Health care sector finds cure for digital attacks elusive

HIPAA compliance alone doesn’t make for the strongest security


As the health care sector struggles with intensifying cyber attacks, security experts say it could take the next decade for robust defenses and effective security policies and procedures to become an industry norm.

That’s great news if you’re a cyber criminal. And it’s the reason high-visibility disclosures of massive data breaches are likely to continue. The latest is the loss of health care records for 10 million people disclosed last week by Excellus BlueCross BlueShield.

“Health care is decades behind on how they manage information,” says Michael Ebert, leader in Healthcare & Life Sciences at consultancy KPMG LLP.

In a recent KPMG survey of 223 health care executives, only 53 percent of providers and 66 percent of payers said they considered themselves ready to defend against a cyber attack.

“This isn’t a three-year fix, it’s a seven- to 10-year evolution,” Ebert says.

More: Three-part series: Targeting the health care sector

The health care sector is an attractive target due to the volume of rich personal data generated in the normal course of business. Complex data management scenarios make security even more challenging.

“The data sharing is 100 percent of the risk,” says Morey Haber, vice president of technology for BeyondTrust, a cybersecurity company that offers privileged account management.

If only a limited number of individuals needed access to personal data to administer health service, the system would be easier to protect, he says. But sensitive information has to be shared widely and quickly. Myriad professionals and suppliers collaborate remotely across multiple locations.

“This becomes an exponentially more difficult situation to deal with when it comes to security access to health care records and the various tools and systems that are in place,” says Travis Greene, identity solutions strategist for NetIQ, the security portfolio of Micro Focus.

An added challenge is that many of those tools and systems are outdated. And even the newer technology was built with security as an afterthought, experts say. The same is true of processes that are in place to secure the information.

Priority isn’t put on security

Business operations are “focused on functionality and on saving patients’ lives,” Ebert says. “They’re not necessarily focused on the storage of information.”

For half of the providers who responded to the KPMG survey, regulatory enforcement was a top concern, above financial loss or reputation.

Haber says that too many health care organizations are satisfied with simply being compliant with regulations such as HIPAA, which should be viewed as a minimum framework.

In the financial services and retail sectors, competition is forcing an emphasis on cybersecurity. Conveying a highly trustworthy reputation has become a differentiator. Consumers are proving to be less inclined to do business with a company that’s been compromised.

But the way the health care system is structured in the United States, Greene says, there’s not a lot of shopping going on for the lowest cost or most trustworthy provider.

“There’s no incentive for them to implement new technologies and securities around technology,” he says.

Michael Ebert, KPMG Healthcare & Life Sciences Cyber Practice leader

Even if competition were tougher, Ebert isn’t convinced that consumers would change their habits en masse. They are searching for the best care, perhaps life-saving care, and are less concerned with issues like breaches.

“I don’t think consumer patterns will necessarily change in health care because your relationship with your doctor is completely different from your relationship with your credit card,” he says.

Industry waking up to risks

The health care industry isn’t completely ignoring cyber threats. Ebert notes that two years ago, he hardly did any cybersecurity presentations, and presently he delivers several board-level pitches a month.

He says senior decision-makers are “frustrated because the answer isn’t that I can fix this tomorrow. The answer is not a technology, but a people solution—you’ve got to change how the people and the processes operate.”

Still, many organizations also are focusing on technology, an area that’s been historically underinvested.

Haber, for example, says he is seeing a growing movement around privileged access management. But, he says, it would take a lot more major breaches for other health care organizations to take note—breaches like Ashley Madison.

“If you have a company that crashes and burns due to something like this, other executives wake up,” he says.

Greene says it’s especially tough for providers to invest in new technology for security when they could be investing in life-saving equipment. He says the industry needs to look at costs more broadly, including the costs to individuals whose information is stolen.

“I think as health care organizations mature, they’re going to realize that good security practices result in compliance, but compliance doesn’t necessarily result in good security practices,” he says. “It’s a learning curve, and we’re just not there yet.”

More on health care security:
Cloud use increases data security risk for health care organizations
Health care sector not doing enough to protect patient data
Will China use Anthem hack to jump start domestic health care?
Healthcare, banking companies issue easily spoofed emails