Friday, July 31, 2015

Healthcare Resources - Keeping Security Strategy Healthy

As the healthcare industry constantly evolves, every component of operational support must evolve as well. Security is one critical area that must strive to keep pace with industry changes, stay current with regulatory compliance mandates and utilize data to stay ahead of the curve. When intelligence is culled, analyzed and viewed as a source of continuous improvement, proactive security programs are the result.

What trends and data do healthcare security professionals need to assess?

Trade Associations: The International Association for Healthcare Security & Safety (IAHSS) and ASIS are key drivers in establishing protocols to assess, measure and implement healthcare security strategy, and both provide information and resources.

National Resources: Workplace violence in healthcare is a growing concern. According to the Bureau of Labor Statistics, nearly 60 percent of all nonfatal assaults and violent acts in the workplace occurred in the healthcare and social assistance industry. The Occupational Safety and Health Administration (OSHA) offers a Workplace Violence Safety and Health Topics page with information that can help security professionals effectively evaluate their workplace.

Regulatory Agencies: An effective healthcare security program must be in-tune with and apply the direction of a variety of accrediting bodies including OSHA, The Joint Commission, CMS, DNV, and NFPA, as well as state and local regulators.

Local Data: Analysis of what is happening in the community is essential. Crime statistics, population trends, community events, and anticipated weather events can help the facility’s security team be more prepared.

On-site Trends: Ongoing review of on-site security trends can aid in the evolution of a security strategy and security officer deployment that is predictive rather than reactive. Frequent incidents in a particular area of a hospital could be addressed with a change in procedure or staffing.

Security Best Practices: In addition to industry benchmarks, information and best practices shared among peers creates additional opportunities for continuous improvement and success.

A data-driven approach to security must be comprehensive and cognizant of the evolving nature of the industry and the facility. Review and then ask yourself… what additional information do I need to continue to move my security program forward?

Wednesday, July 8, 2015

Social Engineering in HealthCare

The weakest link in an information security program is people. Hackers have known this for a long time and have refined the art of social engineering. By convincing someone to do something that isn’t in their best interest, malicious individuals are able to launch devastating attacks on organizations.

One method in which the hackers prey on their victims is through phishing. This attack vector utilizes electronic communication that appears to be trustworthy. Through this vehicle, hackers attempt to obtain sensitive information about their victims such as credentials, credit card information, and even more coveted protected health information.
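Most phishing messages of the kind described above give themselves away in the headers and links before anyone clicks: a display name that impersonates the organization while the address does not belong to it, a sender domain one character off from the real one, a Reply-To pointing somewhere else, and link text that shows a familiar URL while the href goes elsewhere. The following is an added example, not code from the original post or from any of the organizations it mentions; it checks a raw email for those indicators. The trusted domain `example-health.org` and the two messages are constructed for illustration.

```python
"""Flag common phishing indicators in a raw RFC 5322 email (added example, not from the post)."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical: the domains this organization legitimately sends mail from.
TRUSTED_DOMAINS = {"example-health.org"}

# Phrases that pressure the reader into handing over credentials.
LURE_PHRASES = ("verify your password", "will be suspended",
                "confirm your account", "update your credentials")


def domain_of(address: str) -> str:
    """'Help Desk <x@sub.example.org>' -> 'example.org' (naive registrable domain)."""
    _, addr = parseaddr(address)
    host = addr.rsplit("@", 1)[-1].lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """Within two edits of a trusted domain but not equal to it (e.g. examp1e-health.org)."""
    return domain not in TRUSTED_DOMAINS and any(
        0 < edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS)


def analyze(raw: str) -> list[str]:
    """Return a list of human-readable phishing indicators found in the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_hdr = str(msg.get("From", ""))
    display, _ = parseaddr(from_hdr)
    from_dom = domain_of(from_hdr)

    if is_lookalike(from_dom):
        findings.append(f"sender domain {from_dom!r} looks like a trusted domain")
    # Display name names the organization while the address does not belong to it.
    if from_dom not in TRUSTED_DOMAINS and any(
            t.split(".")[0].replace("-", " ") in display.lower() for t in TRUSTED_DOMAINS):
        findings.append(f"display name {display!r} impersonates the organization")
    reply_dom = domain_of(str(msg.get("Reply-To", ""))) if msg.get("Reply-To") else ""
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    # Link text that shows one URL while the href points at a different host.
    for href, label in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', text, re.I | re.S):
        shown = re.sub(r"<[^>]+>", "", label).strip()
        if shown.startswith(("http://", "https://")):
            if urlparse(shown).hostname != urlparse(href).hostname:
                findings.append(f"link text {shown!r} hides a different target {href!r}")
    lowered = re.sub(r"<[^>]+>", " ", text).lower()
    for phrase in LURE_PHRASES:
        if phrase in lowered:
            findings.append(f"credential lure: {phrase!r}")
    return findings


# Constructed sample: a credential-harvesting lure impersonating the help desk.
PHISH_SAMPLE = """\
From: "Example Health IT Help Desk" <helpdesk@examp1e-health.org>
Reply-To: helpdesk@mail-recovery.example
To: nurse@example-health.org
Subject: Action required: verify your mailbox
Content-Type: text/html

<html><body>
<p>Your mailbox will be suspended. Verify your password here:</p>
<a href="http://login.mail-recovery.example/owa">https://webmail.example-health.org/owa</a>
</body></html>
"""

# Constructed sample: a legitimate notice from the real domain.
BENIGN_SAMPLE = """\
From: "Example Health IT Help Desk" <helpdesk@example-health.org>
To: nurse@example-health.org
Subject: Scheduled maintenance
Content-Type: text/plain

Webmail will be unavailable Saturday 02:00-04:00 for patching.
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, analyze(sample))
```

The heuristics are deliberately simple and will miss a sender who controls a plausibly named domain or a compromised legitimate account; they are the checks a mail gateway rule or a triage script runs first, not a replacement for user reporting and multi-factor authentication on mailboxes.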

The healthcare industry has always been about helping people; however, when it comes to privacy and security, being too helpful isn't always a good thing. Partners Healthcare realized this when a group of its employees fell victim to phishing emails. On November 25, 2014, hackers convinced some Partners employees to respond to a phishing email, which gave the hackers access to those employees' email accounts. This eventually led to the compromise of approximately 3,300 patient records.

In another unfortunate example, Texas-based Seton Healthcare Family, a part of Ascension Health System, became a victim of a compromise of protected health information on 39,000 patients when an employee opened an email that turned out to be a phishing scam. This wasn’t the first time Seton Healthcare had been breached; in 2013 the health system reported the theft of an unencrypted laptop. Since 2007, they had two additional breaches: one again involving a stolen laptop affecting 10,300 patients and a breach by a third-party vendor involving more than 500 patients where member cards were sent out to the wrong members.

St. Vincent Medical Group also fell victim to a phishing attack targeting employees. A statement posted on its website indicated that it discovered an employee's email account had been compromised on or around December 3, 2014. By March 12, 2015, the investigation had determined that the compromised account contained personal health information on approximately 760 patients.

With the ease of phishing and the high returns it achieves, security professionals expect these types of threats to increase in 2015. With health data becoming more valuable to hackers on the black market, and the perception that the healthcare industry is not up to par with other industries on security, healthcare will continue to see an increase in attacks.