BreachExchange mailing list archives

Mitigating common healthcare cloud IT security issues

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 6 Jun 2014 13:31:11 -0600

http://healthitsecurity.com/2014/06/06/mitigating-common-cloud-healthcare-it-security-issues/

Cyber security threats in the healthcare industry are continually on the
rise and the value of an identity data set is about $50 per patient record.
So what can healthcare providers do to avoid these attacks?

If you look at the recent security breach at Ohio’s University Hospitals
(UH), more than 7,000 patient records containing protected health
information (PHI) may have been exposed when an unencrypted hard drive was
stolen. The drive was stolen from the vehicle of an employee working for a
third-party vendor that was upgrading UH’s computer systems. The data
included patients’ names, home addresses, birthdates, medical record
numbers, insurance provider information and health information about
specific patient treatment.

In the case of Cottage Hospital, 32,500 patient records were accessible
online on an unencrypted server hosted by a third-party vendor. The
information included patients' names, addresses and dates of birth and, for
some patients, diagnoses, lab results and procedures performed. The
hospital learned that the vendor had removed the electronic security device
without notifying Cottage.

These breaches are just a sample of what is being reported by
organizations. What can we learn from them that will help us carefully
scrutinize new third-party cloud providers before hosting employees' PHI
and other medical data with them?

- Many of the third-party provider assets that store, transmit or process
ePHI, such as specialized medical devices, X-ray monitors, dictaphones and
other equipment, need to be properly physically secured from patients and
other visitors, and sufficient monitoring needs to be in place to oversee
their access and use.

- When you evaluate these third-party providers, it's not just about
evaluating the third party's infrastructure controls and reviewing their
SSAE16 Type II reports. The devices installed in the consumer's
infrastructure need to be evaluated for proper authentication and logging
controls. For instance, tablets and mobile devices used to check in and
onboard patient information need proper authentication controls and must
be physically secured.

- In addition, the onboarding devices need proper data-at-rest encryption
controls. These devices should strongly encrypt and protect PHI data from
unauthorized use. Ensure that the encryption keys are protected against
attacks that might compromise them in memory. Slapdash security is
unwarranted and sloppy, and organizations face a hefty price tag for
non-compliance.

- When evaluating healthcare cloud service providers, it's very important
to gain complete visibility into where your data goes, rather than focusing
only on the third party's primary and backup datacenters.

For example, Company A is a benefits plan consultant with a direct
contract with my employer. However, Company A stores data with Company B
(a health broker), Company C (an insurer for health and death/disability
coverage) and Company D (another insurer, for pension plans). It's important
to draw lines on the level of due diligence required for assessing the data
security risks of each of these organizations.

Again, the above list is not a comprehensive means of evaluating third-party
healthcare providers, but these controls are commonly left unassessed and
ignored.

Healthcare fraud and impersonation using medical records is a big concern
we need to be cognizant of. If an unauthorized intruder gets hold of this
kind of information, they can consume the victim's medical benefits:
requesting medicines, going to the emergency room, receiving treatment under
someone else's identity, and using up all of that person's yearly
check-ups.

The other facet to this is that if an employee's PHI gets commingled with
somebody else's data, that person's record may end up showing a serious
disease that they do not have, and that will have an impending and cascading
effect on them.

Data breaches have more to do with simple safeguards such as changing
passwords, shredding paper records and securing laptops, and less to do with
advanced hacking techniques. A bigger threat, as we all know, is human error,
which can only be mitigated through proper security awareness. We don't
need yet another data breach incident to remind us of whimsical security
practices. We need a sensible, layered approach to health care security.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/