The COVID-19 pandemic has had a tremendous ripple effect across all industries, with one of the most impacted being healthcare. Providers have had to quickly adapt to supporting patients ‘virtually’ in a secure manner, while simultaneously developing procedures to support accurate reporting to government organizations. These changes have placed added pressure on security and privacy professionals, as they struggle to keep up with urgent demand.
Mature healthcare organizations already have stringent policies and procedures in place to remain compliant with government regulatory requirements (i.e., HIPAA, HITECH Act, etc.) and protect patients’ privacy. However, with the new focus on telehealth, unprecedented patient growth, and strict regulations on reporting, the key threats healthcare security and privacy teams need to be able to detect are also evolving:
- Unauthorized access to patient data by employees
- Patient data snooping (by employees, family members, co-workers, etc.)
- Compromised records (unusual access patters – new locations, multi-location access, etc.)
- Failed logins and download spikes
- Terminated or dormant user accounts being used to gain access
- Accessing discharged patient records or deceased patient records
Identifying these threats and uncovering suspicious patterns or activities, however, is no easy feat. Most security monitoring solutions cannot integrate with and consume electronic medical records (EMR) in a usable format. As a result, these solutions have limited out of the box content, leaving a majority of threat detection engineering to the security operations teams, which are already overwhelmed. Legacy security tools are no longer cutting it, as they use rule-based security event monitoring methods that do not account for the need to protect patient data privacy required by regulations such as HIPAA, HITRUST, and GDPR. They also lack the ability to protect patient data from insider threats, advanced persistent threats, or targeted cyberattacks.
Successfully monitoring patient data privacy must focus on two key entities: the employees accessing records and the patients whose records are being accessed. Organizations need to be able to visualize and correlate events across these entities and throughout the IT infrastructure and EMR applications to detect suspicious patterns while adhering to reporting and compliance mandates.
Monitoring EMR applications is crucial to detect and prevent suspicious activity that may lead to data compromise. However, this can be a cumbersome process. Given that nearly all EMR records contain patient data information, organizations must maintain the confidentiality of this data while enabling security monitoring. Unfortunately, most traditional SIEMs do not provide solutions to this problem. As a result, organizations are forced to intermix sensitive patient data with other IT data, risking compliance violations.
To achieve these goals in the near term, there are five crucial areas where healthcare security and privacy teams need to focus attention:
1. Remote Access Protocol: Like all other industries, healthcare organizations must now grant remote access to a large percentage of their workforce. As they migrate workers to remote access these organizations must address logistical challenges such as ensuring IT support can keep up with requests and implementing multi-factor authentication.
2. Security Training: Organizations must make sure that their employees are abreast of the unique challenges that accompany working remotely and associated security best practices (i.e., security hygiene, secure internet connections, strong vs. weak passwords, signs of phishing attacks, etc.)
3. Critical App Exposure: Typically, critical applications containing electronic health records are not exposed to the internet without very rigid security controls. However, with the need to share and access more information via apps, strict security is more critical than ever before.
4. Use of Personal Devices: Many organizations do not issue corporate devices to all their employees. Therefore, there is a greater security risk as workers are being permitted to use their personal devices to access critical systems.
5. User Monitoring and Detection: Identity activity patterns are vastly different as employees adapt to the new normal. As a result, prospective attack vectors have changed drastically. Monitoring and detecting new patterns of human and non-human identities must happen quickly in order to adapt to the new reality and detect attacks.
With the entire world experiencing unprecedented changes, we must learn to adapt quickly and strategically. New threat patterns will emerge, but it is crucial to remain vigilant about all activity and access occurring across IT infrastructure. Stringent regulations and ethical codes of conduct also mean that organizations need to be more vigilant about protecting patient data privacy than ever before.
The constantly evolving data landscape makes it hard to differentiate new and normal, from malicious and threatening. Healthcare organizations need to assess their security posture, ensuring that they have proper tools in place to accurately analyze and correlate events across the IT infrastructure and electronic records. Only with access to this full picture will they be able to detect any suspicious patterns and ultimately protect patient data.
Sachin Nayyar is the CEO of Securonix, a company redefining Next-Gen SIEM using the power of big data and machine learning. drives the vision and overall business strategy for Securonix. Built on an open Hadoop platform, Securonix Next-Gen SIEM provides unlimited scalability and log management, behavior analytics-based advanced threat detection, and automated incident response on a single platform.
Prior to Securonix, Nayyar served as the founder & CEO of VAAU where he led the company from conception to acquisition by Sun Microsystems. Following the acquisition by Sun, Sachin served as the Chief Identity Strategist for Sun Microsystems where he led the vision and strategy for the Sun security portfolio. Sachin is a renowned thought leader in areas of risk, regulations, compliance, identity/access, and governance and speaks frequently at professional conferences and seminars.