Global Edition
Privacy & Security

Implementation best practices: The optimal way to approach security

Three healthcare cybersecurity experts showcase the most effectual strategies CIOs and CISOs can take when erecting defenses against criminals seeking valuable patient information.
By Bill Siwicki
October 23, 2019
12:39 PM

Security technologies and strategies have never been more important in healthcare than they are today. Healthcare provider organizations are one of the top targets of hackers today. The criminals are looking for those treasured electronic patient records, which fetch a hefty price on the dark web.

Healthcare CIOs and CISOs have to erect powerful defenses to keep evildoers at bay. And there are good approaches to take to healthcare cybersecurity technology and less effectual approaches. It’s important for health IT and health security leaders and workers alike to know the best ways to implement security technologies and to think about security in general.

Here, three healthcare cybersecurity experts offer their decades of experience to help CIOs, CISOs and others when it comes to best practices for safeguarding patient data and implementing security technologies.

Right off the bat, resilience

When implementing any new security technology, it should be reviewed for how it supports the organization’s resilience posture, said David Tobar, senior cybersecurity engineer at the Software Engineering Institute’s CERT Division at Carnegie Mellon University.

“Resilience is the capability for an organization to continue to operate, even when under attack, and to recover quickly when attacked,” he explained. “Establishing resilience requires implementing not just core functional requirements that a technology might provide, but also ensuring that the practices supporting it are institutionalized such that they will continue to operate even in times of organizational duress.”

"A good place to start in establishing resilience is with hygiene practices."

David Tobar, Software Engineering Institute’s CERT Division

Institutionalization of practices is what drives resilience, Tobar continued. Establishing it involves a number of additional supporting activities, including governance, configuration management, resources, training, and involvement by stakeholders and higher level management, he said.

“A good place to start in establishing resilience is with hygiene practices,” he suggested. “Basic hygiene practices should include lifecycle management practices such as managing hardware and software assets – maintaining inventories and upgrading systems to avoid having them become unsustainable – vulnerability management practices – patching systems for vulnerabilities – and additional controls on administrative privileged accounts.”

Encryption best practices

Sean Atkinson, chief information security officer at the Center for Internet Security, advised that healthcare provider organizations need to take encryption practices very seriously when implementing new security technologies and approaches.

“Implementing new technology is both exciting and scary,” he said. “It is critical to understand the underlying threat to properly define the controls and risk mitigation strategies necessary to deploy security technology. The threat and the value of healthcare rely on data exchange, primarily the personal health information they generate, store and transmit.”

Loss of data can occur anywhere throughout the chain. If one thinks of a security technology to assist in the control of access to this data, encryption is critical, Atkinson contended. If the data is encrypted, it becomes a simple process of key management and access control based on a need to know, he said. Once the need to know is established, the ability to decipher the information will allow for controlled access to the data.

“So why encrypt? The process is twofold,” he explained. “The data should be encrypted both at rest and in transit. The storage of data should be encrypted to mitigate unauthorized access, as it is possible for misconfiguration of a storage device, which could lead to data loss. However, with the data encrypted the value of the data is minimal.”

Data in transit

Second, when the data is in transit, access will be required at the data storage location point, application interfaces (the system requesting the data) and the transmittal across a network from storage to user, he added.

"It is critical to understand the underlying threat to properly define the controls and risk mitigation strategies necessary to deploy security technology."

Sean Atkinson, Center for Internet Security

“Therefore, this connection must be secure from eavesdroppers,” Atkinson said. “With the encryption mechanisms in place, the data loses its value because it is no longer ‘plain text’ but cipher text, thereby rendering it unreadable. When encryption standards are used appropriately, the ability to ‘crack the code’ becomes a lengthy and cumbersome process and in some cases impossible. Thereby diminishing the worth of the data.”

Overall, when encryption mechanisms are in place for the storing and transmission of health data, security is strengthened and privacy is protected, he said.

Preparing for ransomware attacks

Although ransomware attacks on city and state government systems have been making headlines recently, hospitals remain a target of choice for ransomware attacks. After all, when vital hospital computer systems are shut down, patient safety is placed at risk, leaving few options for hospital administrators.

Unfortunately, if a healthcare organization is the victim of a ransomware attack, the only response then is reactive. But planning for resilience is a proactive approach that can help prepare and protect an organization for many types of attacks, including ransomware.

“Further preparations to counter ransomware attacks should include updating incident and disaster response plans to include ransomware response options,” said Tobar of Carnegie Mellon University. “The most effective way to deal with ransomware attacks is to have regular, verified data backups. Plans for reliable backups – particularly of key systems and servers – should consider restoral times based on downtime impacts.”

Backups should be tested regularly as part of response exercises and should include worst-case scenarios for operating without computer systems, Tobar added. Training staff and conducting exercises are vital to smooth operational responses, he said.

Ransomware basics

Basic activities for reducing the risks of ransomware attacks, according to Tobar, include:

  • Backup critical data regularly (and keep it offline so it isn’t impacted by an attack).
  • Keep systems updated and patched.
  • Train employees regarding ransomware and exercise a response plan.
  • Employ antivirus/spam filters to scan downloads and emails with links to ransomware.
  • Whitelists are a good way to prevent running of applications that are not approved.

"Paying the ransom should be avoided if at all possible,” Tobar warned. “It may be a quick way to resolve your crisis, but it also encourages the continuation of the criminal cycle and its spread to others. Instead, organizations should manage ransomware risk by strengthening their cybersecurity posture and improving their plans for ransomware protection, detection, analysis and response.”

It also is worth noting that some ransomware attacks may be undone by openly available encryption recovery tools. Europol has a repository of keys and applications that can decrypt data locked by some types of ransomware (available at No More Ransom, click here). And there are recommendations from the FBI (click here), and those recently released by the DHS Cybersecurity and Infrastructure Security Agency (click here).

Internet of Things device monitoring

On another front, as the Internet of Things continues to grow, device monitoring within the healthcare industry is a critical component, said Atkinson of the Center for Internet Security.

“Each connected device is uniquely complex and requires an understanding of the security controls that should be implemented,” he explained. “With the prevalence of multiple connected devices within the healthcare environment, the need to centrally log and monitor usage and access is a must. These connected devices are a weak point within the infrastructure.”

"In the rush to hold off an attack, many providers overlook the fact that healthcare networks are like computer hard drives. It’s not a question of if they will fail, but when."

Paul Cerrato, author, “Protecting Patient Information”

Because of the increasing demand of internet connectivity, the access and footprint of connected devices is part of an ever-expanding attack surface.

“The threat of privacy and data exposure becomes a concern when there is a lack of visibility into the connected devices, if a system is incorrectly configured, or when out-of-the-box solutions are vulnerable to attack,” he said. “Through functionality and utilization of the data generated from connected devices, there is no going back. It is of critical importance to ensure proper diligence in the visibility and monitoring of connected devices.”

Rapid response teams

While preventive measures are absolutely critical when implementing security technologies and strategies, it’s also important at the same time to consider the aftermath of an attack if the technologies and strategies fail.

“Emphasizing the importance of a rapid response team doesn’t imply there’s no need for preventive measures: To an adage, ‘Hope for the best, prepare for the worst,’” said Paul Cerrato, a cybersecurity expert and author of the book “Protecting Patient Information.” “One of the most vexing issues to prepare for is a medical device data breach. Securing infusion pumps, EKG machines and other hardware has become more challenging in recent years because many of them are now connected to the internet or the hospital’s computer network.”

The unending turf war between a provider organization’s IT staff and the device manufacturers makes it even harder to prevent a breach, he added.

“Both parties want to keep hackers at bay, but their priorities are somewhat different,” he explained. “Manufacturers’ main concern is keeping patients safe by making sure their software delivers the correct dose of medication or accurately transmits electrical signals from an EKG lead. To do that, many companies essentially lock out a hospital’s technicians, increasing the vulnerability to a cyberattack. That’s especially worrisome when dealing with legacy medical devices.”

Federal regulators stepping in

The situation has attracted the attention of federal regulators, including the FDA, which has issued a draft guideline for device manufacturers so that they can build strong cybersecurity into their products from the ground up, rather than play catch-up with all sorts of aftermarket security patches.

“The guidelines urge vendors to adhere to the NIST cybersecurity framework,” Cerrato said. “The device should also be designed to notify users if it detects a potential data breach, and have the ability to recover services that were compromised by the incident. Lest some healthcare providers think this concern about medical device breaches is an overreaction, the agency lists several vulnerabilities, including risks in certain Medtronic insulin pumps, wireless telemetry in implantable cardiac devices and more.”

Of course, all the advice on how to build a secure medical device does nothing to address the threat posed by legacy devices, he added. There are, however, several security firms with expertise in this area, sometimes labeled Medical Device Data Security as a Service, he noted.

Not if, but when

Common sense might suggest that closing the barn door after the horse escapes is pointless, but when it comes to health data security, that approach may actually be smarter than one thinks, Cerrato advised.

“There’s a long list of technological tools to help prevent a data breach, including new penetration testing platforms, email protection software that detects phishing threats, and mobile device management systems,” he said. “But in the rush to hold off an attack, many providers overlook the fact that healthcare networks are like computer hard drives. It’s not a question of if they will fail, but when.”

In his book “Protecting Patient Information,” Cerrato devotes a chapter to “Preparing for and coping with a data breach.” That is part of the HIPAA regulations, which include an implementation specification: “Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.”

“Fortunately,” Cerrato said, “there are several vendors to help providers manage this responsibility with the latest technology, including big players and small players. The Federal Trade Commission and other government agencies also offer practical advice. Closing the barn door after a hacker compromises your patient data may not be the ideal situation, but pretending that it will never happen doesn’t make a lot of sense either.”

Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com
Healthcare IT News is a HIMSS Media publication.

 Prepare for next-gen cybersecurity threats and join the #HITsecurity discussion at the HIMSS Healthcare Security Forum this Dec. 9-10 in Boston.

Health IT implementation best practices

This 20-feature series examines in-depth what it takes to deploy today's most necessary technology and tools.

Topics: 
Compliance & Legal, Network Infrastructure, Privacy & Security

More regional news

Capitol rotunda at sunset

Congress releases AI policy blueprint

By
Andrea Fox
December 20, 2024
Epic booth at HIMSS global conference

Epic files to dismiss antitrust lawsuit

By
Andrea Fox
December 20, 2024
Representatives of NUS Medicine, Kailuan General Hospital, Tianjin Medical University, and Tianjin Medical University General Hospital pose after signing their MOU

Chinese hospitals join NUS Medicine's big health data project

By
Adam Ang
December 19, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Capitol rotunda at sunset
Congress releases AI policy blueprint

Most Read

Aidoc, NVIDIA intro new plan to speed AI adoption in healthcare
Winning cybersecurity warfare is the ultimate millstone for CISOs
A passwordless future for clinicians? Industry paper points to a new paradigm
White House OMB is reviewing proposed cybersecurity updates to HIPAA
HC3 alerts providers of Scattered Spider threat
New Oracle EHR promises AI-enabled reinvention

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

Video

John Saran at Holland & Knight_Modern office buildings in London Photo by Tim Grist Photography/Moment/Getty Images
PE and healthcare investment: What's next for 2025
Sponsored by
Healthcare worker talking to patient
New infusion pumps may help lighten nurses’ workload
Dr Chien-Tzung Chen 4t Linkou Chang Gung Memorial Hospital_HIMSS24 APAC
Linkou Chang Gung Memorial Hospital eyes remote patient monitoring at home
Dan Torrens at eHealth Technologies_Blockchain in healthcare concept Photo by ArtemisDiana/iStock/Getty Images Plus
Getting providers from point A to B

More Stories

Dr. Eric Liederman, CEO of CybersolutionsMD
Q&A: CybersolutionsMD CEO on preventing cyberattacks
Change healthcare booth
Nebraska sues Change Healthcare over ransomware attack
Vijayashree Natarajan of Omega Healthcare on AI
Three for 2025: data security, cancer informatics and agentic AI
Capitol Hill
Congress looks set to extend telehealth and hospital-at-home flexibilities
Josh Di Frances at LG NOVA_Top down view of startup team Photo by NanoStockk/iStock/Getty Images Plus
What a startup pitch competition shows about IT innovation
Ravi Teja Karri of Froedtert Health on AI
Using AI and ML in predictive analytics for bed demand forecasting
Abstract image of AI brain and technology
ASTP updates HHS AI Use Case Inventory for 2024
Female doctor on laptop smiles at patient in foreground who is taking notes
Report shows overwhelming doctor support for virtual care