What is a “Good” Healthcare System?
“A good health system delivers quality services to all people, when and where they need them” (Consortium of Universities for Global Health), at an affordable cost and with proactive, best-practice security controls over e-PHI (electronic protected health information).
An insider threat, or malicious insider, is “a current or former employee, contractor, or business partner who: has or had authorized access to an organization’s network, system, or data, and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems” (Cappelli, D., Moore, A., Trzeciak, R., & Shimeall, T. J., CERT). In the healthcare delivery system, these incidents occur when a provider employee intentionally and maliciously exfiltrates data, or unintentionally violates the policies governing e-PHI use, systems and networks, thereby compromising the confidentiality, integrity, and availability of that e-PHI. Insider users of a healthcare delivery system’s network resources and information are at once its best defense and its foe. “The costs associated with losing, misusing, or abusing this information make insider threats one of the most dangerous (and most common) risks facing” healthcare organizations today (palantir.com).
How do you defend, prevent or protect e-PHI from insider threats? It starts with an exact and complete inventory of the data and resources the healthcare organization holds, who has access to what, and how they are used, stored and moved around the provider’s network. According to Sleeth, J., Bach, P., & Summers, A., “health systems resources are the means that are available to a healthcare system for delivering services to the population. And to be effective and efficient, health system resources must be sufficient, appropriately utilized, managed,” and secured. There are four categories of healthcare system resources: physical capital, consumables, human resources, and e-PHI. In this blog, we are concerned mainly with e-PHI resources.
With the rapid growth of malware and other cyber threats, you might expect insider threat to be one of the least common causes of data breach. Yet Gartner reported that 70% of unauthorized access to data is committed by an organization’s own staff (Beaver, K., searchsecurity.techtarget.com). Cappelli, D., Moore, A., Trzeciak, R., & Shimeall, T. J. observed in their research three patterns and trends by type of malicious activity: insider IT sabotage, theft or modification of information for financial gain, and theft of information for business advantage (CERT). The same study proffered 16 best practices to mitigate (detect, defend against, or prevent) these insider threats. It is appropriate to ask at this point: what are the most common insider threats faced by healthcare providers, and how can they be prevented? In this blog I consider a number of insider threats that are prevalent in the healthcare delivery system:
1. IT sabotage: the use of IT by a healthcare employee to cause specific harm at the healthcare facility. Porter, G. reported that a security guard at a Texas-based hospital used malware on a dozen hospital computer systems and nurses’ workstations to access e-PHI. The insider also installed the remote access program LogMeIn on the hospital’s Windows-based HVAC control system. Although this act of sabotage was prevented, it shows the need for proper background, credit, and security checks before hiring. Ongoing behavior monitoring of employees, to the extent allowed by federal, state and local laws and HIPAA regulations, is imperative.
2. Theft or modification of e-PHI for financial gain: an intern at a Florida-based health care system used a mobile device to take pictures of computer screens containing over 14,000 e-PHI records (names, dates of birth, SSNs, and more), with the intention of eventually engaging in criminal activity. Preventive measures include considering threats from insiders and business associates, monitoring and responding to suspicious or disruptive behavior, enforcing separation of duties, and logging, monitoring, and auditing employee online activities.
3. Sending out medical information via e-mail, instant messaging and mobile devices: patient health records, refill reminders, and personal and financial information are sensitive e-PHI that are prone to insider leakage. This threat can be reduced by the network administrator setting policies and using a network analyzer with keyword filters, attachment-type filters, and client- or server-based content filtering, which can catch or even block sensitive e-PHI from leaving the network. Easier-to-manage perimeter-based or outsourced messaging security solutions, for example behavior-blocking systems (BBS) that provide content filtering and blocking, can also be deployed. The drawback of all of these preventive measures is that they cannot inspect an encrypted message body or attachment, so they function less effectively when messages are encrypted. In addition, a good firewall configuration determines not only what is allowed into the network but also what is let out (Beaver, K., searchsecurity.techtarget.com).
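As an added illustration (not code from the original post or from Beaver’s article), the following Python script applies the kind of keyword and pattern filter described above to constructed outbound messages. It assumes a hypothetical internal mail domain (example-hospital.test) and a simple policy: identifiers such as SSNs, dates of birth or medical record numbers in a message to an external recipient are blocked, clinical vocabulary alone is held for review, and a PGP-armoured or non-text attachment is held for review too, because the filter cannot read it. That last case is exactly the encryption drawback noted above; all sample messages and patterns are invented.

```python
import re
from dataclasses import dataclass, field

# Assumed internal mail domain (hypothetical, not from the original post).
INTERNAL_DOMAIN = "example-hospital.test"

# Identifiers whose presence marks a message as carrying e-PHI.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
DOB_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")
MRN_RE = re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE)
# Weaker signals: clinical vocabulary on its own only warrants review.
KEYWORDS = ("diagnosis", "prescription", "refill", "lab result", "patient")


@dataclass
class Message:
    sender: str
    recipients: list
    body: str
    attachments: dict = field(default_factory=dict)   # filename -> bytes


@dataclass
class Verdict:
    action: str     # "allow", "quarantine" or "block"
    reasons: list


def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def find_identifiers(text: str) -> list:
    hits = []
    if SSN_RE.search(text):
        hits.append("ssn")
    if DOB_RE.search(text):
        hits.append("dob")
    if MRN_RE.search(text):
        hits.append("mrn")
    return hits


def find_keywords(text: str) -> list:
    lower = text.lower()
    return [k for k in KEYWORDS if k in lower]


def is_inspectable(name: str, data: bytes) -> bool:
    """True only if the attachment is readable text without PGP armour."""
    if name.lower().endswith((".pgp", ".gpg", ".asc")):
        return False
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False            # binary or encrypted: opaque to a content filter
    return "-----BEGIN PGP MESSAGE-----" not in text


def filter_message(msg: Message) -> Verdict:
    if not any(is_external(r) for r in msg.recipients):
        return Verdict("allow", ["internal recipients only"])
    identifiers = find_identifiers(msg.body)
    opaque = []
    for name, data in msg.attachments.items():
        if is_inspectable(name, data):
            identifiers += [f"{h} in {name}" for h in find_identifiers(data.decode("utf-8"))]
        else:
            opaque.append(name)
    if identifiers:
        return Verdict("block", identifiers)
    if opaque:   # content unknown: cannot allow on the strength of an empty scan
        return Verdict("quarantine", [f"uninspectable attachment: {n}" for n in opaque])
    keywords = find_keywords(msg.body)
    if keywords:
        return Verdict("quarantine", ["keywords: " + ", ".join(keywords)])
    return Verdict("allow", ["no e-PHI indicators"])


# Constructed sample traffic; names, identifiers and domains are all invented.
SAMPLES = [
    Message("nurse@example-hospital.test", ["pharmacy@example-hospital.test"],
            "Refill reminder for patient John Doe, MRN 00123456."),
    Message("intern@example-hospital.test", ["someone@webmail.test"],
            "Patient list attached. First one: Jane Roe, DOB 04/12/1975, SSN 123-45-6789."),
    Message("clerk@example-hospital.test", ["partner@billing.test"],
            "See attached.", {"records.txt.gpg": b"-----BEGIN PGP MESSAGE-----\n..."}),
    Message("doctor@example-hospital.test", ["colleague@otherclinic.test"],
            "Can we discuss the diagnosis next week?"),
    Message("analyst@example-hospital.test", ["vendor@billing.test"],
            "Spreadsheet attached.", {"export.csv": b"name,ssn\nJane Roe,123-45-6789\n"}),
]

if __name__ == "__main__":
    for m in SAMPLES:
        v = filter_message(m)
        print(f"{m.sender} -> {m.recipients}: {v.action} ({'; '.join(v.reasons)})")
```

The quarantine outcome for the PGP-armoured attachment is the honest answer a content filter can give: it has not found e-PHI, but it has not been able to look either, so the decision has to go to a person or to a policy that allows encryption only through an approved gateway that can inspect before encrypting.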
4. Exploiting e-PHI via remote access software: insiders take e-PHI through off-site access tools such as Terminal Services (TS), GoToMyPC, and Citrix, and such theft is less likely to be caught. A worse scenario is when the remote computer is left unattended, lost or stolen. An effective protective policy is to ensure that “solid share and file permissions are critical, as is OS and application logging. Tighter security controls can also be achieved with many remote access solutions, on certain features and systems access, by monitoring employee usage and behavior in real-time and generating usage logs” (Beaver, K., searchsecurity.techtarget.com). A system or network configuration that decides which features are enabled and which audit trails are kept gives better management, reporting and security controls. Some insider abuse takes place after business hours, so after-hours remote access by remote users needs particular monitoring. Against guessed logins, a strong, hard-to-crack password or passphrase should be required, and hard drive and network encryption should be considered, especially in case these systems or devices are lost. The other consideration is when a healthcare employee leaves service: the preventive security control is to deactivate the employee’s account promptly.
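As an added example (not from the original post or its sources), the following Python script applies the logging and account-deactivation controls from items 2 and 4 to a constructed remote-access log. It flags after-hours logins, logins by accounts whose owners have already left (checked against an assumed HR separation list), and a success that follows a run of failed attempts, which is what a guessed login looks like in the gateway log. The log format, usernames, IP addresses, business-hours window and failure threshold are all invented for the illustration.

```python
import re
from collections import defaultdict
from datetime import date, datetime, time

# Constructed sample VPN gateway log (syslog-like); every value here is invented.
LOG = """\
2016-02-22T08:55:12 vpn-gw auth user=jsmith src=203.0.113.45 result=success
2016-02-22T23:41:03 vpn-gw auth user=bjones src=198.51.100.7 result=success
2016-02-23T02:15:44 vpn-gw auth user=rcontractor src=198.51.100.90 result=success
2016-02-23T09:02:10 vpn-gw auth user=mlee src=203.0.113.12 result=failure
2016-02-23T09:02:31 vpn-gw auth user=mlee src=203.0.113.12 result=failure
2016-02-23T09:02:55 vpn-gw auth user=mlee src=203.0.113.12 result=failure
2016-02-23T09:03:20 vpn-gw auth user=mlee src=203.0.113.12 result=failure
2016-02-23T09:03:42 vpn-gw auth user=mlee src=203.0.113.12 result=failure
2016-02-23T09:04:01 vpn-gw auth user=mlee src=203.0.113.12 result=success
"""

# Assumed HR feed: accounts whose owners separated on the given date and
# should have been deactivated by then.
SEPARATED = {"rcontractor": date(2016, 2, 19)}
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed policy window
FAILED_THRESHOLD = 5                          # failures before a success is suspicious

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")


def parse(log_text):
    """Turn log lines into dicts; lines that do not match are skipped
    (in production, unparseable lines should themselves raise an alert)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                           "src": m["src"], "result": m["result"]})
    return events


def review(events, separated, business_hours=BUSINESS_HOURS, threshold=FAILED_THRESHOLD):
    """Return (user, finding) pairs for successful logins that policy says to examine."""
    findings = []
    failures = defaultdict(int)        # consecutive failures per user, reset on success
    start, end = business_hours
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["result"] != "success":
            failures[user] += 1
            continue
        left = separated.get(user)
        if left is not None and ev["ts"].date() > left:
            findings.append((user, f"login by account separated on {left.isoformat()}"))
        if not (start <= ev["ts"].time() < end):
            findings.append((user, f"after-hours login at {ev['ts'].isoformat()}"))
        if failures[user] >= threshold:
            findings.append((user, f"success after {failures[user]} failed attempts "
                                   "(possible guessed login)"))
        failures[user] = 0
    return findings


if __name__ == "__main__":
    for user, finding in review(parse(LOG), SEPARATED):
        print(f"{user}: {finding}")
```

Note that the separated-account check only works if the HR separation list actually reaches the people who run the log review; the finding for rcontractor is a process failure (the account should not exist) as much as a security event, and the fix is to deactivate the account, not merely to note the login.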
5. Insecure wireless network usage: this may be considered one of the most common unintentional insider threats. With the growing availability of free, unsecured Wi-Fi and of Bluetooth on smartphones and PDAs, and with WLANs in healthcare facilities, public libraries, airports, shopping malls, and hotels, critical e-PHI is put at risk of compromise. Controlling the airwaves outside a healthcare delivery system’s premises is beyond the network administrator’s responsibility; however, secure hot spots can be enabled for Wi-Fi users as a matter of policy. For instance, “a VPN may be used for remote network connectivity, firewalls for PCs connecting to healthcare provider WLAN, and SSL/TLS for all IM (Webmail via HTTPS, POP3s, IMAPs and SMTPs)” (Beaver, K., searchsecurity.techtarget.com). In addition, for enhanced security of e-PHI, appropriate technical controls are needed on the facility’s own WLAN: encryption and authentication (WPA2, or at least WPA, rather than an open network) and logging. Another technical control is the use of directional antennas and reduced transmit power on the access points, so that wireless signals are kept within the building premises.
6. Cloud computing and insider threat in the healthcare delivery system: cloud computing, with its mass of systems and complexity of processes, can offer an insider much cover for criminal activity. The big data stores housing e-PHI present ample potential for theft of information for business advantage. Network administrators can mitigate insider fraud by deploying a robust, layered threat management program.
In conclusion, insiders are the most valuable defensive measure for sensitive e-PHI; at the same time, they are its greatest vulnerability. In personnel security management, best practice is to merge technology with business processes to reach a safe operating ground. This will for some time to come remain a continuum.
References
Sleeth, J., Bach, P., & Summers, A. (2012). Health Systems Resources and Resource Constraints. Retrieved February 26, 2016, from http://www.cugh.org/sites/default/files/content/resources/cugh-health-systems-resources-and-resource-constraints.pdf
Cappelli, D., Moore, A., Trzeciak, R., & Shimeall, T. J. (2009). Common Sense Guide to Prevention and Detection of Insider Threats, 3rd ed., v3.1. CERT, Carnegie Mellon University. Retrieved February 24, 2016, from https://cyberactive.bellevue.edu/bbcswebdav/pid-7726596-dt-content-rid-10880935_2/courses/CIS608-T302_2163_1/cert_common_sense_guide_to_prevention_and_detection_of_insider_threats.pdf
Whitman, M. E., & Mattord, H. J. (2014). Management of Information Security, 4th ed. Boston: Cengage Learning.
Palantir (2016). Insider Threat. Retrieved February 26, 2016, from https://www.palantir.com/solutions/insider-threat/
Beaver, K. (2016). Five Common Insider Threats and How to Mitigate Them (cites Gartner 2015 SIEM report). Retrieved February 26, 2016, from http://searchsecurity.techtarget.com/tip/Five-common-insider-threats-and-how-to-mitigate-them
Porter, G. (2013, September 27). The Insider Threat: A Brief Overview. Retrieved February 26, 2016.