Ever-changing Health IT Environments Call for Increased Resilience
Recurring Risk Assessments
The risk assessment has to look very broadly across the environment and the data. IT security professionals should always know what assets they have, so they can protect them; understand who has access to them; and know if the assets are available during a crisis, such as a tornado or flood.
And the assessment shouldn't be performed just once or even annually. "You have to do it every time you've made your process changes, system changes or even key personnel changes," Finn says.
The business of healthcare, the threat landscape and technology have all changed over the years, and IT professionals can no longer be restrained by old models. "We need to look at new solutions and new ways of doing things, or we're simply going to repeat the old mistakes with new tools."
The worst thing an organization can do in terms of storing and protecting health data is "nothing," Finn says. "At the pace of change today, not moving forward is the same as moving backward."
In an interview about healthcare data protection strategies, Finn discusses:
- The evolving threat landscape;
- Why current point-security solutions are insufficient;
- Ways that healthcare organizations can improve how they store and protect data.
Prior to his current role, Finn was the Chief Information Officer and Vice President of Information Services for Texas Children's Hospital, the largest pediatric integrated delivery system in the United States. He also served as the Privacy and Security Officer for Texas Children's. Prior to that, Finn spent seven years as a healthcare consultant with IMG, Healthlink and PwC, serving last as the EVP of Operations for Healthlink.
Finn has 30 years' experience in the planning, management and control of information technology and business processes. He is focused on enabling operating efficiency and deriving business value through the optimization and control of technology. His key skills include IT Governance and Control, Project Management, Systems Selection and Implementation, Business and IT Partnering, and IT Audit, Control and Security.
Protection of Electronic Health Data: Today's Misconceptions
TOM FIELD: What's most misunderstood today when it comes to storage and the protection of electronic health data?
DAVID FINN: The biggest problem around protecting electronic PHI, frankly, is knowing where it is, who is using it and for what purpose. That sounds kind of strange, but here's how it happens. You put in your EMR, and you have good controls around that, and then some of the data is moved to your warehouse or an analytics system. And let's say you're doing a good job with that in terms of protecting the data, but that's where the fun begins. A doctor, for example, has copied something from the EMR and put it in an e-mail to a patient or an insurance company. Or a researcher has taken some data that he needs from the warehouse and placed it in a spreadsheet that he is using. Or a department has downloaded something from the EMR to do reporting for their professional association. Or a provider puts some of the data on notes he's taking for a presentation on his laptop, and his laptop is stolen at the airport. And worse, it's a personal laptop that the hospital doesn't control.
All of those may be legitimate uses of the data, but pretty quickly you lose track of where the data is, who is using it and what they're using it for. You can store it very securely in your EMR or in a warehouse, but the minute you grant access to those sources, you need to have the tools in place to track, manage and restrict the use of the data beyond those sources. And today, providers are under a lot of pressure to share that data beyond their own walls or networks, which just further exacerbates the problem.
FIELD: My understanding is that the threat landscape has changed. Can you tell us how it's evolved?
FINN: Evolution is a good word. The cyber world is a much different place than it was even three years ago, and it's not a better world for healthcare providers. We're witnessing significant changes in the threat landscape and the underground economy, and these trends really need to be understood by providers and taken into consideration when they're laying out an enterprise security strategy. The data stored in your EMR or your patient financial system is much more comprehensive, useful and lucrative for the bad guys than any other industry's data. In fact, we know that healthcare is the number two targeted industry for the bad guys. And the trends in cybercrime and the underground economy have changed the threat landscape, and it's becoming an increasingly difficult situation. Today's cyber criminals are no longer motivated by fame and getting their picture on the front page of the paper. In fact, that trend has been completely reversed. The attacks today are much more stealthy, and they're increasingly difficult to detect. The attackers use strategies that slowly penetrate IT infrastructures and take their time to find the most valuable assets, which is the data.
Today, for example, Symantec estimates that one in every 200 computers in western countries is part of a botnet, and some of these botnets can include over one million individual computers. And these computers are actively, usually unknown to their owners, contributing to the distribution of spam and malware, not to mention the collection of this very prized and expensive data.
And finally, in the last several years we've seen political activists, even governments, involved in the use of cyberspace as a battleground, from the Stuxnet worm, for example, to China's battles with Google. What we've seen is the attacks shift from mass distribution of a few threats to micro and targeted distribution of millions of distinct threats. The bad guys are using servers to generate new malware strains every few minutes or hours. Just to give you some idea of the scope and scale, in 2003 Symantec found about five virus signatures a day in the wild. In 2009, only six years later, the number of new signatures daily was 20,000. It's a huge threat out there. And historically, the measure for antivirus vendors has been those signatures. In 2010, the number of signatures grew so large that, because of the issue with variants and self-morphing malware, the metric changed from signatures to threat variants. Today we're tracking about ten million signatures. With this variant software and the self-morphing software, that ten million translates to about 286 million threat variants.
FIELD: We're throwing an awful lot at our healthcare information security professionals. Where do you find, within their organizations, that they're going wrong with their risk assessments in this threat landscape?
FINN: It's not so much that we're wrong as that we limit the scope of our risk assessments, and that's because we don't think about the data. We tend to think about where we hold the data and assess that device or that point. I remember when I was a CIO and the video iPads had just come out. We were bemoaning the fact that they had these video iPads. I remember sitting around with our security team, and we didn't even know why it was going to be a bad thing. Then one of my PC support staff shows up in my office with one that he had found connected to a doctor's PC, which was a violation of our policy.
But it turns out the doctor had found a great way to transport full motion studies to conferences without a laptop or storage device. He was solving his problem, and I applauded him for it and we secured his device. But in IT, we were thinking about the devices and where the data was residing, and the doctor was thinking about how he needed to move and use that data. And we need to think, in IT, about where the data is, who uses it, how and why. The scope of our risk assessment has to be as broad as our users' needs. Today we have virtualized environments. We use the cloud. People want access to hospital resources via not only their corporate assets, but they want to use their own devices when they're away. This is going to be an expansive effort to take that broad a view, but I think that's what it's going to take.
FIELD: It strikes me that many of these security strategies are built around point security solutions. Why are these insufficient today?
FINN: That's a very good point. We're thinking about solving a problem at a point, and we do that pretty well. But going back to my earlier comments, data rarely stays at a point. Data, like the care that it supports, is a continuum. We check the patient's ID every time we give them meds, take them for a test or to therapy in the hospital, and we need to think the same way about the continuum of the data.
This is an example of a doctor coming into the network. "Yes, that data is here. Why do you need it?" the system is asking. This isn't a question-and-response exchange, but embedded logic that gets processed as you're connecting and going through the process. The system is saying, "The data is here. Why do you need it, and who are you again? Prove it." There's going to be an authentication process. And then the system is going to say, "Okay, that isn't what you usually do with this kind of data. Why do you want to put it on a jump drive?" And then the system is going to say, "We'll put it on the jump drive, but we're going to encrypt that data in case you lose the jump drive." And then the next day the doctor comes in on his Android phone instead of his desktop, and the system is going to say, "You're coming in on an Android phone rather than your PC. Let me make sure it's really you." And you're going to go through an authentication process. Point solutions work great on the one point problem you're solving, but that isn't how clinicians or even other users in the hospital use or need the data today.
FIELD: Let's take a step back for a minute and take a look at regulatory and business continuity concerns. When you're thinking about healthcare data security, what are the regulations or the business continuity issues that you really need to weigh?
FINN: That does have to factor into whatever you do in health IT today. There's no doubt that healthcare is highly regulated, particularly around the privacy and security aspects. But we have to remember that HIPAA was intended as a floor for protection, and HITECH as well doesn't really get to the best practices of many other industries, but we're trying to raise the bar for everyone. Encryption, for example, seems like a pretty simple solution and would have solved a lot of the problems, including many of the device loss issues on the "wall of shame." That's the site that HHS maintains to report breaches.
And yet, encryption still isn't a requirement; it's an addressable element of HIPAA. We've come a long way in a short time, but we have to do better. We're looking at organizations that have virtually no digital technology to very advanced organizations. You have to raise the bar for everyone, but you're going to have to do that a little more slowly to get everyone to that same level before you can really start doing what you need to do.
On the other hand, too much regulation can have an adverse effect. You have federal requirements. You may have state requirements that are stricter or conflict with federal law. And if you're a multi-state provider, you may have conflicts across the state laws you're trying to comply with. So the regulatory area can get pretty complex, and you have to take that into account.
And then as we move to the EMR, a provider's ability to keep seeing and treating patients is only as good as the ability to access the EMR and other clinical systems. Disaster recovery and business continuity aren't optional anymore. They have to be designed and built into these systems at the front end, before you're up and running and then having a catastrophe. Emergency procedures are required under HIPAA and The Joint Commission, but they're so vague that they're really less than helpful unless you've already done something and have things in place. They're really guidance, not rules. The good news is we have more technology, better technology, to help with those problems. But the bad news is that typically IT is looked to for business continuity. IT may own the disaster recovery piece of an IT outage, but the key word in business continuity is business. I can assure you that a storage manager can't tell you what a doctor needs in order to keep seeing patients in a clinic if the PACS (Picture Archiving and Communication System) is down, but he might be able to get you access to any images or reports in the cloud if you've planned right, in advance, and engaged the business in the business impact analysis and in finding solutions. And the solutions have to address short-term, midterm and long-term outages.
Advice for Healthcare Organizations Today
FIELD: We've talked about a lot today. We've talked about the evolving threat landscape, about risk assessments, point security and now regulatory concerns. With all of these different topics as our context, what would you offer healthcare organizations today, in some specific ways, so that they can improve how they store and protect critical data?
FINN: I wish there was one simple solution or one simple idea that every organization could take and use, but every organization is different. Not only are the architecture and computer environment different, but the risk tolerance is going to vary, and the available funding and staff skills will vary from organization to organization and even change over time within an organization. It has to start with the risk assessment, and that has to be an ongoing process. You can't do it once. You have to do it every time you've made your process changes, system changes or even key personnel changes. The risk assessment has to look very broadly across the environment and the data. You have to know what you have in order to start figuring out how to protect it, how to access it and assure it is available in any number of scenarios that could impact the organization - tornadoes, floods and fires, for example.
And the other thing we need to look at in IT is we can't be restrained anymore by old models and the way we used to do things. The business of healthcare, the threat landscape and technology have all changed so much in the last few years that we need to look at other industries, we need to look at new solutions and at new ways of doing things, or we're simply going to repeat the old mistakes with new tools. I'm not advising anyone to jump into new technologies or new ways of doing things without proper protections, controls and planning, but we can't be afraid to try new approaches with less important data. We need to see how it works, figure out the strengths and weaknesses and move ahead. I think the worst thing an organization can do in terms of storing and protecting data is nothing. You lock down, you avoid new devices and you avoid new service models. It's going to be very hard for many reasons, but at the pace of change today, not moving forward is the same as moving backward.