Technological advancements and healthcare go hand in hand. This is evident throughout history. While those technological advancements weren’t always embraced upon first revelation (I’m thinking of the discovery of the correlation between microbes, sterilization, and secondary infections in surgical procedures), they have eventually found their place in medical practice, and society has reaped the benefits. With the advent and widespread adoption of computers in professional settings, the benefits of technological advancements have drastically decreased the amount of time a patient must wait. We have gone from weeks and sometimes months between initial diagnosis of a disease and confirmatory diagnostic imaging, labs, and second opinions to days or even hours. Unfortunately, while these advances in timeliness are of great benefit to healthy outcomes for patients, they also expose patients’ personal data to harmful outcomes. The use of computers to communicate effectively between healthcare providers, diagnostic labs, and imaging also creates a wealth of opportunities for patient data to become compromised. This is evident in the sheer volume of ransomware attacks directed at the healthcare sector that we see in the headlines daily. While the Healthcare Information Portability and Accountability Act (HIPAA) and the subsequent Health Information Technology for Economic and Clinical Health (HITECH) Act lay out some of the minimal acceptable security standards to be deployed and the penalties for neglecting to protect patients’ data, combined they do little to instruct healthcare providers on how to meet those standards and avoid the penalties. For this Qubit, we will provide an overview of the 5 functions of an effective cybersecurity program that healthcare providers and their information technology (IT) teams should embrace to ensure that they are doing more than the minimum when it comes to protecting their patients’ data as much as they do their patients’ health.
The National Institute of Standards and Technology (NIST) provides standards that federal governmental entities and their contractors must follow. These standards are used across multiple industries and are generally accepted as industry best practices. The upside to these federal standards is that they are publicly available. When it comes to cybersecurity, the NIST standards and controls provide frameworks that many experts in cybersecurity follow or modify to best fit their market needs. We here at Quantum Vigilance currently utilize the Center for Internet Security’s (CIS) Critical Security Controls as our preferred framework. Whether we are talking about NIST or CIS, both look at a cybersecurity program through the lens of 5 functions: identify, protect, detect, respond, and recover. We will touch on each of these 5 functions briefly.
A good cybersecurity program cannot exist in a vacuum. It will never be a single appliance, application, or policy that will protect an entire business. Along the same vein, a cybersecurity program cannot be expected to run successfully if there is little to no insight as to what is being protected. Healthcare providers and their IT teams (combined to create a cybersecurity team) must understand the data that needs to be protected as well as the systems they can be found in and the networks they traverse.
When it comes to healthcare providers, the 2 most important streams of data related to patients are protected health information (PHI) and personally identifiable information (PII). PHI and PII can have long-lasting, even devastating effects on patients’ lives if they become freely available. The protection of this information should be the top priority for a cybersecurity program. As such, a good cybersecurity team should know what systems (both hardware and software) house and process patients’ PHI and PII. Finally, the cybersecurity team should have insight into the networks that patients’ PHI and PII traverse when interacting with those systems. By identifying the systems and networks involved, a cybersecurity team can begin to map out the IT ecosystem that needs to be protected. Without first identifying all of the above, a cybersecurity program will be destined to fail.
Once the data, systems, and networks to be protected have been identified, the cybersecurity team can shift to protecting each item. For data, that can mean making sure the data is encrypted both at rest (when not in use) and in transit (when being transmitted). For systems (again, both hardware and software), this means ensuring that updates and security patches are applied in a timely fashion (preferably automatically). Additionally, safeguards can be put in place to decrease the chances of unauthorized access to systems (for example, the implementation of multifactor authentication and automatic screen locks when computers are idle). Protection of the network should include firewall rules that deny unauthorized access to network addresses and ports inside the protected network.
After the cybersecurity team has identified and protected the healthcare provider’s data, systems, and network, we could walk away knowing we’ve done a good job at this point. Clearly, we can’t; otherwise we wouldn’t be at function 3 of 5.
Despite a cybersecurity team’s best intentions and perfect implementation of a cybersecurity program, cyberspace is constantly evolving, with new threats and dangers cropping up daily. As such, a good cybersecurity program will have systems in place to collect and analyze information regarding data, system, and network usage and access. This often becomes a sticking point for many cybersecurity programs. They may have a system in place to collect and analyze activity across their IT ecosystem, but its output is not regularly monitored. Without active monitoring, it is hard to move on to the next function before a cyber event evolves into a cyber incident.
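The paragraph above describes collecting and analyzing access records but does not show what "active monitoring" looks like in practice. The following is an added example, not code from Quantum Vigilance or from this article: it runs two simple detection rules over a constructed, line-based EHR audit log. The log format (`timestamp user action patient_id outcome`), the user names, the patient IDs, and the thresholds (5 failed logins within 10 minutes; more than 20 distinct patient records viewed within 5 minutes) are all assumptions chosen for illustration, not values from any real system.

```python
"""Added example (not the article's code): minimal detection rules over a
constructed EHR access-audit log, illustrating the "detect" function.

Assumed (hypothetical) line format:  <ISO timestamp> <user> <action> <patient_id|-> <OK|FAIL>
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Return constructed audit lines: a normal nurse, a burst of failed logins
    for a billing account, and a clerk paging through many patient records."""
    lines = [
        "2024-03-01T08:00:05 nurse_a VIEW_RECORD P1001 OK",
        "2024-03-01T08:02:10 nurse_a VIEW_RECORD P1002 OK",
        "2024-03-01T08:03:00 billing_b LOGIN - FAIL",
        "2024-03-01T08:03:07 billing_b LOGIN - FAIL",
        "2024-03-01T08:03:15 billing_b LOGIN - FAIL",
        "2024-03-01T08:03:22 billing_b LOGIN - FAIL",
        "2024-03-01T08:03:30 billing_b LOGIN - FAIL",
        "2024-03-01T08:03:40 billing_b LOGIN - OK",
    ]
    # 25 distinct records viewed 10 seconds apart (constructed bulk access).
    base = datetime(2024, 3, 1, 8, 10, 0)
    for i in range(25):
        ts = (base + timedelta(seconds=10 * i)).isoformat(timespec="seconds")
        lines.append(f"{ts} clerk_c VIEW_RECORD P{2001 + i} OK")
    return lines


def parse_line(line):
    """Split one audit line into a dict with a parsed timestamp."""
    ts, user, action, patient, outcome = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "patient": patient, "outcome": outcome}


def detect_failed_logins(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a user with >= threshold failed logins inside a sliding window."""
    findings = []
    times_by_user = defaultdict(list)
    for e in events:
        if e["action"] == "LOGIN" and e["outcome"] == "FAIL":
            times_by_user[e["user"]].append(e["ts"])
    for user, times in times_by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # drop events that fell out of the window
            if end - start + 1 >= threshold:
                findings.append((user, "failed_login_burst", end - start + 1))
                break  # one finding per user is enough for triage
    return findings


def detect_bulk_record_access(events, max_distinct=20, window=timedelta(minutes=5)):
    """Flag a user who views more than max_distinct different patient records
    inside a sliding window (a common sign of snooping or data staging)."""
    findings = []
    views_by_user = defaultdict(list)
    for e in events:
        if e["action"] == "VIEW_RECORD" and e["outcome"] == "OK":
            views_by_user[e["user"]].append(e)
    for user, views in views_by_user.items():
        views.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(views)):
            while views[end]["ts"] - views[start]["ts"] > window:
                start += 1
            distinct = {e["patient"] for e in views[start:end + 1]}
            if len(distinct) > max_distinct:
                findings.append((user, "bulk_record_access", len(distinct)))
                break
    return findings


def run_detections(lines):
    """Parse the log and apply every rule; returns a list of findings."""
    events = [parse_line(line) for line in lines if line.strip()]
    return detect_failed_logins(events) + detect_bulk_record_access(events)


if __name__ == "__main__":
    for finding in run_detections(build_sample_log()):
        print(finding)
```

The point of the example is the monitoring loop rather than the thresholds: the log is only useful once something reads it continuously and surfaces findings to a person who will act on them. In a real deployment the same rules would run on a schedule against the audit feed of the EHR and would be tuned to the provider's normal workload so that a nurse's routine chart review is not flagged while a burst of failed logins or a sudden sweep through many patient records is.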
As I alluded to in function 3, a cyber incident can happen regardless of the caliber of the cybersecurity program. The difference lies in the ability of the members of the cybersecurity team to respond to the cyber incident. A good cybersecurity program should have an incident response plan ready to implement. Members of the healthcare provider’s management team should be working in close concert with the cybersecurity team (ideally there is a member of the C-suite on the cybersecurity team, if only as an advising member) to respond to a cyber incident. There is an ancient Greek maxim that states, “we will not rise to our levels of expectation, but instead fall to our levels of preparedness.” A business with a cybersecurity program that has an incident response plan in place, and has performed exercises based on the plan, will fare far better than the business with no plan at all.
The final function (this is a misnomer, but I will get to that in a minute) of a good cybersecurity program is the recover phase. This is the point where the cybersecurity team has isolated the cyber incident and mitigated any ill effects. The cybersecurity team must be able to bring systems back up and running so that the healthcare provider can return to operational status. In addition to bringing systems back up, the recovery phase should also include a debriefing where members from across the organization can provide feedback on which action steps worked, which didn’t, and which can be added to improve future incident responses.
I mentioned that calling recovery the final function is a misnomer because a cybersecurity program as a whole is cyclical. Cybersecurity is not a one-and-done act. Good cybersecurity programs are constantly rotating through the functions, sometimes even switching back and forth between them. Cybersecurity professionals need to adapt to changes as they occur in the workplace and understand that cybersecurity does not exist for its own sake. Cybersecurity needs to enable businesses to succeed, especially when it comes to healthcare providers.
Cyber incidents (I’m looking at you, ransomware) and healthcare providers are becoming increasingly intertwined. While a cybersecurity program is no guarantee that a medical office won’t get hit, a good cybersecurity program can help your office survive a targeted attack. We can help your cybersecurity program with a Risk Assessment and Gap Evaluation Report (RAnGER) that will provide a solid foundation in the identify and protect functions. We can also guide your cybersecurity program as it grows and matures. We here at Quantum Vigilance want to help your business meet the challenges in cybersecurity and provide guidance you will understand.