Keeping Health Data Safe in the Cloud: Assessing Risks, Averting Breaches
Big health data keeps getting bigger. In addition to the terabytes of data electronic health records (EHRs) generate, wearable devices have entered the mainstream healthcare consumer market, producing even more massive volumes of data. While this yields many positives, the reality is that few healthcare organizations have the resources to monitor every access point into their networks that house this valuable data—much of it sensitive, protected health information. Even if they did, it would likely be at the expense of innovating new applications for better patient care and outcomes. To that end, an increasing number of organizations are turning to managed cloud security partners to create a “healthcare-managed cloud” where protected health information (commonly referred to as “PHI”) is stored, secured and in many cases, de-identified for intensive analytics work.
However, handing this data off to a cloud provider doesn’t absolve the data owner of the responsibility to secure it. Actions are required from both the data owner and the cloud partner to safeguard PHI. But first things first: is healthcare data even safe in the cloud? What cyber threats exist in the cloud—and how best to address them?
Personal health data is under attack
Between external and internal threats, last year over 113 million health records were breached in the United States alone. Seemingly no organization is invulnerable to a breach, whether the data resides in a community hospital’s database, a massive government agency like the U.S. Department of Health and Human Services or in the human resource files of a national restaurant chain. If that last example gave you pause, consider that just about every industry handles personal health data. What’s more, a full 90 percent of industries have reported experiencing breaches of this data.
Of course, many of these industries aren’t subject to the Healthcare Information Privacy and Portability Act (HIPAA), although they presumably are vulnerable to being sued and having their reputations damaged in the event of a breach. Those healthcare organizations, considered “Covered Entities” and their suppliers, sometimes considered “Business Associates” under HIPAA, on the other hand, are subject to all the associated liabilities, fines and other costs of mitigating a breach. That said, the biggest damage is done to the victims whose personal health information is now exposed and exploited for financial gain by cyber thieves who make a living off fraudulent medical identity scams. And make no mistake, these miscreants are constantly testing any and all access points to PHI.
How cyber criminals get in, how to keep them out
Decades after the invention of email, there are still countless people gullible enough to click links and open attachments in what should be plainly suspicious emails. As such, “phishing” and other social engineering attacks are among the most common methods cyber criminals use to invade a network with some truly scary malware, up to and including ransomware that can take all of your data and keep you from ever using it again. This is a particularly challenging issue to address and involves behavioral changes and process and access controls, along with a hardened IT ecosystem. It’s important to track how often human error creates data risk exposure, and devise processes aimed at avoiding such errors. This includes documenting each incident that exposes the organization to risk, and training employees on how to avoid those risks.
Additionally, and wherever possible, access to information and applications should be established using profiles and security groups, which limit access based on job type and job function. During the process of implementing a new cloud application, for example, security groups would be developed and implemented prior to the production go-live date for the application. It is particularly important to implement procedures for the authorization and supervision of workforce members who work with electronic PHI (ePHI) or in locations where it might be accessed. Authorization is the process of entitling a user (or a computer system) with the right to access certain data, and carry out certain activities, such as reading a file or running a program. Working alone or with a managed cloud security partner, organizations should identify the logical data flows of PHI, and then focus efforts to defend all systems in and around that flow. This includes deploying multifactor authentication, strong password enforcement, intrusion detection and prevention, regular system activity reviews, among other core areas of protection.
In summary, limit employees’ access to only the minimum amount of data needed to perform their jobs, and even then, limit access to systems the employee has no need to use.
Training cannot be ignored either. Train your workforce thoroughly on the safe use of Internet resources, social engineering patterns and defense tactics. A security awareness training program that addresses the HIPAA Security Rule administrative, technical and physical safeguards is strongly recommended. And above all, make it easy for your employees to report suspicious behavior.
The emerging risk of compromised medical devices
The “Internet of Things” increasingly includes medical devices and the software that powers them. Most of these “Things” use common web interfaces, and sadly, many healthcare providers that purchase these devices fail to change default access settings. This allows hackers to break into the devices or the EHRs and other systems to which the devices feed data. After considering the most important impact, which is the health of the patients, the aftermath of a device breach could be fatal to the patient, and nearly catastrophic to the device manufacturer and healthcare provider, as well, with federal and state regulators stepping in to impose harsh fines, and plaintiffs’ lawyers presenting their demands.
To prevent a breach, a comprehensive information security management system should be in place to address security, privacy and compliance. It should emphasize a defense-in-depth, multi-layered approach to protecting data that addresses devices (both mobile and medical), physical storage network infrastructure, application, server, data and user security. Such a plan is also a strong prevention strategy against ransomware.
Cloud Security: The Real Deal
There’s no way around it: proper security measures require extensive resources, and these aren’t abundant in many healthcare organizations. Cloud services offer an alternative, and comfort levels with the cloud are indeed rising. However, there still exists a certain amount of skepticism around cloud security. Mark Kadrich, Chief Information Security and Privacy Officer at San Diego Health Connect and author of Endpoint Security, states this skepticism is unfounded. “I can think of ten really significant breaches within the last six months, and none of them had anything to do with the cloud,” he says. “As is the case with on-premise server, device, and network security, cloud security is dependent on who’s implementing it.”
While the cloud has a different architecture than on-premise hosting models, security principles remain consistent. The cloud has an important advantage, though: security expenses are allocated among many customers, which reduces the overall security cost to the data owner. Economies of scale are such that even small cloud workloads can benefit from enterprise-grade security solutions and services priced in a pay-as-you-go model. This, along with the ability to automate and orchestrate cloud resources using code instead of people, has revolutionized the way PHI can be protected.
In fact, many cloud data solution providers are now more security-centric than their on-premise counterparts.
Working with a healthcare cloud services vendor: the critical first steps
Experience shows the most effective starting point is for organizations to define business strategies and needs, to review existing technology delivery capabilities, and to assess which applications may be candidates for cloud deployment. Then, a thorough risk assessment should be performed with the data as the foundation of the analysis. If patient data is involved, the assessment should focus on PHI security and include a thorough review of IT infrastructure, processes and protocols, physical security, and administrative safeguards. A complete assessment should also include an inventory of PHI owned or managed by the Covered Entity or the Business Associate.
After performing the assessment, an able cloud services partner can provide and manage many of the security controls needed to close the gaps exposed in the risk assessment. Broadly speaking, these activities should address measures to control and protect access, detect and respond to breaches, ensure that backups are restorable, and that all HIPAA Security Rule requirements are addressed. Look for services or tools that can help you specifically address items such as:
- Data encryption
- Application security
- Identity and access management
- Configuration management for operating systems, networks and firewalls
- Client-side and server-side data encryption
- Network traffic protection
- Log management
- Monitoring and alerting
- Data backup and restoration
- Incident management
Continuous vigilance: The security basic for stopping even “sophisticated” attacks
Cyber criminals are always looking for a vulnerability in the healthcare organization’s network. A cloud services partner with an exclusive focus on protecting PHI will deny them an opportunity to find one. The value of such a partner’s constant efforts to defend against persistent threats at all layers of defense cannot be overstated. Judging by the frequently long stretches of time between a breach and its discovery, many organizations are unable to keep up with such vigilant efforts. In the highly regulated, highly defended environment of a top-tier cloud services partner, by contrast, all access can be restricted and documented right down to the user, application, and file, with unauthorized access attempts immediately detected.
Cyber criminals want your data. As the cloud continues to become a viable solution for so many healthcare challenges, remember that a trusted managed cloud service partner focused on healthcare can be an incredibly valuable ally in the fight.
About the author
Chris Bowen is responsible for ClearDATA’s defense-in-depth approach to cybersecurity and privacy by design. He manages the risks and business impacts faced by global healthcare organizations, with a specific focus on cyber threats, privacy violations, security incidents, social engineering attempts, and data breaches. He is a Certified Information Privacy Professional (CIPP/US) and Certified Information Privacy Technologist (CIPT) from the International Association of Privacy Professionals, and Certified Information Systems Security Professional (CISSP) from (ISC)2. As one of the U.S.’ leading experts on patient privacy and PHI security, Bowen has authored dozens of articles and is a frequent speaker at healthcare industry events. Most recently, he presented at HIMSS16, the Data 360 conference, Start-X-Med: Stanford Inaugural Conference, Workgroup for Electronic Data Interchange (WEDI) Annual Conference, AHLA Health Information and Technology Practice Group, to name a few.
Originally published August 2016 by The Journal of mHealth in Cyber Security in Healthcare Briefing.