Wednesday, August 29, 2018

Why Security Awareness Training in Healthcare Must be Part of Your Security Strategy #7


A Healthy Team
Over 112 million individuals have had their personal data records exposed through healthcare industry breaches. According to Experian, the financial losses to the healthcare industry were around $5.6 billion. But it isn’t just about the financial costs of lost data and the fines imposed. This is about patient care and the ethics that the healthcare industry is bound by. Of all industries, healthcare is, by the very nature of the job, a caring industry. Creating a culture of security through education will improve the standing of the industry as well as ultimately protect against financial losses.

But the security landscape is constantly changing. Cybercriminals are always upping their game to find new and innovative ways of exposing our data. Security awareness training is an ongoing exercise; it is about continuously improving the knowledge base of your extended team and giving them an understanding of what they are up against. A healthy security awareness program will create a healthy industry. Security awareness is a team effort. It gives us the tools to create a highly educated workforce where cyber-security threats can be dealt with by all as a team, before they become a breach.

Tuesday, July 24, 2018

Why Security Awareness Training in Healthcare Must be Part of Your Security Strategy #6


Getting Results and the Analysis

No security awareness program is complete without analysis of the training program and the outcome. Collating metrics and analyzing the results will show you how effective your campaign has been. This will give you the insight into any changes you may need to make to the program to improve the training; for example, changing the modules used.

Reporting can also provide evidence of return on investment that can be used to justify your use of security awareness training to C-level executives.

Saturday, June 16, 2018

Why Security Awareness Training in Healthcare Must be Part of Your Security Strategy #5

5. How to Set Up a Security Awareness Program in a Healthcare Environment

Now that you have the buy-in from your extended team, you need to think about the co-ordination and setting up of your training program. Security awareness programs don’t have to be complicated to arrange. Automation is the key to success in managing these types of operations. Security awareness is a program that has to cater for a wide demographic. To ensure the effectiveness of security awareness training it needs to be palatable – with usability and accessibility of the training modules being key. It also has to have a high degree of reinforcement through continued and regular training sessions that closely mimic real-life security scenarios. Security awareness programs are specifically designed to help you make the process of on-boarding and engagement in your awareness training as easy as possible. Enrollment and customization are key features of an effective program. Being able to enroll your users and start security awareness training from a centralized cloud management interface makes it easy to set up a training program. It also gives you effective administration for continued training.

Automation then kicks in and starts the training, serving the training modules to your user base in a way that is easily digestible and that engages, even the least technical of your team. To summarize, the prerequisites for setting up an effective security awareness training program are:

  • Easy enrollment
  • Good choice of modules to create tailored training packages for staff
  • Automation of training packages to user base
  • Continuation and repetition of the tailored packages
  • Reporting and analysis to continually improve education

Thursday, May 17, 2018

Why Security Awareness Training in Healthcare Must be Part of Your Security Strategy #4


4. How to Sell Security Awareness to Your Stakeholders
We all know members of staff who grumble at anything outside of their immediate job remit. But because of legislation and the increasingly threatening nature of modern cyber-security, being security-aware is part of the role of a healthcare worker. All of us have the duty of caring for patient data. So how do we engage staff in the process of security awareness?

Security awareness training packages, if done well, will be configured to engage staff—engagement results in better understanding. Security can be a dry area, difficult to drum up interest in. However, a well-designed security awareness training package can be configured to work within the context of your organization to create tailored training campaigns—specific to your needs.

One of the ways that you can make sure that your team is benefiting from the sessions is to make the training interactive and unobtrusive. People can get irritated when their workday is interrupted, so offering ‘security over lunch’ or “brown-bag training”, which is an informal and less intrusive way of learning about security, can be highly effective. Another area that helps to focus training and make it highly relevant is to tailor the training campaigns to a person’s role in the organization.

Keeping security relevant and making it part of the normal program of workplace onboarding and training in your organization will make it an easier all-round sell to your extended team.

Ultimately, security threats need to be accepted as a serious issue across healthcare. This means engagement across your organization: from your top-level management, across all major departments, and ultimately by the people who will be trained – your workers. The fundamental message to bring them on board with is that understanding how cyber security is a threat, how that threat works, and how to mitigate that threat as an individual will benefit both themselves and the organization as a whole.

Sunday, April 29, 2018

Why Security Awareness Training in Healthcare Must be Part of Your Security Strategy #3


3. Who Are the Stakeholders Involved in the Training?
Security is about people. The human touch point is often the weak link in the chain. Cyber-threats take advantage of this by utilizing social engineering, as seen in the rise of phishing as a vector for attack. Security awareness is your tool in the fight against social engineering. But security awareness is also much more than this. It creates a level playing field for your entire workforce and beyond, creating a ‘culture of security’.

With the addition of HITECH Section 13407, the number of stakeholders that need to be incorporated into a security-aware environment has been extended to cover all business associates that may have an interaction with personal data and PHI. This creates a highly diverse group, or eco-system, of stakeholders who are required to have a good understanding of the healthcare security landscape. This knowledge base then allows adherence to the tenets of the HIPAA and HITECH security rules. The end result of a security awareness program that encompasses all the possible players is an umbrella of security and privacy respect that will have positive outcomes across the entire eco-system.

Identifying who your key stakeholders are is the first part of the exercise in security awareness training. As mentioned previously, this has become a highly extended eco-system of players, brought into place by changes in the legislation governing information security in healthcare. Setting out who the players are will help guide your training exercise. As a starting point, the following list gives you an overview of the types of people involved in training:

  • Front desk workers
  • Administrators
  • IT and tech staff
  • Medics, including nurses, consultants and related roles such as social workers
  • Transcriptionists
  • Healthcare call center workers and managers
  • Medical claims handlers
  • Laboratory technicians
  • Researchers

Don’t forget: There needs to be a specific plan for bringing new employees on board, rather than waiting for the next security awareness training exercise. This will get them quickly up to speed and create a mind-set of security and privacy as they enter their post.

Sunday, April 8, 2018

Why Security Awareness Training in Healthcare Must be Part of Your Security Strategy #2

2. Why Do You Need Security Awareness Training in Healthcare?

Security and privacy cut across a number of legal frameworks within the USA. There is a good deal of general legislation and guidelines that cover data protection and privacy and some that are more focused on healthcare. The USA has a mosaic approach to data protection with no overarching federal law to cover the security issues surrounding personal information. There are two main areas of healthcare legislation that cover the protection of personal data or protected health information (PHI): the Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH). The two acts work in unison to cover the security expectations of the whole healthcare eco-system, extending outwards to healthcare providers’ business associates. Together, the acts set requirements to disclose data breaches, which are:

HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414: The rule requires that any breach of PHI must be disclosed to both patients and the government (breach meaning unauthorized use or disclosure of data). There are some nuances around the formal classification of a breach, but with the introduction of the HIPAA “omnibus rule,” which requires a risk assessment before an incident can be classed as a “low probability” of exposure, the chances are you will have to declare the breach.

HITECH, Section 13407, is enforced by the Federal Trade Commission (FTC). The act allows the data protection rules to be extended to all entities not specifically covered by HIPAA: for example, the extended business associates of healthcare providers, where a business associate is anyone, such as contractors and sub-contractors, who is involved in any health-related data handling.

Security awareness in healthcare cuts across many layers. As well as the legislative drivers that demand security awareness, a healthcare team approach to security is driven by:

Ethics: Healthcare has by definition a layer of ethics attached to the practice. Healthcare data and in particular PHI are part of the ethical layer that all of us expect to be respected. We all, at some point, share health information with medical practitioners, so there is a personal element to the ethics of data protection as well as an organizational benefit.

Risky behavior is very common: A study by Cisco found that risky security behavior was almost the norm in an organization, with many respondents admitting to putting data at risk at work. Improvement of behavior towards security as an issue is a key selling point, especially to C-level executives who need to oversee a company-wide security strategy.

Benefits of security awareness: The whole organization and individuals benefit from being security-aware. Individual workers can “do their bit” by thwarting cyber-attacks. As cyber-threats against healthcare become more prevalent, the inclusion of everyone in the security equation is ever more important.

The climate of increasing threats against healthcare coupled with the need for legislative compliance makes healthcare a key industry for security awareness training. Creating an educated workforce that understands the implications of cyber-security on them and the industry is part of the overall healthcare security strategy. This is only compounded by the human element present in the most successful security threats, which are based on social engineering, e.g., phishing.

Monday, March 26, 2018

Why Security Awareness Training in Healthcare Must be Part of Your Security Strategy #1


1. What is Security Awareness Training?
The healthcare industry is arguably one of the most information-intensive. Personal health data is part of a critical pathway that impacts our everyday lives and health. The integrity and confidentiality of these data are paramount, not only for individual well-being but for continued innovation within the industry.

Being part of the big data revolution, at a time when the landscape of cybercrime has never been so threatening, has meant that the healthcare industry is a prime target for cyber attack. The FBI gave out a warning that the healthcare industry was neglectful in its attitude to cyber-security threats when compared to other industry sectors. The result of this is borne out in evidence which shows that the healthcare industry was the most frequently attacked industry. This is likely due to the unique position that the healthcare industry finds itself in: Healthcare faces a gap between handling the massive data generated by the wider industry, and understanding and mitigating the threats posed by cybercrime.

The situation is also compounded by the speed at which technology is changing. New ways of generating sensitive information are entering the information arena. According to research by PWC, 86% of clinicians believe that mobile apps will be an important part of patient health management in the next few years. And the entry of the internet of things into healthcare adds a new layer of data protection previously not experienced.

With all of these variables coming into play, we need to take a pro-active stance and build a program of security awareness. Security awareness uses education and knowledge to tackle the specter of security threats, in all their forms. Security awareness covers the whole gamut of security and builds up a knowledge base across your extended workforce around security issues that they can call upon to help mitigate risks. Security awareness training brings everyone in the organization together under an umbrella of training. It ensures that the playing field of knowledge around cyber security threats is level. Security awareness is about:

  • Creating a culture of pro-active security—understanding what is happening in the wider security landscape, such as the significance of phishing
  • Creating a respect for individuals’ privacy
  • Knowing what protected health information (PHI) actually is and why it needs to be protected
  • Understanding that security is part of the whole organization and impacts everyone
  • Knowing which security and privacy rules apply to healthcare and what impact they have

Done well, security awareness training can become as integral a part of your overall security strategy as the technology you use to prevent the cyber attacks.

Tuesday, February 27, 2018

Healthcare Blockchain


Many healthcare organizations are currently experimenting with blockchain. As use cases are defined and prototypes created, a key step is to decide what sensitive data goes on chain (types of information and volume) and what doesn't. Healthcare security teams need to be an integral part of this process.

One of the merits of blockchain is the immutability of blocks on the chain, or in other words built-in protection of the integrity of information stored in blocks in the blockchain. Any removal of a block, or tampering with the information stored within a block, is easily detectable. This ensures that the information on the blockchain is accurate, or at least as accurate as what was submitted for storage on the blockchain. Combined with timely and complete submission of accurate information into new blocks added to the blockchain, this ensures that the information on the blockchain is accurate, complete, and up-to-date. It also ensures that once information is added to the blockchain it cannot be removed, changed, or redacted.

Blockchain also brings availability benefits in the form of decentralized ledgers with no single point of failure, ensuring timely and reliable access to information on the blockchain, and no disruption from single points of failure.

However, in general blockchain does not automatically provide protection for confidentiality, or against unauthorized access to information stored on the blockchain. In the extreme case of a public blockchain, all information stored on the blockchain is visible to anyone that cares to look. While this may be suitable for certain public health use cases, most healthcare use cases involve highly sensitive and lucrative information that is vulnerable to abuse, and therefore access to this information must be strictly controlled and limited to authorized organizations and individuals only. Supplemental strategies such as private and permissioned blockchains, encryption, and other safeguards can help control access to the blockchain and information stored on it, and mitigate the risk of unauthorized access. However, like any security safeguard, none of these are bulletproof or a panacea, and all have residual risks. Consequently, any sensitive information stored on a blockchain is at some increased level of risk. We must minimize this risk through the application of effective, holistic, and multi-layered security safeguards.

In security, risk / reward is often used to help make trade-offs. The idea is that the higher the reward or benefit sought, the higher the residual risk that can be tolerated. An accompanying principle is that the more PII (Personally Identifiable Information) and PHI (Protected Health Information) involved, the higher the risk. Blockchain is essentially a new type of B2B middleware. Even in the case of a private and permissioned blockchain, the sensitive data put on the blockchain is still effectively going outside the firewall and perimeter of any healthcare organization that participates, and is at increased risk of unauthorized access. One of the most important decisions you can make to enable benefits while minimizing risk is the decision of what sensitive data goes on the blockchain and what doesn't. A proven strategy in healthcare security is to minimize risk while still enabling the complete benefits and rewards sought from a healthcare business or patient care standpoint.

As many healthcare organizations get to the point of prototyping a use case on blockchain, and deciding what types and volume of sensitive information will be stored on the blockchain, several strategies are possible. One simple strategy is "let's put everything on the blockchain and figure out later what we can do with it". This strategy of putting all sensitive information on the blockchain will generally significantly exceed the minimal but sufficient information required to realize the benefits and rewards sought based on blockchain use cases, and therefore simply represents unnecessary additional risk. An additional non-security side note: there can also be major performance impacts of this approach, keeping in mind that any data put on the blockchain must get replicated across all instances of the decentralized ledger, present on all endpoints of the blockchain. Considering medical images, genomic data, and many other types of massive data sets this approach risks grinding the blockchain to a halt.

A better strategy for deciding what goes on the blockchain in terms of minimizing risk, while enabling full benefits of the defined use cases, is to take the use cases and the specific associated data required, and store only that information (type and volume) and no more. In cases where there is additional related sensitive information that may also be large in volume and impractical or too risky to store directly on the blockchain, pointers and hashes can be put on the blockchain that point to the source of the data, and the associated hash code can be used to verify the integrity of the data retrieved from the source. Further, the source of the data can have access control to ensure that only authorized individuals have access to it. Such off-blockchain sources of data must be fault tolerant and not introduce a single point of failure, so as not to degrade the availability benefits of blockchain discussed previously.
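The pointer-and-hash design described above, together with the block tamper detection from the immutability paragraph, as an added example that is not part of the original post: a toy in-memory chain whose blocks carry only a URI, a SHA-256 hash and a type tag, a dict standing in for the access-controlled off-chain store (constructed sample records), and checks that catch an edited off-chain record, an edited block, and a removed block. All names and URIs are hypothetical.

```python
"""Hash-pointer pattern: keep bulky or sensitive records off-chain, commit only a
pointer and a hash. Added example; chain and store are in-memory stand-ins."""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

GENESIS_PREV = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample records standing in for an access-controlled archive.
# Keys are pointers (URIs), values are raw record bytes. PHI lives here only.
OFF_CHAIN_STORE = {
    "imaging://archive/study/1001": b"MRI series 1001, patient token P-4821, 512 slices",
    "lab://results/7733": b"CBC panel 7733: WBC 6.1, HGB 13.9, PLT 240",
    "genomics://vcf/55": b"VCF sample 55, 4.2M variants (contents elided)",
}


@dataclass
class Block:
    index: int
    prev_hash: str
    payload: dict  # pointer + hash + type tag only, never the record itself
    block_hash: str = ""

    def compute_hash(self) -> str:
        body = {"index": self.index, "prev_hash": self.prev_hash, "payload": self.payload}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


def make_pointer_payload(uri: str, record: bytes) -> dict:
    """Minimal on-chain content for one record: where it is and what it hashes to."""
    return {"uri": uri, "sha256": sha256_hex(record), "type": uri.split("://", 1)[0]}


def append_block(chain: list, payload: dict) -> Block:
    prev_hash = chain[-1].block_hash if chain else GENESIS_PREV
    block = Block(index=len(chain), prev_hash=prev_hash, payload=payload)
    block.block_hash = block.compute_hash()
    chain.append(block)
    return block


def chain_is_valid(chain: list) -> bool:
    """Each block must re-hash to its stored hash and link to its predecessor, so
    an edited block or a removed interior block is detected. Removal of the final
    block is only caught by comparing against the other copies of the ledger."""
    for i, block in enumerate(chain):
        if block.compute_hash() != block.block_hash:
            return False
        if block.prev_hash != (chain[i - 1].block_hash if i > 0 else GENESIS_PREV):
            return False
    return True


def fetch_and_verify(block: Block, store: dict) -> Optional[bytes]:
    """Resolve the pointer against the off-chain store and check the bytes against
    the committed hash. Returns None if the record is missing or altered."""
    record = store.get(block.payload["uri"])
    if record is None or sha256_hex(record) != block.payload["sha256"]:
        return None
    return record


def build_demo_chain() -> list:
    chain = []  # one block per constructed record; the chain never holds the records
    for uri, record in OFF_CHAIN_STORE.items():
        append_block(chain, make_pointer_payload(uri, record))
    return chain
```

The off-chain store in a real deployment would sit behind its own access control and be replicated so it does not become the single point of failure the paragraph warns about.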

With this strategy healthcare security teams working proactively with healthcare business teams can enable the full benefits, rewards, and ROI of blockchain to improve patient care, while mitigating risk of breaches and other security incidents that could quickly tarnish the major potential benefits of blockchain.


Wednesday, January 31, 2018

Healthcare Ransomware Attacks – Don’t Be Part of the Statistics


In 2017, six of the top ten HIPAA breaches reported to the U.S. Department of Health and Human Services (HHS) stemmed from ransomware. In a typical ransomware attack, important data is encrypted and “held for ransom” until the victim pays a designated amount in exchange for gaining access to the keys to decrypt the data once again. In addition, the cyber-criminal might steal important data before encrypting it and deleting potential backups.

Threats due to ransomware and other types of malware have become commonplace as cyber-criminals become stealthier, more skilled, and zealous in their desire to breach corporate security defenses. The healthcare industry is a prime target for ransomware attacks because organizations with health data, including third parties, often have less mature security postures compared with other companies such as financial firms. What’s more, the enduring data of people’s health records tends to be more valuable than transient data like credit card numbers.

Ransomware attacks of medical facilities are particularly onerous. When critical patient records and imaging files like x-rays and MRIs are unavailable, lives can be at stake, so restoring access to data at all costs is paramount.

Following ransomware attacks in 2017, some hospitals were forced to cancel planned patient procedures due to vital information being unavailable. For any industry – not just healthcare – the aftermath of a single attack can be enormous, including the loss of sensitive data, clients, brand and reputation, intellectual property, trade secrets, and finances.

Here are just a few examples of the many significant breaches involving ransomware/malware reported to HHS in 2017.

500,000 individuals affected – Airway Oxygen, Inc, learned that unidentified criminal(s) had gained access to their technical infrastructure and installed ransomware in order to deny Purity Cylinder and Airway Oxygen, two affiliated companies, access to their own data. The types of protected health information that were involved in the breach include some or all of the following data regarding their customer/end users and payment sources: full name, home address, birth date, telephone number, diagnosis, the type of service being provided, and health insurance policy numbers.

300,000 individuals affected – Women’s Health Care Group of PA discovered a virus/ransomware was installed on a server/workstation, preventing the hospital from accessing patient data. The types of data exposed – and potentially stolen – included names, addresses, dates of birth, lab test orders, lab test results, blood types, race, gender, pregnancy status, medical record numbers, employer information, insurance details, medical diagnoses, physicians’ names and Social Security numbers.

279,663 individuals affected – Urology Austin was the victim of a ransomware attack that encrypted the data stored on their servers. The investigation indicated that personal information may have been impacted by the ransomware, including name, address, date of birth, Social Security number, and medical information.

There are many steps that a CISO can take to minimize the likelihood/impact of a malware/ransomware breach.

  • Ensure anti-virus/anti-malware software is installed and up to date across all endpoints within the business.
  • Back up the data and store it off your network. Create the backups as frequently as you can afford and test to ensure that a full restore can be done using the backups.
  • Use Group Policy Object (GPO) restrictions.
  • Patch your systems and keep them as current as you can.
  • Restrict administrative rights on endpoints.
  • Remember that reducing privileges will reduce the attack surface.
  • Use a standard local user account as your primary account.
  • Use a Secure Internet Gateway on and off the company network.
  • Block users from installing anything themselves.
  • Go through a helpdesk system (with change control) and have a system administrator only install software that is on the approval list.
  • Use a Data Loss Prevention solution and actively monitor it for incidents.
  • Use Endpoint Protection and actively monitor it.
  • Invest in your Information Security program.
  • Tools are great, but it takes a team to properly manage and monitor them.
  • Establish security awareness campaigns.
  • Stress the avoidance of clicking on unknown or unexpected links and attachments in email messages.
  • Train often and in a variety of methods (e.g., in person, emails, newsletters, training classes, posters, swag, brown bag lunches, etc.).


Ransomware attacks have caused serious damage worldwide. All organizations should take steps now to avoid becoming the next victim company. Don’t let your company become part of the statistics!