With cybersecurity breaches dominating the headlines — whether it’s Colonial Pipeline, Ireland’s Health Service Executive, or Scripps Health — one thing is becoming extremely clear: prevention isn’t the answer. Or, perhaps, more accurately, it’s no longer the primary weapon in battling cyberattacks. Instead, CISOs and other IT security leaders are focusing their energy on early detection and education.
“All the technology in the world isn’t going to prevent humans being humans,” said Anahi Santiago, CISO at ChristianaCare, during a recent panel discussion. In healthcare, the threats also come from the inside. But it’s not malicious actors who are most often responsible; it’s employees who unknowingly click on bad links. “That’s why I beat the drum around education, because if we don’t get that right, we don’t have a shot at getting security and privacy.”
That education, however, has to be approached the right way, and must take into account several different factors, according to Santiago, who explored the topic along with Glynn Stanton (CISO and Interim CTO, Yale New Haven Health System) and Nick Culbertson (Co-Founder and CEO, Protenus).
One of those factors is the set of regulations governing who can — and who cannot — access a patient’s record, noted Culbertson. “What’s interesting about security and privacy in healthcare is that HIPAA is a rule of exclusion. Unlike other industries where you can set up more robust, role-based access controls, in healthcare you need to audit every access to determine whether there’s an appropriate level of control,” he noted. “That puts a lot of pressure on privacy and security individuals to make sure those are in place.”
A Growing Ecosystem
Further complicating matters, according to Santiago, is the fact that “the ecosystem of individuals that need access to our EMR is growing more and more.” And it’s not just the EMR, but anywhere data are stored, including email, SharePoint sites, and file shares, to name a few. Making sure users understand that is a core component of a successful security strategy, she added. “They need to know where data reside. They need to know that we are auditing access to information, and that they have a duty to ensure they’re only accessing information for treatment, payment, and other healthcare related operations.”
This is where education and awareness play a critical role. “Information security professionals need to stop being the agent of ‘no,’ and start being the agents of ‘know,’” Santiago said. “We need to promote patient safety by allowing that access and then putting guardrails in place to really flush out what we believe to be nefarious activity.”
Making It Personal
Of course, it isn’t just about education. Another piece that has become increasingly vital is training, said Culbertson — but it can’t be a one-shot deal. Much like the approach used to stave off phishing attacks, training needs to happen continually. And when someone does click on the link during a simulated attack, security teams must provide “personalized, on-the-spot training,” he added. “That’s so much more effective.”
The same holds true with HIPAA violations or security breaches. “If someone is doing something that’s outside of their role or responsibility, early warning signs can detect that they’re going down a bad path and help deter that.”
Organizations can also leverage mechanisms like data loss prevention to help monitor and control patient health information. This, however, can be a slippery slope, according to Stanton. “One thing that makes healthcare very different is that patient care is always going to be the priority. Based upon that, we have to be very careful about implementing preventive controls and making sure they don’t interfere with patient care.”
Culbertson agreed, cautioning that if a physician can’t access patient data during an emergency, the system that blocked the information will be circumvented, if not removed altogether. “There’s no margin of error on that front.”
Augmenting the Human Eye
It’s precisely why Stanton’s team has steered away from real-time alerts, choosing to focus more on detection and auditing. Protenus’ system, which leverages an artificial-intelligence platform to generate alerts, has been “a real benefit,” he noted. By using analytics to learn what types of access Yale New Haven considers to be malicious, it has helped create higher-quality alerts, which in turn has reduced the workload.
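As an added illustration of the audit-every-access model Culbertson describes and the out-of-role early-warning signs mentioned above (example code written for this page, not Protenus’ product or any panelist’s system), the following Python reviews constructed EMR access-log lines and flags, rather than blocks, accesses with no documented treatment, payment or operations purpose. The care team, role table and log lines are all constructed sample data.

```python
from collections import namedtuple
# Constructed sample data (not from the article): each patient's documented care team
CARE_TEAM = {"P-100": {"dr_lee", "rn_patel"}, "P-200": {"dr_ortiz"}}
# Constructed role table; "billing" stands in for roles with payment/operations duties
ROLES = {"dr_lee": "physician", "rn_patel": "nurse", "dr_ortiz": "physician",
         "billing1": "billing", "it_admin": "it"}
OPERATIONAL_ROLES = {"billing"}
CLINICAL_ROLES = {"physician", "nurse"}

# Constructed audit log: timestamp,user,patient,action (one access per line)
AUDIT_LOG = """\
2021-06-01T08:02:11,dr_lee,P-100,view_chart
2021-06-01T08:05:40,rn_patel,P-100,view_meds
2021-06-01T09:10:03,billing1,P-200,view_claims
2021-06-01T11:47:59,dr_ortiz,P-100,view_chart
2021-06-01T13:22:15,it_admin,P-200,view_chart
2021-06-01T23:58:00,dr_ortiz,P-100,view_notes
"""
Alert = namedtuple("Alert", "when user patient action reason")

def review_access_log(log_text, care_team, roles, operational_roles, clinical_roles):
    """Audit every logged access and return those lacking a treatment, payment
    or operations purpose. Nothing is blocked: this is after-the-fact review."""
    alerts = []
    for line in log_text.splitlines():
        when, user, patient, action = line.split(",")
        role = roles.get(user)
        if user in care_team.get(patient, set()):
            continue  # treatment relationship is documented
        if role in operational_roles:
            continue  # payment / healthcare-operations duty covers this access
        if role in clinical_roles:
            reason = "clinician with no treatment relationship to this patient"
        else:
            reason = f"role '{role}' has no clinical or operational duty on this record"
        alerts.append(Alert(when, user, patient, action, reason))
    return alerts

def repeat_offenders(alerts, threshold=2):
    """Users with at least `threshold` alerts, for targeted follow-up training."""
    counts = {}
    for a in alerts:
        counts[a.user] = counts.get(a.user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    found = review_access_log(AUDIT_LOG, CARE_TEAM, ROLES, OPERATIONAL_ROLES, CLINICAL_ROLES)
    print(*found, sep="\n")
    print("follow up with:", repeat_offenders(found))
```

On the constructed log this yields three alerts (two for dr_ortiz, one for it_admin) while the billing user’s access passes as a payment activity, mirroring the treatment/payment/operations test the panel describes.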
The demand for that type of knowledge, according to Santiago, is only going to grow, particularly as more organizations adopt continuous auditing and monitoring strategies. “Having machine learning and the ability for automation to augment the human eye will become increasingly important.”
What’s encouraging, according to Culbertson, is that the vast majority of incidents are isolated. According to Protenus research, the likelihood that an individual will repeat an offense after being reprimanded and educated is around 2 percent. That means “if you’re catching it, you’re curtailing it,” he said. “If you don’t catch them, it goes undetected.”
The final piece involves something that can never be overlooked, especially when it comes to security: having the right processes in place. “You can’t just throw technology at a problem and expect all patient records to be protected,” said Culbertson. “You need to think about the workflow around the solution you’re using, and you have to have very clear policies and processes in place so you know what to do if there’s an incident.”
Doing so requires close collaboration among different groups, including IT, security/privacy and human resources. Without that partnership, and without ensuring all stakeholders have a firm grasp of the steps that need to be taken to remediate the problem, “it can be very difficult to solve it in a timely and efficient way,” he noted. “Building out those policies and procedures in advance and building a program around the technology is the best practice when trying to solve this problem.”
The archive of this webinar — Grappling with Security and Compliance-Related Challenges in the Age of COVID (Sponsored by Protenus) — is available for viewing.