Cybersecurity: No silver bullet for healthcare's insider/outsider threats
The threat of data breaches is mounting, with new reports of a cyberattack or a mismanaged electronic document coming out every couple of weeks. In healthcare, especially, the value of data and personal health information is high, as cyberattackers can use stolen information for identity theft and medical fraud.
And it's not just foreign cyberattackers who are targeting information systems: Insider activity is another growing threat. According to MeriTalk's "Inside Job: The Federal Insider Threat Report," 45 percent of federal IT agencies reported being the target of an insider threat within the past 12 months, and 29 percent of those agencies lost data due to an insider incident.
This balance of internal and external security risks poses a challenge for IT leaders, as each arena requires its own strategies and defenses against an attack.
"The typical analogy I give is, particularly in healthcare, it's a chicken egg," says Amit Kulkarni, CEO of Secure Healing, a healthcare privacy monitoring and reporting platform. "You normally have a hard shell on the outside. Your typical firewall, intrusion detection system, proxy servers. That's essentially the outer hard shell. What's on the inside? Once you have an employee authorization — whether you are a nurse, physician, technician, someone from IT, a social worker or a volunteer — you pretty much have unrestricted access to any and all patients' medical records. It's all gravy."
Mr. Kulkarni says it is generally easier to protect against external attacks — via the hard layer of the shell — because you know when activity is coming from the outside. Intrusion alerts and abnormal activity automatically signal that something is awry. However, on the inside, care providers with access to information pretty much have free rein over the information system. This, Mr. Kulkarni says, is just the nature of healthcare.
"The medical care has to come first. That's how it should be," Mr. Kulkarni says. "It's the nature of the healthcare business to cater to where patients' lives come first and then come security and other things."
He goes on to say that a clinician is unable to do his or her job without access to patient records, and when a clinician is working with a patient, there should be no trouble accessing the pertinent medical history and information.
It is this need for information to easily flow that poses the threat, because if the information is available and accessible to those internally who need it, it is also available and accessible to those internally with malicious intentions.
"Interoperability is great for patient care and reducing waste, but it brings its own share of security and privacy concerns," Mr. Kulkarni says. "When it comes to insiders, it's much harder [to detect inappropriate activity] as you never know when it's a legitimate access versus inappropriate access. It's very hard to detect whether a nurse is looking at medical information of a patient under her care or just snooping."
That being said, insider and outsider threats in healthcare need to be handled differently. On the outside, the traditional software and services — including GeoIP fencing, smart firewalls and other perimeter techniques — are comparatively easy to use to track and block outsiders, Mr. Kulkarni says.
Blocking insider threats relies more on continuous employee training on the rules, regulations and consequences regarding protected health information. Mr. Kulkarni says a continued effort will over time lead to a compliant workforce. "The enforcement of these policies with the help of fully automated and intelligent tools will continue to bring out the bad apples; many at first, and then the occasional violators surface, and thus the risk continues to diminish," he says.
Mr. Kulkarni continues, "The key problem is that there is no silver bullet."
© Copyright ASC COMMUNICATIONS 2017.