know what's expected of them.
Interestingly, one of the things that seems to differentiate really good programs from others is the recognition that people will have questions or issues they need to discuss with someone. Providing a point of contact for information security and HIPAA/HITECH questions – which could be an email address that gets distributed to the right people – where no question is off limits, is important.
Another strategy to consider is having a couple of questions about the protection of PHI and other confidential information integrated into employee performance reporting systems. Having coverage of security and privacy protection in a document that can have an effect on a staff member's compensation and advancement makes it real, and can provide an early warning of problems.
Finally, we often use the concept of "trust but verify" in our work. We want to trust our team members to do the right thing, and to know when to call for assistance or information. But there are tests that can be performed as part of information security reviews, internal audits or other internal reviews that will help to understand that people are doing what you expect them to do.
Q: How much of a risk does hacking pose to healthcare IT? Is it on the rise? Could you see a day where black-hats are as interested in personal health information as they are in bank account and Social Security numbers?
A: With the exception of state-sponsored hackers looking for health intelligence on specific persons or activists going after an institution because of some political or social stand that the institution took, most hackers are after money or things they can turn into money. To the extent that healthcare institutions deal in things like credit card data, they are targets, just as anyone else with such data is.
But patient data can also be of value for things like medical care fraud. Someone who can get data that enables them to impersonate you and tap into your health insurance, for example, can be motivated to steal it, and to seek treatment while impersonating you or a family member. We've seen cases where this has been a serious issue.
Also, hackers know that many institutions accept credit cards, and we've seen them diligently search networks looking for credit card numbers in files. If you need to store this information, you're probably well aware of the PCI DSS regulations from card issuers, as it's another set of rules you have to follow, and, like HIPAA/HITECH, they've been recently updated.