The healthcare industry is undergoing a radical reform from HIPAA to HITECH with the passage of legislation to (a) impose civil and criminal penalties for willful neglect, and (b) adopt Electronic Health Records (EHR), with implications for the security of electronic Protected Health Information (ePHI) across the supply chain, including providers and business associates. These two key provisions will drive how CIOs and CISOs in the healthcare industry must develop processes and policies for compliance and enforcement.

While a policy, by any standard, is merely a stipulation of conditions and actions to address a situation, processes require a series of enforceable, repeatable steps to achieve measurable and desired outcomes. The paradigm shift in healthcare is set to break barriers - piles of paper silos will transform into electronic silos, and data that was traditionally "fenced in" is "outsourced" to on-shore and/or off-shore business associates. This shift will require critical rethinking of "security across organization silos" where providers, beneficiaries, and business associates operate across IT silos with varying degrees of threat, vulnerability and risk exposure.

Cyber risks are associated with data at rest, data in flight and data in process. Each state of data requires different technologies and processes to enforce policies - e.g. encryption of data at rest to protect against impermissible use of data, use of private-public keys to secure data in motion on the network, and measurable trustworthiness of the device and platform associated with the data in use.

The threats that must be addressed in the healthcare sector to prevent data breaches at the various touch points may be broadly categorized as insider threats (authorized users, unpermitted use), device level infection, and network level compromise.
The challenges in the healthcare ecosystem, therefore, include:

o Users: Administrators (Admission to Discharge), Physicians, Clinical Technicians, Nurses, Healthcare Workers & Assistants, Interns, Suppliers, Contractors
o Devices: Laptops, Desktops, Servers, Network Devices, Medical Devices, BYOD, Smartphones, Virtual Desktop Infrastructure, Virtual/Cloud Servers
o Networks: Remote Access (VPN), Wireless, Partner Access Networks (Business Associates, Insurance Providers, Pharmacies)

The workflow necessitates that electronic health records be protected from womb-to-tomb - from beneficiary to provider and business associates. The data therefore transits multiple IT silos, across managed and unmanaged realms. This requires policies and processes to continuously monitor the healthcare ecosystem for detection of risks, indicators of a breach, and analysis of a security episode for remediation and breach notification to restore business operations to a trustworthy and normal posture.

The evolution of threats over the decade is clearly indicative of the diversity of methods, motives and means that hackers and cyber criminals use to conduct nefarious activities undetected. The attacks have evolved from social hacktivism, theft of intellectual property for financial gain, and damage to critical assets or infrastructure, to ransomware (cyber blackmail). It is therefore critical for security stakeholders in the healthcare industry to take note and address the threats through both technology innovation and process enhancement. The technologies of the past decade (Intrusion Detection Systems, Intrusion Prevention Systems, and Firewalls) have been reactive solutions aimed at malware detection, victim (system) analysis, and malware (breach) analysis to derive well-known signatures to thwart repeat attacks.
This does not solve the problem and only emboldens the cyber criminals to morph signatures and strike again without remorse.

Understanding how cyber-attacks are conceived, planned and executed with precision requires approaches analogous to those of the healthcare profession - connecting biological markers to clinical symptoms. The DNA of a threat characterizes the behavior model and life cycle stages of malware across the controls evaded, devices infected and network compromised. In intricate IT parlance, this translates to network dialog correlation, user-application-system action sequence correlation, and cognitive behavior recognition to analyze the evidence and identify the active risks that require countermeasures as a treatment.