Saturday, December 17, 2016

Why hackers love health apps

That handy health app on your phone—the one with access to your medical history, your doctor’s name, even your home address—may be vulnerable to hackers. The fast growth of information technologies in the health care sector has outpaced the industry’s efforts to safeguard them. A report by IMS Health, a research and service provider for health care professionals, showed that more than 165,000 mobile health (or mHealth) apps were available. Many of the apps offer access to users’ electronic health records from doctors or hospitals. 

Hackers particularly love the kind of medical information stored in health apps because it’s harder to change. A stolen credit card number can be cancelled, but medical histories, and the home addresses and Social Security numbers that often go into medical records—these things are hard to change and can therefore be sold for a higher price on the black market.

Few privacy policies and no regulation

Health apps are popular, but not very private. One-fifth of mobile devices in the United States have a health app installed. A study in the March issue of the Journal of the American Medical Association, however, showed that of 271 apps studied, 81 percent did not have privacy policies. Of the 19 percent (41 apps) that did, only four specified that they would seek permission before sharing data with third parties. 

The sale of data collected by the apps isn't regulated. Most health apps are also outside the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA); those rules apply only when the app's developer is a covered entity, such as a hospital or health plan, or a business associate acting on one's behalf.

Federal regulatory agencies need to step in and create patient-information protections for the apps. The most disruptive mobile health apps are those that are patient-facing, meaning apps where information is directly available to users. Such a direct app-patient relationship lacks any professional buffer between the user and the information. As a result, traditional regulation of safety, quality and confidentiality suffers. Until patient privacy is properly addressed for mHealth apps, it's a case of buyer beware.
Here's one ray of hope: data kept on the device itself may be safer than data synced to a cloud service. A phone with device encryption enabled and a strong passcode stores that data securely against loss or theft, and it stays in your hands and under your control. Encryption at rest does not, however, stop an app from sending the data to its own servers; that depends on the app's privacy policy, which is the problem described above.


Tuesday, November 29, 2016

Ransomware is a Chronic Superbug Disease

Look out, healthcare organizations: Ransomware is infecting your facilities. It's your IT and other data systems — not your patients — that are getting sick. Think of ransomware as a chronic superbug threat that simply won't go away. Antivirus tools alone won't catch every variant, and firewalls alone won't stop the disease. In fact, because ransomware is mutating and evolving rapidly, there's no single surefire way to stay safe – or even to minimize the harm.

Medical professionals, such as doctors, nurses, orderlies and lab technicians, are trained in hygiene to protect their own health against a patient’s illness or infection – and to avoid spreading diseases from one patient to another. There are practices designed to protect against human contact, either directly (such as by touching an infected patient) or indirectly (such as by touching a doorknob). There are other practices for protecting against droplets (like coughs) and airborne risks.

The same should be true of anyone in a healthcare organization that touches any computer equipment that’s connected to a network. Bad digital hygiene can result in not only infection of the user’s computer, but can potentially spread infection to the organization’s data center, servers, databases, security systems and even cloud storage services.

The threat is real, and ransomware is the Methicillin-resistant Staphylococcus aureus (MRSA) of today's infectious malware. When a system loads the ransomware code, the malicious software typically does several things:

  • It investigates the system and its network, looking for vulnerabilities, shared drives and other systems to infect
  • It encrypts the user's data, rendering the data inaccessible and often the computer unusable
  • It demands a ransom, payable in a cryptocurrency such as Bitcoin that is hard (though not impossible) to trace, in exchange for the decryption key
  • If the ransom is paid, the data may be decrypted… but the malware itself can remain on the system in a dormant state (at least for a while)

There is no guarantee that this is all that will happen. It could be worse. Nothing prevents the ransomware from also installing a keylogger to capture passwords to protected resources, for example. The malware could spy on the network or provide remote access to IT resources for the attackers. It could steal patient data or other protected information. And… there's no guarantee that even if the organization pays the ransom the data will actually be decrypted. It's not as if you can call the hacker's tech-support line and ask for assistance or a house call if the decryption process fails.
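The encryption stage listed above is the one defenders can see happening on an endpoint. What follows is an added example, not code from the original post: a small detector that scores a stream of file-write events on two signals practitioners actually use, a burst of high-entropy rewrites that also change the file extension (plain documents do not look like random bytes; ciphertext does) and any write to a canary file that no legitimate user should touch. The event stream, paths, canary file and thresholds are constructed for the example; a real deployment would feed it from an EDR agent, Sysmon or auditd.

```python
"""Heuristic detector for the 'encrypts the user's data' stage of ransomware.

Added example, not code from the original post. Events, paths and thresholds
are constructed; a real agent would supply the stream.
"""
import math
import os
from collections import Counter, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class WriteEvent:
    ts: float        # seconds since epoch
    old_path: str    # path before the write (or rename)
    new_path: str    # path after; equals old_path for an in-place save
    data: bytes      # sample of the bytes written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4 for English text, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class RansomwareDetector:
    def __init__(self, canary_paths, window_s=10.0, burst_threshold=5, entropy_threshold=7.0):
        self.canary_paths = set(canary_paths)
        self.window_s = window_s                  # sliding window for counting suspicious writes
        self.burst_threshold = burst_threshold    # suspicious writes per window that raise an alert
        self.entropy_threshold = entropy_threshold
        self._recent = deque()                    # timestamps of recent suspicious writes

    @staticmethod
    def _extension_changed(ev: WriteEvent) -> bool:
        return os.path.splitext(ev.old_path)[1] != os.path.splitext(ev.new_path)[1]

    def process(self, ev: WriteEvent):
        """Return an alert string for this event, or None if it looks benign."""
        if ev.old_path in self.canary_paths or ev.new_path in self.canary_paths:
            return f"CANARY_TOUCHED {ev.old_path}"
        if not (self._extension_changed(ev) and shannon_entropy(ev.data) >= self.entropy_threshold):
            return None
        self._recent.append(ev.ts)
        while self._recent and ev.ts - self._recent[0] > self.window_s:
            self._recent.popleft()
        if len(self._recent) >= self.burst_threshold:
            return f"ENCRYPTION_BURST {len(self._recent)} high-entropy renames within {self.window_s:g}s"
        return None


CANARY = "C:/Users/nurse1/Documents/~canary.docx"   # hypothetical honeypot file


def sample_events():
    """Constructed stream: two normal saves, then a ransomware-style burst and a canary hit."""
    docs = "C:/Users/nurse1/Documents/"
    note = b"Progress note: patient stable, continue current medication. " * 8
    ciphertext = bytes(range(256)) * 4   # stands in for cipher output; entropy exactly 8.0
    events = [
        WriteEvent(100.0, docs + "note1.docx", docs + "note1.docx", note),
        WriteEvent(101.0, docs + "note2.docx", docs + "note2.docx", note),
    ]
    for i in range(6):   # six PDFs rewritten as ciphertext with a new extension in 2.5 seconds
        events.append(WriteEvent(200.0 + i * 0.5, f"{docs}chart{i}.pdf",
                                 f"{docs}chart{i}.pdf.locked", ciphertext))
    events.append(WriteEvent(203.5, CANARY, CANARY + ".locked", ciphertext))
    return events


def run(events, canary_paths=(CANARY,)):
    """Feed events through one detector and collect (timestamp, alert) pairs."""
    det = RansomwareDetector(canary_paths)
    alerts = []
    for ev in events:
        alert = det.process(ev)
        if alert:
            alerts.append((ev.ts, alert))
    return alerts


if __name__ == "__main__":
    for ts, alert in run(sample_events()):
        print(f"{ts:.1f} {alert}")
```

The burst threshold is deliberately a count within a window rather than a single high-entropy write: compressed archives and images are also high-entropy, so one such write is normal, while dozens of them that also rename the file are not. A canary hit needs no window at all, which is why it is checked first.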

Healthcare organizations are huge targets for ransomware. While there are indications that this is deliberate, the vast number of users of hospital systems, the poor computer-security training of those users, and a focus on spending money on new lab equipment instead of new security equipment, can exacerbate the problem.

Saturday, September 10, 2016

Preparing Against Current Healthcare Cybersecurity Threats

The old-school hack attacks tended to be one-offs, measuring sticks for bragging rights as to who had the best skills. Today there is an entirely different motivation: money. This is especially true when it comes to healthcare cybersecurity threats, as covered entities often hold large amounts of sensitive data that third-party attackers find extremely valuable.
Ransomware is the current hot-button issue, but other threats, such as stealing PHI and siphoning off or secretly redirecting reimbursements in the background, are also profit-driven. Juniper Research has estimated that cybercrime will cost businesses more than $2 trillion globally by 2019, roughly four times what it costs today. And therein lies the problem.
Now that there is money in it, the heads of cybercriminal organizations can afford to hire armies of hackers who use technical exploits or social engineering to find a way into healthcare provider or payer networks. Or they can buy ready-made tooling on the Dark Web that does much of the work automatically. There are all sorts of avenues cybercriminals can take to gain entry, which means IT can't protect the entire enterprise alone.
The battle can essentially be broken into two fronts: technology and user.
The technology front
Obviously, this front is primarily IT’s responsibility, although users still have a role to play in it.
At this point, many organizations have their networks and internal technologies reasonably well locked down and can largely control what happens within their four walls. The bigger exposures generally sit outside the core IT infrastructure, beginning with the devices we all carry in our pockets.
If the business supplies smartphones or other devices such as tablets to users, IT can dictate whether (or which) apps can be downloaded, whether PHI can be stored on them and other critical aspects of use.  It can also dictate to users that if a smartphone is lost its contents will immediately be wiped.
Increasingly, however, we are living in a BYOD business atmosphere. While less expensive and more convenient for the business in some aspects, allowing BYOD creates a significant loss of control over which devices are used, how they’re set up, whether they have sufficient security provisions, and how users use them.
Some best practices on the technology side include:
  • Stipulating that if a personal device with access to the network is lost or stolen, IT will immediately wipe it clean. While users may worry about losing personal information, wiping the device will also protect against stolen passwords and credit card information.
  • Disable all external ports (USB ports in particular) that can be used to copy data onto an external hard drive or thumb drive, or to carry malware from an external drive onto the device. IT may even want to disable the data-transfer capability of charging ports on mobile devices, at least for users who travel frequently, or issue charge-only cables or USB data blockers. A fake or tampered charging station (so-called juice-jacking) can try to pull data off a device that trusts the connection, or push malware onto it. iOS asks whether to trust a newly connected computer and recent Android versions default to charge-only, but a hurried user may simply tap through the prompt.
  • Prevent PHI from being downloaded into a device’s storage. That may mean changing technologies, which can be painful but not as painful as a data breach. Look for applications that enable users to view PHI remotely but do not download it onto the device.
The user front
The technology front is the easier one to manage. It is rules-based, and for the most part, IT has control over all the elements within it.  Getting users to become aware of healthcare security requirements and educating them on how to protect themselves (and the enterprise) is far more challenging.  It’s not just a matter of neophytes or technophobes versus experts.
Recently, a cybersecurity expert told a story on the radio about finishing a lecture on that topic. As he walked off the stage he saw a short message asking him to look over a document. He said he was about to click on the link when his Spidey-sense started tingling, and he then realized it was an example of spear phishing.  If an expert can be nearly fooled, it can happen to anyone.
The key to preventing these types of attacks is user education, especially about email and the use of mobile devices. Tell users:
  • Be very careful about opening emails or texts with messages such as “Hey check this out” or “Can you look this over” with no other context. Techniques such as spear phishing play on our natural tendencies to connect or to help others. When in doubt, users should ask a co-worker to review. They should also forward fake messages to IT to make them aware of the issue.
  • Never connect to an unsecured Wi-Fi network in a public location. It may be more convenient to connect directly than to go to the counter and ask for a password, but it's not uncommon for cybercriminals to set up an access point that appears to be provided by the business. Once users join that network, the attacker sits in the path of their traffic: anything sent without TLS can be read or altered, and a fake captive portal or look-alike login page can harvest credentials for future intrusions. A VPN back to the organization, and applications that use TLS properly, reduce but do not eliminate the risk.
  • Don’t react or respond to messages claiming to be from the IRS, FBI or some other government agency – especially if there is an urgent time factor attached to it. That’s not how government agencies operate. Again, the proper reaction is to either delete the email or ask a co-worker to give it a look and forward to IT so they can address any security holes.
  • Never leave downloaded PHI on any device. Lost or stolen devices with PHI become a cornucopia for cybercriminals. Users should close all sessions when they are finished, preferably before they leave the facility. If they are reviewing data remotely, be sure to close the session and the application.
  • Never store passwords unprotected on a device, whether in a notes app, a spreadsheet or browser autofill on an unmanaged phone. Yes, it's inconvenient to enter a password each time users want to access an application, but better that than leaving a wide-open entryway into the network. If the organization provides a vetted password manager, that is the one acceptable place to keep them.

Finally, when it comes to security, users should be pessimistic in their approach. Assume any unusual emails or texts are attempts to breach the network, and any unsecured Wi-Fi networks are being used to steal data.
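The e-mail bullets above describe what a user should notice; the IT team that receives the forwarded message needs to check the same things quickly and consistently. The following is an added example, not code from the original post, that turns those bullets into checks: a Reply-To domain that differs from the sender, a display name that impersonates another address, a vague "look this over" lure, urgency or government-agency language, and links whose visible text names a different host than the real href. All domains, addresses and both sample messages are constructed for the example.

```python
"""Phishing indicator triage for a message a user has reported.

Added example, not code from the original post. Phrase lists, domains and
the two sample messages are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

LURE_PHRASES = ("check this out", "look this over", "see attached", "review the attached")
URGENCY_PHRASES = ("immediately", "within 24 hours", "urgent", "final notice", "will be suspended")
AGENCY_RE = re.compile(r"\b(irs|fbi|medicare|department of justice)\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(text: str) -> str:
    """Hostname of the first URL in text, or '' if there is none."""
    m = URL_RE.search(text)
    return (urlparse(m.group(0)).hostname or "").lower() if m else ""


def triage(raw_message: str):
    """Return indicator strings of the form 'CODE: detail'; empty means nothing stood out."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_dom:
        found.append(f"REPLY_TO_MISMATCH: replies go to {_domain(reply_addr)}, sender is {from_dom}")
    if "@" in from_name and _domain(from_name) != from_dom:   # display name is itself a foreign address
        found.append(f"DISPLAY_NAME_SPOOF: name claims {_domain(from_name)}, address is {from_dom}")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    links = []
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(content)
        links = collector.links
    plain = re.sub(r"<[^>]+>", " ", content)
    text = f"{msg.get('Subject', '')} {plain}".lower()

    if any(p in text for p in LURE_PHRASES) and len(plain.split()) < 40:
        found.append("VAGUE_LURE: short message asking the reader to open or review something")
    if any(p in text for p in URGENCY_PHRASES):
        found.append("URGENCY: deadline or threat language")
    if AGENCY_RE.search(text):
        found.append("AGENCY_IMPERSONATION: claims to come from a government agency")
    for href, visible in links:
        shown, real = _host(visible), _host(href)
        if shown and real and shown != real:   # link text and destination disagree
            found.append(f"LINK_MISMATCH: text shows {shown}, link goes to {real}")
    return found


# Constructed sample: the 'Hey check this out' lure with several indicators present.
SAMPLE_PHISH = """\
From: "helpdesk@hospital.example" <helpdesk@hospita1-support.example>
Reply-To: recovery@mailbox-relay.example
To: nurse1@hospital.example
Subject: Hey check this out
Content-Type: text/html; charset="utf-8"

<p>Can you look this over? Your account will be suspended within 24 hours.</p>
<p><a href="http://hospita1-support.example/login">https://portal.hospital.example/login</a></p>
"""

# Constructed sample: an ordinary internal message that should produce no indicators.
SAMPLE_BENIGN = """\
From: Jane Doe <jane.doe@hospital.example>
To: nurse1@hospital.example
Subject: Shift schedule for next week

Hi, the updated schedule is posted on the intranet under Nursing / Schedules. Thanks, Jane
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, triage(raw) or ["no indicators"])
```

None of these checks proves a message is malicious on its own; the value is in seeing several fire together on a message that a user found odd, which is exactly the "ask a co-worker, forward to IT" loop the bullets describe.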

Wednesday, August 31, 2016

HHS to fund cybersecurity information exchange

HHS will fund an organization for cybersecurity professionals to exchange information about threats to the healthcare industry's information technology systems.

The goal is to allow healthcare and public health sectors and HHS to share information “about cyberthreats and provide outreach and education that improves cybersecurity awareness,” according to a statement accompanying an HHS request for grant applicants on a federal website. By exchanging information, the statement said, providers and public health agencies will be better equipped to respond to cyberthreats.

The funding level anticipated, $250,000 the first year, with the possibility of an extension to cover a five-year period, is not expected to be sufficient to run the center absent outside financial support.

The money is to come from the Office of the National Coordinator for Health Information Technology at HHS and the department's office of the assistant secretary for preparedness and response.

“This coordinated resource will focus on sharing the most up-to-date threat information across the health and public health sectors and will better equip health systems to identify potential threats and further protect electronic health information,” said ONC chief Dr. Karen DeSalvo.

More than eight in 10 respondents (81%) to a recent Modern Healthcare survey of healthcare executives on information technology issues indicated they expect there will be more cybersecurity attacks in 2016 than there were last year, which was the worst year since public records of healthcare data breaches began in 2009.

A recent analysis of healthcare breach data on the “wall of shame” kept by the Office for Civil Rights at HHS determined that since September 2009, Health Insurance Portability and Accountability Act-covered entities have reported 1,560 medical-record breaches that exposed the records of 500 or more individuals. These breaches compromised the records of 158.3 million individuals. Only about 12% of those breaches involved hacking, but those that did exposed more than 111 million records, federal data show.


Friday, July 15, 2016

Leveraging the Human to Break the Cyber Kill Chain

Kill chain is a term the US military uses to describe the steps or stages an adversary takes to attack you; Lockheed Martin adapted it to intrusions as the Cyber Kill Chain. However, one thing organizations have failed to do is leverage their employees to break the Cyber Kill Chain. To date, every diagram or paper I have seen on a Cyber Kill Chain leverages technology to stop attackers, from firewalls and anti-virus to HIDS and SIEMs. Do not forget people; they are a powerful resource to help you and your team. Here is how your employees can help break a Cyber Kill Chain.

  • Reconnaissance: The first step most advanced attackers take is research. Their goal is to learn more about who they want to target and how. Employees often make this too easy by posting a huge amount of information about themselves, including hobbies, travel schedule and their network of family and friends. Quite often the information they post is only small snippets, but when aggregated, bad guys can build an entire dossier on their targets. Teach people, especially those that are targeted, to limit what they post. Every new item they share makes it that much easier for bad guys. In addition, social media is not the only resource bad guys leverage. Teach employees the proper destruction of information (kill the impact of dumpster diving) and the effective use of encryption. The harder we make information to find, the more likely we break this stage.
  • Weaponization: This is where bad guys develop their attack/payload, not much we can do here.
  • Delivery: Lockheed Martin identified the three most common delivery methods as email attachments, websites and USB removable media. Train staff to identify, stop and report phishing. Train people on the proper use of USB media (such as only using authorized devices). The more you train people on all the different methods of social engineering attacks, the more likely they can identify and stop the delivery of these attacks.
  • Exploitation: Even if people fall victim to an attack, their behaviors can stop actual exploitation. First, by keeping systems patched and current, employees make it that much harder for any exploit to work. This is not just for work computers but for mobile devices or even their computers at home (who says APT can't target people on their personal computers?). In addition, even if attackers are successful, what if people detect the exploit and quickly report it? By creating Human Sensors you can react and stop an intrusion before an attacker can move on to other stages.
  • Installation: Same as exploitation, if your devices are patched and properly secured, this can go far in stopping an exploit from installing any malware. Once again, teach employees indicators of compromise AND how to report them, building out your network of Human Sensors.
  • Command / Control: Not much employees can do to prevent this stage, but once again if we develop the Human Sensor they can identify and report this stage.
  • Actions on Objectives: There are so many behaviors that employees can follow that help break this stage including; proper use of encryption, destruction of data, unique passwords for all accounts, using only proper systems for sensitive data, and secure use of Cloud. Finally, at the risk of sounding like a broken record, develop that Human Sensor.
There is no single solution when dealing with targeted attacks. However, by leveraging people, you can increase your chances of breaking the Cyber Kill Chain at numerous stages.


Thursday, July 7, 2016

Why Healthcare Should Sweat ‘The Small Stuff’ When it Comes to Health Data Security

In the years since the passage of the 2009 HITECH Act, more than 30 million people in over 900 separate cases have been affected by breaches of protected healthcare data. HITECH requires covered entities to report to HHS any breach affecting 500 or more individuals, and HHS publishes those reports, but these numbers alone do not tell the whole story. In a report to Congress, HHS disclosed that approximately 165,000 additional victims had been involved in ‘smaller incidents’ that fell below the 500-victim threshold.

The Ponemon Institute calculated that data breaches are costing the healthcare industry roughly $5.6 billion annually ─ and the Identity Theft Research Center reported that healthcare data breaches accounted for almost half of major incidents reported across all industries (the first time healthcare has topped their list).

Several recent events have sharpened the concern:
  • The turbulent rollout of public health insurance exchanges with many questioning the amount of focus dedicated  to ensuring their security
  • Discovery of the Heartbleed bug, which caused massive vulnerability across the Internet and sent millions of consumers scrambling to change their online login credentials
  • The theft of 4.5 million patient health records from Community Health Systems (CHS), reportedly made possible by Heartbleed. This was, at the time, the second largest breach of health records ever in the U.S., and it has many in the healthcare industry fearfully anticipating future attacks made possible by information stolen through the vulnerability
  • Hackers breached the Healthcare.gov website and left behind malicious software. Though no patient data was believed to have been taken, many worry about further attacks as a new enrollment period approaches and the exchange is flooded with new patient information

What are criminals stealing?
  • Criminals are targeting social security numbers (which in turn are used to steal identities) and creating fraudulent credit cards, passports, and bank accounts
  • In other instances, the goal is electronic Protected Health Information (ePHI) or Electronic Medical Records (EMRs) which provide criminals with the information needed to fraudulently receive healthcare services under the guise of being insured – an $80 billion per year problem for the public insurance sector alone

A Large Target Just Got Larger
In December, HHS proposed a new rule that would widen the amount of information shared as part of the Medicare Shared Savings Program (including ACOs) and “streamline access to such data to better support program and ACO function and goals…”  As shown below, this new rule includes not only the beneficiary’s name, date of birth, health insurance claim number and sex, but four other categories of information, including:

  1. Demographic data, such as enrollment status
  2. Health status information, such as risk profile and chronic condition subgroup
  3. Utilization rates of Medicare services
  4. Expenditure information related to utilization of services

Industry Regulators and Other Healthcare Stakeholders Take Action
  • In 2015, the HHS Office for Civil Rights (OCR) began a random audit program not only of covered entities, but also business associates – expanding their focus from providers to the broader healthcare landscape
  • The New York State Department of Financial Services announced it will introduce stringent cybersecurity standards and will begin performing targeted assessments and reviews of insurance companies (which will likely impact healthcare payers)
  • The National Health Information Sharing & Analysis Center (NH-ISAC) and Center for Internet Security (CIS) announced a partnership to improve and strengthen nationwide cybersecurity measures for the healthcare industry, including a focus on medical devices

Standing alone, these measures will not be sufficient to combat this criminal threat, but they are the beginnings of an alignment between regulatory and technology-based solutions that will mature over time.


Saturday, June 25, 2016

Cybercriminals Target Healthcare for Higher Returns

Healthcare is a major target for cybercriminals as medical information is 10 times more valuable in the black market, a report says.  According to the 2015 report, the healthcare industry sees 340 per cent more security incidents and attacks than the average industry.

The proliferation of electronic health records creates a data-heavy environment, while networks comprising thousands of providers present an enormous attack surface.  The report said one in every 600 attacks in the healthcare sector involves advanced malware.

Also, the sector is 74 per cent more likely to be impacted by phishing schemes as lack of effective security awareness training and employee security awareness programs often compounds the danger of increased attempts, resulting in more security incidents.

Many health organizations lack the budget and the administrative, technical or organizational skills necessary to detect, mitigate and prevent cyber-attacks and advanced malware. This presents a significant threat to healthcare infrastructure, the report said.

The rapid digitization of the healthcare industry, combined with the value of the data at hand, has led to a massive increase in the number of targeted attacks against the sector. While the finance and retail sectors have long honed their cyber defenses, research illustrates that healthcare organizations must quickly advance their security posture to meet the challenges inherent in the digital economy - before the sector becomes the primary source of stolen personal information.

Wednesday, June 15, 2016

HealthCare Security

Healthcare Security: Moving Forward

Following the recent data breaches, data security is back in the national spotlight. Healthcare data breaches not only create financial vulnerabilities for companies and consumers, but they can also pose serious medical threats if the medical histories of affected patients are tampered with. While healthcare data breaches have not received as much media attention, they could have a much greater personal effect than hacks perpetrated in other industries.

What Makes Healthcare Data so Vulnerable?

Although data breaches in any industry pose great threats, healthcare data breaches have the potential to inflict greater financial and personal consequences on clients and companies. Here are some of the main concerns when it comes to healthcare breaches.

1. Health companies face unique challenges in transferring health records securely.
Many healthcare companies are still inexperienced in maintaining secure transfers of their Electronic Health Records (EHRs), and consequently their records may be more vulnerable. While some of these companies may have the technology needed to create secure records, others still lack the security practices needed to withstand trained hackers.

2. Healthcare companies need to refocus their infrastructure to protect against breaches.
Many healthcare companies are still learning how to protect and prevent against data breaches. Unlike credit card companies and banks that have established measures of quickly recognizing fraudulent activity and putting a stop to it, healthcare companies can take months to notice errors—if they notice them at all.

Cybercriminals tend to think of healthcare organizations as soft targets. Historically, they haven’t invested much in IT, and security specifically. Knowing that healthcare companies are seen as easier targets should give these companies the necessary motivation to improve their security practices.

3. The consequences of healthcare breaches are much more severe.

While the consequences of identity theft can be expensive and frightening, the impact of a healthcare data breach is often more expensive and may even have the potential to be lethal. According to estimates found in CSO’s recent article, “The average profit [for healthcare identity theft] per record is $20,000—compared to just $2,000 for regular identity theft.” This estimate is just one of the reasons that healthcare data breaches pose more threats to individuals.

In addition to the financial threat, many hackers of healthcare records are tampering with these medical records in order to make a higher profit (mostly through the reselling of prescription drugs). While the consequences of hacks related to accessing and selling drugs seem obvious, there is also potential for these hacks to lead to life-threatening changes on medical records (including past surgeries, allergies, and drug interactions) posing a great threat to your medical care in an emergency.

What Can Healthcare Providers Do?

Healthcare companies have sometimes neglected to deploy even the most basic enterprise security measures. Without proper security checkpoints, these companies make themselves more vulnerable to hacks and potentially put their clients’ most important data (social security numbers, medical records, credit card information) at great risk.

Calling All Healthcare Organizations

The healthcare industry is generally about 10 years behind the financial services sector in terms of protecting consumer information.  This severe security lag causes healthcare organizations to lose credibility and client trust—not to mention the immense financial costs of devastating attacks.

In order to avoid these attacks in the future, healthcare organizations must take this opportunity to begin prioritizing better security practices and improve the face of healthcare security from here on out.



Sunday, June 5, 2016

A Primer on Risk and Security Awareness

We talk a lot about human risk in the world of security awareness, but rarely have I seen it defined, especially at a high level that anyone can understand. As such, I wanted to take a step back and give you a simple overview of what exactly risk is, and the role security awareness plays in enabling organizations to manage it.

  1. Security: Let's start with the basics, what exactly is security? Simply stated, security is managing risk.
  2. Managing: So, what do we mean by managing? There are three ways you can manage risk; you can reduce risk, you can accept risk or you can transfer risk (insurance). Security vendors help you reduce risk. Acceptance of risk is primarily an internal process, while transfer of risk is an entirely different field (insurance). One thing you can never do is eliminate risk.
  3. Risk: So what is risk? At the most general level risk is defined as the probability of an incident times the harm of an incident. The greater the likelihood something bad will happen, the greater the risk. The greater the impact from an incident, the greater the risk.
  4. Cyber Security Risk: In the world of cyber security we use the same model but break it down one step further. Specifically, we define risk as Vulnerabilities x Threats x Impact. It's the same model; all we did is break down probability into two variables, vulnerabilities and threats. The more vulnerabilities you have, the more likely you will have an incident. The more threats you have, and the more motivated, skilled or well-resourced they are, the more likely you will have an incident.
  5. Security Awareness: So where does security awareness fit in? Security awareness is the specialty of managing human cyber risk. Instead of using technology to manage risk, we leverage employees. Keep in mind, security awareness does not only address deliberate threats but also accidental threats, in other words trusted employees and staff that accidentally cause harm.
  6. Behaviors: So what do we train people on, how does security awareness manage human risk? By changing people's behaviors. Through behavior change you can reduce any one of the three variables that create risk. For example, teach people how to identify a phish, and they become less vulnerable. Teach people how to spot an insider, and you reduce threats. Teach people how to use encryption, and you reduce impact. The goal of awareness is to reduce human risk, and we do that by changing people's behaviors.
  7. Culture: Where does culture fit in to this? Culture is not just how people behave, but their attitudes, perceptions and norms. This is not only more difficult to change, but more difficult to measure. Ultimately you want an organization that has both secure behaviors and secure culture. However focus on behaviors first. Not only are behaviors easier to change and easier to measure, but changing behavior is the path to changing culture. Finally, just because an organization has a secure culture does not mean it has secure behaviors. For example, you can have employees who believe and understand that security is important, so they focus on locking the front door to the building while happily sharing passwords with the person from 'tech support' on the phone.

So there you have it, a short, simple primer on what security awareness is and the role it plays in helping organizations manage risk.

Tuesday, May 24, 2016

Partnering With HR to Prevent Breaches

To help prevent breaches involving insiders, Health System's IT team works closely with the organization's human resources department and various business managers. Together, they determine who needs access to patient information and other sensitive data based on their precisely defined role.

Partner with the human resources department to clearly establish job roles and titles that are consistent across the enterprise. That helps ensure that, for instance, someone in the job category of "nurse level 1" in one part of the organization has exactly the same job and function as someone in the same category who works in another section of the organization, especially when the enterprise encompasses several medical centers as well as a variety of specialty care clinics.

Work closely with HR to clearly define those job roles, and it becomes a much easier proposition to enact role-based access control. So, when someone is hired at a "nurse-1" level, the access they get "is pre-defined, embedded in the business, that is appropriate for a nurse 1". Any additional access outside of that has to be requested by their manager. That request is then passed on to the identity and access management team, which logs any additional access granted in the organization's systems as an exception.

Taking all these steps helps avoid situations we've had in the past, where someone's hired and the hiring manager asks for the new hire to have the same level of data access as a more senior or higher-level nurse who's been working at the organization for many years. Carefully controlling data access based on pre-determined job roles can help avoid, for example, a new hire gaining access to patient data that's more appropriate for a nurse manager.

Security professionals also must work with various business unit managers to adjust data access privileges based on workers' changing roles. In the past that was viewed as an IT activity. We're starting to pivot on that now, partnering with the business and making them understand that they are responsible for the access levels of their employees.


Managers now must, on a periodic basis, conduct data access reviews for each of their employees. If any data access is determined to be inappropriate, the IT provisioning team takes action to make access commensurate with actual job duties.
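The provisioning model described above, as an added example that is not the Health System's own code: a new hire receives exactly the HR-defined baseline for their role, anything beyond it must be requested by the employee's manager and is logged as an exception, and a periodic review separates baseline access, logged exceptions and unexplained grants that the provisioning team must remove. Role names, entitlements and employees are constructed for illustration.

```python
"""Role-based access with HR-defined baselines, logged exceptions and review.
Added example; all roles, entitlements and people below are constructed."""
from dataclasses import dataclass, field

# Baseline entitlements per HR job role (constructed sample data).
ROLE_BASELINE = {
    "nurse-1": {"ehr.read.assigned_patients", "email"},
    "nurse-manager": {"ehr.read.assigned_patients", "ehr.read.unit",
                      "email", "staffing.write"},
}

@dataclass
class Employee:
    name: str
    role: str
    manager: str
    access: set = field(default_factory=set)

# Exceptions recorded by the identity and access management team.
EXCEPTION_LOG = []  # entries: (employee, entitlement, requested_by)

def provision(emp: Employee) -> set:
    """On hire, grant exactly the baseline for the HR role, nothing more."""
    emp.access = set(ROLE_BASELINE[emp.role])
    return emp.access

def grant_exception(emp: Employee, entitlement: str, requested_by: str) -> None:
    """Extra access must be requested by the employee's manager and is logged."""
    if requested_by != emp.manager:
        raise PermissionError(f"{requested_by} is not {emp.name}'s manager")
    emp.access.add(entitlement)
    EXCEPTION_LOG.append((emp.name, entitlement, requested_by))

def access_review(emp: Employee) -> dict:
    """Periodic manager review: classify every entitlement the employee holds."""
    baseline = ROLE_BASELINE[emp.role]
    logged = {e for (n, e, _) in EXCEPTION_LOG if n == emp.name}
    return {
        "baseline": emp.access & baseline,
        "exceptions": (emp.access - baseline) & logged,
        "unexplained": emp.access - baseline - logged,
    }

def remediate(emp: Employee) -> set:
    """Provisioning team action: strip access with neither a role nor an exception."""
    removed = access_review(emp)["unexplained"]
    emp.access -= removed
    return removed
```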

Saturday, May 14, 2016

A Successful Security Awareness Organization Architecture- Identifying Key Behaviors

Identifying Top Three Problems within an Organization

The first step in making a security awareness organization architecture is to identify what the top three user behaviors are that present the most risk and vulnerability to an organization. Think about it, if your car broke down on the side of the road with a flat tire, a broken sunroof, and a missing cup holder are you going to fix the cup holder first? Of course not! Same applies when revamping your security awareness architecture. Start with the biggest problem and then work your way through the list.

The 12 Key Behaviors Analysis

Over the years, when organizations are asked what their top problem behaviors are, some unique, and sometimes amusing, answers have come up, but more often than not the answers fall into one of the 12 following categories.

1- Call help desk more quickly to report a potential problem or possible attack.
2- Properly handle and dispose of PII
3- Stop visiting unapproved / potentially dangerous sites while at work.
4- Stop using email for abuse or inappropriate purposes.
5- More resilient to phishing attacks
6- Create stronger passwords
7- Be aware of abnormal or suspicious behavior in the workplace
8- Be secure when working remotely
9- Be more aware of mobile devices, laptops, and/or tablet security threats
10- Give out less information online and on social networking sites
11- Be more aware of secure settings and computer behavior when browsing the internet
12- Be more aware of shoulder surfing and making sure doors are properly shut behind them.

Each of these categories represents a very real, and very fixable, problem within any organization, but the key is identifying the top three. Identifying the top three enables you to prioritize and get the most out of your efforts rather than trying to take on the whole world at once. Also, some of the smaller problem behaviors may be a side effect of larger issues and will therefore decrease when the larger issue is resolved.

Who To Evaluate

Now that we know what we need to ask, the next question is who has that answer, and how do we make sure we don’t get a biased response or get sent on a wild goose chase? For example, imagine that Bob had a horrible experience with identity theft and happens to be the head of IT. When you ask him what the top 3 problems are, you get the following:

1-    Properly handle and dispose of PII
2-    Give out less information online
3-    More resilient to phishing attacks

Later you find that the real issues are
1-    Create stronger passwords
2-    More resilient to phishing attacks
3-    Call Help Desk

This is a problem with any survey-type analysis, but the way to resolve it is to ask more than one person. For the purposes of our task we want to ask the stakeholders. The stakeholders give you an idea of what the top 3 overall (not department-specific) problem behaviors are within the organization. Furthermore, as a group, the influence of one person's bias or bad experience is minimized, giving a more complete overall picture.


Now that the top 3 have been narrowed down, it’s time to go to the CISO to ask (1) why those problems present a major issue to the company, (2) what the current training environment is doing to address them, and (3) what measurements are in place to look at the success or failure of those efforts.

Sunday, May 8, 2016

Five Healthcare Security Training Expert Tips

The need for wholesale data security training changes in healthcare is evident, irrespective of whether it’s educating non-IT clinical staff members on HIPAA basics or further education for IT professionals. Most healthcare pros will agree that the usual methods, such as annual training classes, aren’t well-suited for current technologies and compliance requirements. There isn’t a proverbial silver bullet to fix the security gaps within healthcare organizations, but there are some success stories that experts have shared. These five lessons learned can be helpful for those looking to just tweak or even revamp their security training procedures.

1. Top-down approach improves user awareness
To ensure that staff abide by required protocols and procedures, regularly educate and update staff members on the importance of appropriate BYOD practices. The seriousness of safeguarding sensitive data needs to be conveyed from the top down:
Maybe on a quarterly basis, roll out the program again, remind people what the protocols are that they should be following, and reward people for improving procedures in their departments, making it a visible part of the organization so that everybody knows that the company takes security very seriously, so they should, too.

2. Have a training model in place
Having an educated workforce that’s aware of cybersecurity risks is critical to mitigating risk. Since getting that awareness and education out there is incredibly important, NH-ISAC is developing a national healthcare and public health cybersecurity education framework that will provide training and education. It’s using the National Institute of Standards and Technology (NIST) cybersecurity framework as a foundation to help define healthcare, role-based cybersecurity education. Whether the employee is an informatics nurse or an X-ray technician, the framework makes security roles and responsibilities relevant to their specific job instead of taking a broad approach.

3. Engage the user to help avoid human error
Another aspect of helping staff members in a healthcare organization avoid human error is consistent engagement. Focus on educating non-IT people such as doctors and nurses, because healthcare has it the worst when it comes to securing data. In healthcare, so many different people have access to protected health information (PHI) for so many varying reasons and from various locations.

4. Continual training is necessary
The healthcare industry needs greater awareness among users dealing with protected health information and a different training model because the current “class” model isn’t working.

The problem with security training is that many of the techniques are focused on orientation training, an annual refresher, or a computer-based training (CBT) module. For the most part, one-time or yearly training isn’t very effective in changing workforce behavior on a day-to-day basis. Users don’t tend to learn in one-time scenarios; instead they incorporate best practices into their habits or workflow when they see the learning points on an ongoing basis or in some continuous way.

HIPAA includes points about periodic training or offering security best-practice reminders, and that’s why the Office for Civil Rights (OCR) focuses on what kind of training organizations are doing. OCR considers documented annual training acceptable. But if you really want to make a difference in your organization in terms of the human errors that people make, or how people think about security as part of their workflow, it comes down to providing a constant stream of security awareness and reminders throughout the year so that it becomes second nature.

5. Train the security pros early on

Universities need to focus on the talent shortage and find a good way to train and teach people security basics, not only from an end-user perspective, but also how to take all these different controls and put them into practice. The core pieces of cybersecurity education as they relate to healthcare have a few different focuses. Covering healthcare and its regulations is part of it, but the next generation of the workforce also needs to be taught so that cybersecurity students understand the technology and how it actually works. That lets them make judgment calls when they use a risk-based approach, and secure critical infrastructure more effectively across all types of industries, including healthcare. Everyone needs to know what’s going on in the industry.

Wednesday, February 24, 2016

6 Most Common Types of Healthcare Data Security Breaches


With all of the media hype around breaches, and pressure from your stakeholders to avoid being the next headline, it is easy to focus too much on one or another type of breach, perhaps the one that caused the latest headline. This risks missing many other common types of breaches, and being blindsided by a breach you did not anticipate and are therefore unprepared for. These are six of the most common types of data security breaches in health and life sciences organizations.


  1. Cybercrime Hacking: in this type of breach an external hacker accesses your organization's network and obtains unauthorized access to sensitive patient information. A common example of this type of breach starts with the hacker spear-phishing a worker in your organization, resulting in that worker clicking on a malicious link, and leading to a drive-by download of malware. The malware then proliferates inside your intranet and key-logs the database administrator's database credentials, at which point it turns into a bot that logs into your database containing sensitive patient data and exfiltrates this data "low and slow" to evade detection.
  2. Loss or Theft of Mobile Device or Media: in this type of breach a worker either loses or has stolen a mobile device or media containing sensitive patient data, resulting in potential unauthorized access to that data and a breach.
  3. Insider Accidents or Workarounds: in this type of breach a worker performs a well-intentioned action that results in unauthorized access to sensitive patient information. A common example of this type of breach involves a worker emailing unsecured sensitive patient information, resulting in potential unauthorized access to this information, and a breach. This type of breach can involve the use of either corporate or BYOD devices by workers.
  4. Business Associates: in this type of breach a third party organization contracted by your organization experiences a breach event involving unauthorized access to sensitive patient information. In this case the patient information impacted originates from your organization and was previously shared for the purpose of the third party organization fulfilling its contractual obligations. In the United States these entities are known as Business Associates, while in Europe they are typically referred to as Data Processors.
  5. Malicious Insiders or Fraud: in this type of breach a worker performs a malicious action that results in unauthorized access to sensitive patient information. This could be a disgruntled worker, or done for the purpose of committing fraud. A common example of this type of breach involves medical claims fraud, where a worker files dishonest healthcare claims in order to turn a profit, or sells sensitive patient information on the black market. Prescription fraud and financial fraud are other examples of this type of breach.
  6. Insider Snooping: Insider snooping involves a worker accessing the records of patients of your organization without any legitimate need to do so, for example where a patient is not under the direct care of the worker.
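Detection logic for the insider snooping case above, as an added example that is not part of the original post: chart views are compared against the patient's care team, and any view by a worker with no treatment relationship is flagged for review. The audit log format, the care-team table and all user and patient identifiers are constructed for illustration.

```python
"""Flag EHR chart views by workers who are not on the patient's care team.
Added example; the log lines, care-team table and identifiers are constructed."""
import re
from collections import defaultdict

# Constructed EHR audit lines: timestamp, user, action, patient id.
AUDIT_LOG = """\
2016-02-20T08:01:10 user=nurse_kim action=view_chart patient=P1001
2016-02-20T08:03:42 user=nurse_kim action=view_chart patient=P1002
2016-02-20T08:05:00 user=dr_lee action=view_chart patient=P1001
2016-02-20T12:30:15 user=clerk_ann action=view_chart patient=P1003
2016-02-20T12:31:07 user=nurse_kim action=view_chart patient=P1003
2016-02-20T12:31:09 user=nurse_kim action=view_chart patient=P1003
2016-02-20T12:40:00 user=nurse_kim action=logout patient=-
"""

# Constructed care-team assignments: patient -> workers with a treatment relationship.
CARE_TEAM = {
    "P1001": {"nurse_kim", "dr_lee"},
    "P1002": {"nurse_kim"},
    "P1003": {"dr_lee"},
}

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)

def parse(log: str) -> list:
    """Turn audit lines into dicts; lines that do not match the format are skipped."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events

def find_snooping(log: str, care_team: dict, exempt: frozenset = frozenset()) -> dict:
    """Return {user: {patient: view_count}} for chart views with no care relationship.

    'exempt' holds accounts whose job legitimately touches any chart (registration,
    release of information). Care-team data can lag real assignments, so treat hits
    as leads for the privacy officer to review, not as automatic sanctions."""
    hits = defaultdict(lambda: defaultdict(int))
    for ev in parse(log):
        if ev["action"] != "view_chart" or ev["user"] in exempt:
            continue
        if ev["user"] not in care_team.get(ev["patient"], set()):
            hits[ev["user"]][ev["patient"]] += 1
    return {u: dict(p) for u, p in hits.items()}
```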

Sunday, January 31, 2016

Security Awareness and the New Hire Process

A common problem many organizations face with their security awareness program is the new hire process. They are tasked to train and secure new hires, but often have very limited time and resources to do this (sometimes no more than 15 minutes to 'secure' each new hire during the initial on-boarding). In addition, new hires are bombarded and overwhelmed with everything else they are learning, including healthcare, how email works, how their new computer works, expenses, etc. I have had great discussions about this challenge in the last few months and this is what I came up with to do what we are asked to accomplish.

  • Do not try to secure your new hires during the on-boarding process. It’s too much information in too little time, and the new hires can’t remember it all anyway.
  • Instead of focusing on policies and behaviors, focus on laying a foundation. Make sure new hires understand your organization takes security seriously and the important role they play (technology can't stop everything), and set expectations for what they will learn through the security awareness program. Explain what and who the security team is, how the security team will be communicating with them, and what the new hires can expect training-wise over the next six months.
  • If your awareness program uses a certain brand, mascot or logo, show this to the new hires and explain to them that whenever they see this brand, it's part of the security program.
  • Finally, make sure they know who and how to contact the security team and where they can learn more.

Ultimately the new hire process is not about securing employees, but building a relationship with them, ensuring they understand the importance of security, and explaining to them what to expect in the coming months.