BreachExchange mailing list archives
Mitigating common healthcare cloud IT security issues
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 6 Jun 2014 13:31:11 -0600
http://healthitsecurity.com/2014/06/06/mitigating-common-cloud-healthcare-it-security-issues/

Cyber security threats in the healthcare industry are continually on the rise, and the value of an identity data set is about $50 per patient record. So what can healthcare providers do to avoid these attacks?

If you look at the recent security breach at Ohio's University Hospitals (UH), more than 7,000 patient records containing protected health information (PHI) may have been exposed when an unencrypted hard drive was stolen. The drive was stolen from the vehicle of an employee working for a third-party vendor that was upgrading UH's computer systems. The data included patients' names, home addresses, birthdates, medical record numbers, insurance provider information and health information about specific patient treatment.

In the case of Cottage Hospital, 32,500 patient records were accessible online on an unencrypted server hosted by a third-party vendor. The information included name, address, and date of birth of patients, including diagnosis, lab results, and procedures performed for some patients. The hospital learned that the vendor removed the electronic security device without notifying Cottage.

These breaches are just a sample of what is being reported by organizations. What can we learn from these breaches that we can adopt to carefully scrutinize new third-party cloud providers before hosting employees' PHI and other medical data?

- A lot of these third-party provider assets which store, transmit or process ePHI, such as specialized medical devices, X-ray monitors, dictaphones and other equipment, need to be properly physically secured from patients and other visitors, and sufficient monitoring needs to be in place for overseeing their access and use.

- When you evaluate these third-party providers, it's not just about evaluating the third party's infrastructure controls and reviewing their SSAE16 Type II reports. The devices installed at the consumer's infrastructure need to be evaluated for proper authentication and logging controls. For instance, tablet devices and mobile devices used to check in and onboard patient information need to have proper authentication controls and be physically secured.

- In addition, the onboarding devices need to have proper data-at-rest encryption controls. These devices should strongly encrypt and protect the PHI data from unauthorized use. Ensure that the encryption keys are protected against attacks that might compromise encryption keys in memory. Slapdash security is unwarranted and sloppy, and organizations face a hefty price tag for non-compliance.

- When evaluating healthcare cloud service providers, it's very important to get complete visibility of your data and not just focus on evaluating the third party's primary and backup datacenters. For example, Company A is a benefits plan consultant who has a direct contract with my employer. However, Company A stores data with Company B (health broker), Company C (insurer for Health and Death disability), and Company D (another insurer for Pension plans). It's important to draw lines on the level of due diligence required for assessing the data security risks of these organizations.

Again, the above list is not a comprehensive means of evaluating third-party healthcare providers, but these controls are commonly left unassessed and ignored.

Healthcare fraud and impersonation of medical records is a big concern we need to be cognizant of. If an unauthorized intruder gets hold of this kind of information, they can take the medical benefits, such as requesting medicines, going to the emergency room, impersonating and receiving treatment on behalf of someone else, and receiving all yearly check-ups. The other facet to this is that if employee PHI gets commingled with somebody else's data, this person may end up with some type of a virulent disease that they do not have, and it's going to have an impending and cascading effect on that person.

Data breaches have more to do with simple techniques such as changing passwords, shredding paper records and laptop security, and less to do with advanced hacking techniques. A bigger threat, as we all know, is human error, which can only be mitigated through proper security awareness. We don't need yet another data breach incident to remind us of whimsical security practices. We need a sensible and layered approach to health care security.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients contact us!