REPRINT FEBRUARY 2013 healthcare financial management association hfma.org a new approach to IT security
FEATURE STORY REPRINT FEBRUARY 2013 healthcare financial management association hfma.org a new approach to IT security Information object-level controls have the potential to better protect hospitals from data breaches by building security controls into the information itself. AT A GLANCE > More than 60 percent of healthcare data breaches occur due to the loss, theft, or misuse of portable devices. > Using a common application programming interface across applications and platforms to build and enforce object-level controls in information itself can help providers better protect ephi and other types of digital data. > Information objects can be engineered to be decrypted only when a legitimate user on a known device using an approved application opens them, and to control what the user can do with the information. Historically, protecting electronic personal health information (ephi) in hospitals and health systems has been based on the notion of perimeter security: building a wall around the information so that people who are not supposed to have the information cannot get to it. When people talk about information security, they usually use the phrase protecting our networks, wherein the network is the perimeter. But there are three problems with the perimeter-only approach to managing ephi security: > With the increasing adoption of mobile technologies and applications in health care, the perimeter has become impossible to define, much less protect. > Perimeter-only security ignores the inside threat that exists when a hospital s own staff or others with access to the organization s ephi maliciously or nonmaliciously access or leak protected health information. > IT security tools, which are expensive, are not always designed to prevent ephi from being leaked; rather, some of these tools alert organizations to a potential data breach after the fact or protect only a portion of the perimeter, so that the cost-benefit ratio is less than desired. What we really want is to control the distribution of ephi in hospitals. We want the right information to get to the right users and no further. And we want to be able to control what these users can do with the information they have accessed, so they cannot inadvertently or intentionally deliver it into the wrong hands. And since information has to move from person to person and device to device to be useful, we need persistent distribution control. Information object-level control can enable hospitals to achieve these goals. Defining and Protecting the Perimeter Let s examine why a perimeter-only security approach to protecting ephi is no longer sufficient in today s hospitals and health systems. It used to be that the perimeter of a hospital s IT system was easy to define and protect. The perimeter consisted of a mainframe with directly attached dumb hfma.org FEBRUARY 2013 1
terminals. Unauthorized people were not allowed in the building or given an account to use the system, and access was limited. Now consider what the IT perimeter of hospitals looks like in 2013: What is the perimeter of a desktop computer or a mobile device that is connected to both the hospital network and the Internet? Mobile technologies make perimeter security even harder. As reported in Ponemon s Third Annual Benchmark Study on Patient Privacy and Data Security (December 2012), 81 percent of healthcare organizations permit employees and medical staff to use their own mobile devices to connect to their organization s networks or enterprise systems. However, 54 percent of respondents say they are not confident that these personally owned mobile devices are secure. Another study, released in November 2012, reports that more than 66 percent of nurses use their personal smartphones for clinical communications (Healthcare Without Bounds: Point-of-Care INSIDER NEGLIGENCE CONTINUES TO BE AT THE ROOT OF DATA BREACHES Nature of the Incident (More than One Choice Permitted) Lost or stolen computing device Unintentional employee action Third-party snafu Criminal attack Technical systems glitch Malicious insider Intentional, nonmalicious employee action 2012 2011 2010 8% 9% 10% 14% 14% 15% 20% 33% 30% 46% 49% 41% 42% 41% 45% 42% 46% 34% 31% 33% 31% Source: Third Annual Benchmark Study on Patient Privacy and Data Security, Ponemon, December 2012. Computing for Nursing 2012, Spyglass Consulting Group). However, 95 percent of nurses in the study say that hospital IT departments won t support their use of smartphones, fearing security risks ( Nurses Turning to Unauthorized Smartphones to Meet Data Demands, Network World, Dec. 21, 2012). We buy and use laptops, tablets, and smartphones because they make accessing information from outside the perimeter easy. Almost all constituencies that hospitals serve want their slice of healthcare information and they want it on their mobile devices. The second problem with perimeter-securityonly is the insider threat. We d like to believe that the human nature of healthcare workers mitigates insider risk; however, real-world PHI data breach risks and events reveal a different story ( Top Cause of Data Breaches? Negligent Insiders, Help Net Security, March 22, 2012). The unseen assumption behind perimeter security is that everyone you ve let inside is trustworthy. But honest people with access to hospital networks may not understand or remember information security policies and procedures. They can get conned by an outsider looking for a way in, or they can use computers that are compromised without their knowledge. Worse, not all insiders are honest. We must acknowledge that insider includes anyone (e.g., healthcare workers, contractors, business associates, janitors, patients) with potential access to PHI, regardless of intent. A casual glance at industry surveys and news articles confirms that PHI data breach risks and events originating from insiders are a significant and costly reality within health care. As reported in Ponemon s December 2012 study, the top three causes of a data breach are: > Lost or stolen computing devices (46 percent) > Unintentional employee mistakes (42 percent) > Third-party snafus (42 percent) Moreover, five of the top seven root causes of data breaches are linked to authorized individuals, according to the study. 2 FEBRUARY 2013 healthcare financial management
The significance of the insider threat is further validated by a 2011 report that found that 71 percent of healthcare organizations suffered one or more ephi breaches in the course of a year most of which originated from insiders in one form or another (Survey of Patient Privacy Breached, Veriphyr). Employees who snooped at other employees medical records were the most common source of a breach (35 percent), followed by employees who peeked at medical records of friends and relatives (27 percent), loss or theft of physical records (25 percent), and loss or theft of equipment housing patient data (20 percent). Additionally, a May 2012 article by Erica Chickowski notes that more than 60 percent of breaches reported to the U.S. Department of Health and Human Services in response to HIPAA mandates occur due to the loss or theft of portable devices, such as laptops, smartphones, and external drives ( Health Care Unable to Keep Up with Insider Threats, Dark Reading, May 1, 2012). Chickowski cites three major healthcare breaches in April 2012, which alone disclosed nearly 1.1 million healthcare records. The common thread in each was the role of insiders both nonmalicious and malicious in causing the incidents. Human (insider) error was responsible for the loss of 315,000 patient records at one organization when 10 backup disks went missing from a storage facility. In another of the incidents, an employee emailed 228,000 Medicaid patient records to himself. These examples underscore the need to acknowledge that anyone with potential access to ephi could pose a threat to the security of this information. The third problem with a perimeter-only security approach is that as the perimeter expands and becomes more complex, so do the number of security tools required to protect the IT perimeter and the cost of acquiring and operating such tools can be high. Additionally, it s often hard to make a financial case for the ever-growing number of security tools because even when they function perfectly, they do not directly secure information; instead, they reinforce some aspect of the perimeter or alert the organization of a breach after the breach has occurred. This is not a call to abandon perimeter security; it is still needed. However, it is not sufficient or economically feasible for providers to rely on a perimeter security approach as the only approach to securing information. That being said, as a practical and legal matter, it is critical for health care to pay attention to the general computing controls emphasized in the Office of Inspector General report Audit of Information Technology Security Included in Health Information Technology Standards. The U.S. Department of Homeland Security also offers a free cyber security evaluation tool for assessing the security posture of cyber systems and networks related to industrial controls and business IT systems (www.us-cert.gov/ control_systems/satool.html). How Information Object-Level Controls Can Help Healthcare providers should establish rules to control who can access information and what can be done with the information, regardless of how or where it is distributed or what type of device the information is stored on. Such rules should work across the many applications and edge devices used by providers. Information object-level controls that are built into applications could help providers better protect ephi and other information. An information object encapsulates any form of digital content along with control information about the content. Information objects can include distribution controls designating who can access the information, rules dictating how the information may be used or manipulated, and audit data (e.g., when changes were made to the content, and by whom). This is where today s computing power comes into play. If properly engineered to include the processing power of new edge devices, there is more than enough capacity to protect information in motion and everywhere it is stored. It is critical to include edge-device capacity in any approach hfma.org FEBRUARY 2013 3
QUESTIONS TO ASK IN PROTECTING ephi In addressing ephi security concerns, providers should ask the following questions of their IT vendors: > How will you help our organization retain control of our information, regardless of the platform that the information is located upon? > How will you help our organization prove where information goes, who has used the information, and for what purpose the information was used? > How will you help us interoperate within an industry at the information level to retain control of our information, regardless of the application we are using? > How are you going to help simplify the control of our ephi and make it less expensive to operate? to cybersecurity because increasingly sophisticated edge devices: > Are where most information lives > Have in/out parts for exporting information > Are often portable and easily stolen or captured > Are what users are using and will continue to use Information objects can be separately and distinctly encrypted and kept continually encrypted. They can be engineered so that they are only decrypted when a legitimate user on a known device using an approved application opens them. Contrary to what is sometimes portrayed on television and in the movies, cracking encrypted information is extremely difficult and expensive, especially when there are many information objects, each with a different key. What is the risk of a security breach if all it yields is hundreds or thousands of distinctly encrypted information objects? What is the risk of a stolen laptop, tablet, or phone that contains thousands of distinctly encrypted objects? How much stronger are a provider s ephi controls if applications rather than people are enforcing information security policies, and if access to and use of the information is audited? How much more difficult will it be to inject false information into hospital industrial control systems if the attacker is required to somehow continually replicate distinctly encrypted commands? Making the Transition Moving beyond traditional security controls will require changes in thinking and industry practice. Information security vendors have, for the most part, treated the increase in edge computing power as a problem to be solved rather than an opportunity to be leveraged. Application vendors have, for the most part, assumed that information security was somebody else s problem. The healthcare industry has not invested a great deal of work toward adopting a common information object-level security architecture. That s understandable: Such architecture has only recently become possible. However, this type of information security support is becoming a necessity for healthcare providers. The risks and costs of PHI breaches continue to rise. Healthcare organizations are increasingly being audited for potential and actual security breaches involving ephi. Ninety-four percent of healthcare organizations surveyed for a recent study stated they had recorded at least one data breach from 2010-12, while 45 percent reported that they had experienced more than five data breaches during this two-year period (Third Annual Benchmark Study on Patient Privacy and Data Security, Ponemon, December 2012). With an estimated annual cost of $7 billion to the healthcare industry, the average economic impact of a breach over a two-year period has increased to $2.4 million, a 20 percent increase since the study was first conducted in 2010, according to researchers. Meanwhile, a 2011 report stating that of the top 10 industry sectors that have experienced data breaches, the healthcare industry ranked first in data breaches recorded, with government education, and finance being the next closest at 14, 13, and 8 percent, respectively (Internet Security Report: 2011 Trends, Symantec). Given the magnitude of risk associated with protecting ephi, regulation will almost certainly require that the healthcare industry shift from passive compliance with security regulations to provable adherence. Perimeter-only security approaches are not enough. About the authors is CEO, Absio Corporation, Denver (dan.kruger@absio.com). is a chief officer, Absio Corporation, Denver (tim.anschutz@absio.com). Reprinted from the February 2013 issue of hfm magazine. Copyright 2013 by Healthcare Financial Management Association, Three Westbrook Corporate Center, Suite 600, Westchester, IL 60154-5732. For more information, call 1-800 -252-HFMA or visit www.hfma.org.
WEB EXTRA The Limitations of Cloud Computing in Controlling Information Security In the beginning, compute power was concentrated in mainframe computers. Edge devices were dumb terminals that couldn t connect to anything but the mainframe. The network era has been a constant process of increasing compute power at the edge. PCs, laptops, tablets, smartphones, diagnostic and monitoring equipment, medical devices, and industrial controls have increased compute capacity in ever-smaller forms. Cloud computing is, in a way, an attempt to return to the mainframe model to centralize compute power in massive server farms and use of software on smart edge devices that act as pretty-but-dumb terminals for accessing information from the cloud. But inherent problems prevent the cloud from being a complete solution for controlling the distribution of information: > Edge devices that are accessing the cloud act as dumb terminals, but they are not dumb. They are tremendously capable computers that host myriad applications that can be used as vehicles to defeat cloud security. > It is not always possible to access the cloud. We are years away, if ever, from bandwidth nirvana. There are far too many situations where work cannot get done because no connection is available, the connection is intermittent, or bandwidth is insufficient. > Cloud computing requires that the hospital pay for all of the compute and connection capacity. The compute power of edge devices is more or less thrown away, and each new edge device increases the requirement for bandwidth and central computing capacity. > The cloud data center defines a secure perimeter, but it does not address securing data when data leave the data center. * How do we harness the power of the cloud and leverage the efficiencies of edge devices without sacrificing security? We do it by locating control in the information itself. Web Extra to A New Approach to IT Security Republished from the February 2013 issue of hfm magazine. Copyright 2013 by Healthcare Financial Management Association, Three Westbrook Corporate Center, Suite 600, Westchester, IL 60154-5732. For more information, call 1-800-252-HFMA or visit www.hfma.org.