UNDERSTANDING MEDICAL PRACTICE CYBER SECURITY RISKS

Join Our Mailing List 

A SPECIAL ME-P REPORT

Risk Management, Liability Insurance, and Asset Protection Strategies for Doctors and Advisors: Best Practices from Leading Consultants and Certified Medical Planners™

Mitigations for the Digital Health Era

Shahid N. Shah MS

[By Shahid N. Shah MS]

There has been a tremendous explosion of information technology (IT) in healthcare caused by billions of dollars of government incentives for usage of digital healthcare tools.

But, IT systems face threats with significant adverse impacts on institutional assets, patients, and partners if sensitive data is ever compromised. Every health enterprise is required to confidentiality, integrity and availability of its information assets (this is called “information assurance” or IA). Confidentiality means private or confidential information must not be disclosed to unauthorized persons. Integrity means that the information can be changed only in an authorized manner so as to maintain the correctness of the information. Availability defines the characteristic that information systems work as intended and all services are available to its users whenever necessary.

It is well known that healthcare organizations face and have been mitigating many risks such as investment risk, budgetary risk, program management risk, safety risk, and inventory risk for many years. What’s new in the last decade or so is that organizations must now manage information assurance risks related to operating its information systems because information systems. IT is now just as a critical an asset as most other infrastructure managed by health systems. It is important that information security risks are given the same or more importance and priority as given to other organizational risks.

As health records move from paper native to digital native, it’s vital that organizations have information risk management programs and security procedures that woven into the culture of the organization. For this to happen, basic requirements of information security must be defined and implemented as part of both the operational and management processes. A framework that provides guidance on how to perform these activities, and the co-ordination required between these activities is needed.

***

hacker

[Black Hat Medical Hacker]

***

INTRODUCTION

The Risk Management Framework (RMF), supported by the National Institute of Standards and Technology (NIST) provides this framework. The NIST 800 series publications provide a structured approach to achieve risk management. It provides broad guidance and not necessarily all the prescriptions, which means it can be tailored to meet the organization’s specific needs and providing the flexibility needed for the different organizations. Using the NIST RMF helps organizations with risk management not only in a repeatable manner, but also with greater efficiency and effectiveness. Healthcare information assurance is complex and without a framework that takes into account a broad risk management approach, it is difficult to consider all the intricacies involved.

The NIST Risk Management Framework consists of a six step process designed to guide organizations in managing the risks in their information systems.

The various steps as defined in the NIST specifications are the following:

  • Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.
  • Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions
  • Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
  • Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
  • Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
  • Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.

All information systems process, store and transmit information. What is the possible impact if a worst case scenario occurs that causes endangers this information? A structured way to find out the potential impact on the confidentiality, integrity and availability of information can be done through the first step of NIST RMP, the categorization of information systems.

***

keyboard

[Triple Redundant Passwords and Encryption]

***

The NIST SP 800-60 [1, 2, 3 4] provides such guidance. The potential impact is assigned qualitative values – low, moderate, or high. Based on these impact levels for each of the information type contained in the system, the high water mark level is calculated, that helps in selecting the appropriate controls in the subsequent steps.

Organizations need to mitigate risks adequately by selecting an appropriate set of controls that would work effectively. In the selection of security controls step, the set of controls are chosen based on the categorization of the information system, the high water mark and the goals of the organizations.

These baseline controls are selected from NIST SP 800-53 [5] specification, one of three sets of baseline controls, corresponding to low, moderate, high impact rating of the information system. These baseline controls can be modified to meet specific business needs and organization goals. These tailored controls can be supplemented with additional controls, if needed, to meet unique organizational policies and environment factors and its security requirements and its risk appetite. The minimum assurance requirements need to be specified here.

All the activities necessary for having the selected controls in place, is done in the implementation of security controls step. The implementation of the selected security controls will have an impact on the organization risks and its effects. NIST SP 800-70 [6, 7] can be used as guidance for the implementation. An implementation strategy has to be planned and the actions have to be defined and the implementation plan needs to be reviewed and approved, before the implementation is done.

Once the controls are implemented, then the assessment of security controls is done to find out whether the controls have been correctly implemented, working as intended, and giving the desired output with respect to the security requirements. In short, whether the applied security controls are indeed the right ones, done in the right way, giving the right outcome. NIST SP 800-53 [5], NIST 800-53A [6], NIST 800-115 [8-11] can provide the necessary guidance, here. 

***

md-defeated-

[Frustrated Physician]

***

The authorization of information systems is an official management decision, authorizing that the information system can be made operational, with the identified risks mitigated and the residual risks accepted, and is accountable for any adverse impacts on the confidentiality, integrity and availability of information systems. If the authorizing personnel find that the risks are not mitigated and hence can compromise the sensitive information, they can deny authorizing the information system. NIST SP 800-37 [2] provides guidance on authorization. The authorizing personnel are to be involved actively throughout the risk management process.

Risk management is not one-time process, that once it is done, it is forgotten. It is a continuous process, to be integrated with day-to-day activities. One of the key aspects of any risk management is the monitoring of security controls to check whether the controls are performing as intended. The main focus of monitoring security controls is to know whether the controls are still effective over a period time, given the changes that occur in the information systems — the changes in hardware, software and firmware, the changes in environment factors, operating conditions etc. NIST SP 800-37 [2] provides guidance about this. And, if the security controls are found to be ineffective, the cycle starts again, with either re-categorization or selecting another set of baseline controls, or assessing the effectiveness of the controls once more etc.

Regardless, in all the steps in risk management framework, one of the important aspects is communication. Appropriate documents needed to be generated in all the steps, reviewed and kept up-to-date.

Organizational risk management provides great benefits to the organization because it helps to prioritize the resources, increase interoperability, and reduce costs incurred due to the adverse effects. It helps to prevent unauthorized access to personally identifiable information which will lead to security breaches. 

Channel Surfing

Have you visited our other topic channels? Established to facilitate idea exchange and link our community together, the value of these topics is dependent upon your input. Please take a minute to visit. And, to prevent that annoying spam, we ask that you register.

Link: http://feeds.feedburner.com/HealthcareFinancialsthePostForcxos

ABOUT 

Mr. Shahid N. Shah is an internationally recognized healthcare thought-leader across the Internet. He is a consultant to various federal agencies on technology matters and winner of Federal Computer Week’s coveted “Fed 100″ Award, in 2009. Over a twenty year career, he built multiple clinical solutions and helped design-deploy an electronic health record solution for the American Red Cross and two web-based eMRs used by hundreds of physicians with many large groupware and collaboration sites. As ex-CTO for a billion dollar division of CardinalHealth, he helped design advanced clinical interfaces for medical devices and hospitals. Mr. Shah is senior technology strategy advisor to NIH’s SBIR/STTR program helping small businesses commercialize healthcare applications. He runs four successful blogs: At http://shahid.shah.org he writes about architecture issues; at http://www.healthcareguy.com he provides valuable insights on applying technology in health care; at http://www.federalarchitect.com he advises senior federal technologists; and at http://www.hitsphere.com he gives a glimpse of HIT as an aggregator. Mr. Shah is a Microsoft MVP (Solutions Architect) Award Winner for 2007, and a Microsoft MVP (Solutions Architect) Award Winner for 2006. He also served as a HIMSS Enterprise IT Committee Member. Mr. Shah received a BS in computer science from the Pennsylvania State University and MS in Technology Management from the University of Maryland. 

Conclusion

Your thoughts and comments on this ME-P are appreciated. Feel free to review our top-left column, and top-right sidebar materials, links, URLs and related websites, too. Then, subscribe to the ME-P. It is fast, free and secure.

***

Risk Management, Liability Insurance, and Asset Protection Strategies for Doctors and Advisors: Best Practices from Leading Consultants and Certified Medical Planners™

***

READINGS

[1] National Institute of Standards and Technology Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf

[2] National Institute of Standards and Technology Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems, http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

[3] National Institute of Standards and Technology Special Publication 800-60 Volume I Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories, http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf

[4] National Institute of Standards and Technology Special Publication 800-60 Volume II Revision 1,  Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories, http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol2-Rev1.pdf

[5] National Institute of Standards and Technology Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

[6] National Institute of Standards and Technology Special Publication 800-53A Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf

[7] National Institute of Standards and Technology Special Publication 800-70 Revision 2, National Checklist Program – Guidelines for Checklist Users and Developers Recommendations of the National Institute of Standards and Technology for IT Products, http://csrc.nist.gov/publications/nistpubs/800-70-rev2/SP800-70-rev2.pdf

[8] National Institute of Standards and Technology Special Publication 800-115, Technical Guide to Information Security Testing and Assessment, http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf

[9] National Institute of Standards and Technology Special Publication 800-137, Information Security, http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf

[10] U.S. Department of Health and Human Services, HIPAA Security Series, Security Standards: Technical Safeguards, http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

[11] U.S. Department of Health and Human Services, HIPAA Security Series, Security Standards: Physical Safeguards, http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf

Speaker: If you need a moderator or speaker for an upcoming event, Dr. David E. Marcinko; MBA – Publisher-in-Chief of the Medical Executive-Post – is available for seminar or speaking engagements. Contact: MarcinkoAdvisors@msn.com

OUR OTHER PRINT BOOKS AND RELATED INFORMATION SOURCES:

Risk Management, Liability Insurance, and Asset Protection Strategies for Doctors and Advisors: Best Practices from Leading Consultants and Certified Medical Planners™8Comprehensive Financial Planning Strategies for Doctors and Advisors: Best Practices from Leading Consultants and Certified Medical Planners™

Advertisements

7 Responses

  1. 6 Tips for Protecting Your Communications From Prying Eyes

    In an age of ubiquitous surveillance, there are still some things you can do to keep your communications private — and not all of it is high-tech.

    http://www.propublica.org/article/six-tips-for-protecting-your-communications-from-prying-eyes?utm_source=et&utm_medium=email&utm_campaign=dailynewsletter&utm_content=&utm_name=

    Martin

    Like

  2. UCLA Health Hacked

    University of California (UCLA) Health, which runs four hospitals in the university’s campuses, and drug retailer CVS Health Corp’s CVSphoto.com became the latest victims of cyber attacks.

    http://www.msn.com/en-us/news/us/ucla-health-says-it-was-victim-of-criminal-cyber-attack/ar-AAd9s0f?ocid=iehp

    UCLA Health just said that data on as many as 4.5 million individuals was at potentially at risk, although it added it had not yet found evidence that individuals’ personal or medical information was actually accessed or acquired during the breach.

    Gage

    Like

  3. Beware Financial Info Security – Too

    How vulnerable is your financial information?
    The answer may surprise you.

    http://www.msn.com/en-us/money/personalfinance/how-vulnerable-is-your-financial-information-the-answer-may-surprise-you/ar-AAepFJH?li=AA4Zjn&ocid=iehp

    Jenna

    Like

  4. On stolen digital health records

    Stolen digital health records are being sold on the internet – Stolen paper records? Not so much.

    “New Breach: 655000 Healthcare Records (Patients) Being Sold.” By DeepDotWeb, June 26, 2016.

    https://www.deepdotweb.com/2016/06/26/655000-healthcare-records-patients-being-sold/

    DeepDotWeb:

    When Paul Syverson, Co-creator of the Tor web browser said that Your Medical Records Have Bullseyes On Them, he probably meant this. According to what the hacker told us over an encrypted Jabber conversation, he used a “an exploit in how companies use RDP. So it is a very particular bug. The conditions have to be very precise for it “.

    ———————————————

    On the other hand, Electronic Dental Records – which thieves find just as interesting as EMRs – can occasionally be hacked accidentally by passers-by

    When Patterson Dental, maker of Eaglesoft dental EHR systems, was discretely informed by security researcher Justin Shafer that he noticed their barn door was open, they chose to blame Shafer for their embarrassment, as opposed to quietly buttoning up and thanking him for helpful info. (See: “Armed FBI agents raid home of researcher who found unsecured patient data – Prosecutors allegedly say he exceeded authorization in viewing unsecured FTP server.” by Dan Goodin, ArsTechnica, May 27, 2016).

    http://arstechnica.com/security/2016/05/armed-fbi-agents-raid-home-of-researcher-who-found-unsecured-patent-data/

    Word gets around. Things get worse instead of better. Hang in there, Justin. The “Streisand effect” is coming

    Predictably, other benevolent security researchers like Shafer have since abandoned their hobby of penetration testing health records – leaving that to more reticent hackers who sell what they find to bad guys – which leads to preventable, unpleasant surprises for identity victims. (See: “Security researchers stop disclosing vulnerabilities after FBI raid on fellow researcher.” By Dissent Doe for The Daily Dot, June 1, 2016).

    http://www.dailydot.com/politics/justin-shafer-security-researcher-chilled-speech/

    Until dentists stop putting patients’ identities on computers, indications are that the danger of data breaches will only worsen. Physicians might be incapable of successfully de-identifying patients’ digital records simply because of the variety of information that must be available in one’s primary medical record. On the other hand, only coroners identify owners of dental records.

    Anyone yet looking for a dentist with heavy, loud, metal filing cabinets and a typewriter? Just give it a little more time.

    D. Kellus Pruitt DDS

    Like

  5. Cyber-Security

    Health care faces a unique challenge when it comes to cyberattacks in that the data collected by the industry is, by nature, personal and highly valuable to hackers. In addition, health care organizations have not historically had the same resources or incentives as other industries to invest heavily in building stronger cybersecurity programs. 89 percent of health care organizations sustained a data breach during the past two years – and nearly half of those attacked reported five or more breaches. The combination of valuable information and lack of sophisticated cybersecurity program to protect it has led the industry to become a prime target for cyberattacks, a trend that may continue for some time if cybersecurity issues are not thoroughly addressed.

    Given the risks, what should health care executives be thinking about and addressing in order to prepare for and respond to cyber incidents:

    • Convene the right team. Cybersecurity is not just an IT issue, but a business issue that requires involvement from stakeholders across the organization.
    • Identify top risk areas and assets. In most enterprises, particular data sets (such as patient records), clinical systems, medical devices, or other digital assets represent high value unto themselves.
    • “Right size” spend to reduce incident impact. While greater investment may be required, understanding an organization’s unique risks and investing in a risk-focused manner is key.
    • Modernize what “readiness” means. With awareness of what assets matter most to the organization, plans can be made to involve the various parties needed to protect, defend, and recover if compromised.

    Cyber readiness is not just about being prepared to respond after an incident occurs.

    According to a recent report by Deloitte, over 95 percent of the impacts of a cyberattack on a health care organization may not be immediately identifiable – and the full impact may take years to play out. Executives need to recognize that cyberattacks impact their entire business and are not just a task for IT departments and third-party security vendors. A risk-based cyber risk management program must be implemented and exercised to reduce the impact of an attack.

    Cybersecurity starts at the top, and understanding this can help health care executives build stronger, more secure organizations.

    Mark Ford
    [Principal]
    Cyber Risk Services Deloitte & Touche LLP

    Like

  6. In the News

    “Redboot ‘Ransomware’ Is Capable of Permanently Altering Hard Drive Partitions – RedBoot is a new bootlocker ransomware which seemingly modifies computers’ partition tables. Users are unable to decrypt their files or restore their partition settings whatsoever. It is not the first time we have seen a crossover between ransomware and data wiping capabilities in the malware world. There have been a few types of malware which disguise themselves as ransomware but effectively delete encrypted data.” By JP Buntinx for TheMerkle.com, September 25, 2017
    https://themerkle.com/redboot-ransomware-is-capable-of-permanently-altering-hard-drive-partitions/
     
    “Myth busted: You can’t sweep ransomware attacks under the rug – Breach reporting isn’t optional, and organizations risk making things worse by failing to be transparent.” By Jessica Davis for Healthcare IT News, September 26, 2017
    http://www.healthcareitnews.com/news/myth-busted-you-cant-sweep-ransomware-attacks-under-rug
     
    “New Cybersecurity Report Shows Companies Are Alarmingly Unprepared to Deal with Ransomware Threats – Crowd Research Partners today released the 2017 Ransomware Report, which shows that companies and government agencies are overwhelmed by frequent, severe ransomware attacks, which have now become the #1 cyber threat to organizations.” – Business Wire, September 26, 2017.
    http://www.businesswire.com/news/home/20170926005516/en/New-Cybersecurity-Report-Shows-Companies-Alarmingly-Unprepared
     
    “Scam Report: Ransomware can destroy backups several ways – The prevailing wisdom is that, if you back up your data, you can recover from a ransomware attack. While this premise generally holds true, simply backing up your data no longer provides an absolute guarantee that you can recover from a ransomware attack.” By Stu Sjouwerman for Reading Eagle, September 26, 2017.
    http://www.readingeagle.com/business-weekly/article/scam-report-ransomware-can-destroy-backups-several-ways

    D. Kellus Pruitt DDS

     

    Like

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: