How to survive (if not prevent) a breach

When it comes to security risk assessments, 'I don't think we'll ever be done,' says one CIO. 'It's like a game of cops and robbers.'
By Mike Miliard
11:19 AM

Security breaches are no fun. Your organization's name is splashed all over the news. Your reputation takes a hit. Your patients' trust is eroded. And the prospect of a hefty monetary settlement is something few want to think about. But it's not the end of the world.

At the HIMSS Media/Healthcare IT News Privacy & Security Forum in Boston on Tuesday, a hospital CIO, a compliance expert and a law enforcement official offered a primer for preparing for and, hopefully, preventing a security breach. They also offered some tips for making the most of the situation should the unwelcome event occur.

In a session titled, "Preparing Now for How to Respond to the Security Breach You Hope Never Happens," Forest Blanton, senior vice president and CIO at Hollywood, Fla.-based Memorial Healthcare System; Nicole Keefe, director of IT at Santa Barbara, Calif.-based compliance consultants Novacoast; and Steve Morreale, chair of the criminal justice department at Worcester (Mass.) State University – and a former special agent at U.S. Department of Health and Human Services' Office for Civil Rights – had some advice for healthcare organizations: prepare, and don't panic.

The great danger of a security breach, of course, lies in "the unknown unknown," as panel moderator Jon Hale, vice president of security practice at Attachmate, put it.

That's why it's of utmost importance to familiarize yourself with HIPAA and subject your organization to a rigorous risk assessment. That includes getting definitive answers to two questions, said Keefe: "Where does the data lie, and who's touching the data?"

And the key to an effective assessment is to always be assessing, she said: "We see a lot of people scrambling around to make risk assessments at the time they need to be compliant – then it falls by the wayside, it's not an ongoing process."

With employees handling data every day, we can't simply "look at an assessment just like a checklist," said Blanton – a once-and-done review to make sure that technology systems are sound and compliant.

Indeed, the most damaging security problems are often "low-tech," he said, and can happen on any given day – employees stealing copies of face sheets, for example, or taking pictures with camera phones.

Health organizations "need to be concerned about identifying problems beforehand" and then being constantly vigilant about new ones that might crop up, said Morreale. "Know what you don't know."

It's crucial, he said, to recognize "what you have that other people might find useful." Social security numbers and addresses, especially those of elderly patients, are like catnip to malefactors.

Know who has access to data, and train everyone – right down to the interns – about the critical importance of keeping that data secure, said Morreale. "I don't care the size of the organization," he said. "Everything needs to have a risk assessment applied to it."

How do you know you're done? You probably never are.

"I don't think we'll ever be done," said Blanton. "It's like a game of cops and robbers, and technology is always moving."

He mentioned that audits at his hospitals turned up an almost never-ending trove of tools, from video cameras to printers, that posed a risk. "We end up with thousands of listings of things that are vulnerabilities, but that might not be the most important thing to put your attention on," said Blanton. "That's where the analysis of the risk, and where the threats are, becomes key. We could spend our whole lives fixing things that might not be that important."

When doing gap assessments, it's necessary sometimes to "triage," said Keefe, making a list on the areas to "focus on first," starting with the "low-lying fruit" and then planning out "different phases of remediation."

Even then, it's important not to lose sight of the big picture, said Blanton: "We need to make employees aware of the value of the information they're collecting."

Should a breach occur and OCR pay a visit, investigators' "simple approach is something we learned in 5th grade: who, what, when, why and how," said Morreale.

"I'm always going to ask, 'Tell me how this came about – who knew it? When did they know it? What did they do about it, and what are we going to do to prevent it?'" he said. "I'm asking those questions to see if you've nipped it in the bud. If you've put in some steps and processes to ensure this doesn't happen in the future. That begins to placate me that you're responding appropriately to trying to safeguard the information the government would expect you would take care of."

It's in the post-breach investigatory phase that technology – the right technology – has a key role to play.

"Who's going to look at thousands or millions of log files?" said Blanton. "If you don't have technology to go through those files, and spot aberrant behavior, it's a big problem."

Moreover, by putting in technology for identity and access management, "you can streamline what you're looking at within those logs," said Keefe.

As they're happening, it's important to remember the reasons for these investigations, said Morreale – and to realize that a breach does not necessarily mean criminal behavior.

"OCR will usually send you a letter or make a phone call first; if they're going to come in they'll usually let you know," he said. "And believe me, even as gun-toting federal agents, if we would walk in unannounced, I would tell my agents that not everything everyone does is fraudulent. It's mistakes, it's human error, it's lack of training, it's inadvertent. We have to give them the opportunity to explain it first, and then watch the way they react. Are they covering up? Or are they being reasonable and meeting our expectations?"

[See also: At $1.2M, photocopy breach proves costly]

Showing, not telling, is crucial when the government comes knocking, said Morreale.

"Show me the system. Explain it to me so I can understand. I'm not writing something you told me, I'm writing what I saw. I do my report that way. You can get a sense when you're walking around. They might seem nervous – and that's OK, they might be nervous that we're there – but nervous for a reason that seems other than they didn't do the job the way they were supposed to."

Post-breach, it's important to look on the bright side – or at least look for the lessons that can be learned and put into practice going forward.

"In our case, we looked where we had personally identifiable information stored and it turned out, quite frankly, to be pervasive throughout our system," said Blanton. "We spent a long time, six or eight months, figuring out where that information lies, who needs to have access to it, removing it entirely from systems if it's not necessary, finding a way to expunge the historical records.

"We did a lot of upgrades," he said. "We reviewed our password reset policies – we tightened them up. We put in processes to look at our affiliated physicians and their activity, to make sure that they're vouching that their employees legitimately have access to the information – we do that about every 90 days now."

On the technology side, "We're putting in network access control, loss prevention and identity management, those things that need to be in place. We continue to enhance the analysis of our usage."

Even though breaches are an unwelcome occurrence for any healthcare organization, "You have to keep your spirits up," said Blanton. "In the harsh light, things that looked OK don't look so good after all."

That's a hard fact. But it's also an opportunity to learn from one's mistakes, said Keefe, and then "really buckle down with policies and procedures."
