Healthcare IT on life support - steps to prevent being a victim

Chaos in healthcare

 

  What in the world is going on in the healthcare industry?  Is every institution out there getting laptops, desktops and other devices stolen with patient-sensitive data on them?  Worse yet, how do the thieves know which devices are unencrypted?  This is serious, folks!

 

  I have a Google News "as it happens" alert set up for the phrase "data breach" and lately the number of healthcare-related articles is piling up to an uncomfortable level.  Stolen equipment seems to top the list of transgressions which land a healthcare organization in hot water - so why is it still happening so, so long after we all realized "encrypt the endpoint" was the battle cry of the bewildered IT Security employee?  Let's take a rational look...

 

  First off, a number of these incidents are just employees circumventing the process IT Security has laid out for them.  Much like I did for a very long time (call my endeavor an experiment of sorts), people avoid having their laptops (the mobile endpoints) fully encrypted because it is a hassle and the avoidance is usually easy.  Enforcement often is poorly done, or not done at all ... or in some cases done with waivers that no one looks at once they're filed.  So keeping a laptop full of critical information unencrypted, against corporate IT security policy[1], is manageable even by an untrained idiot.  Let's face it - the sharp end of policy is the enforcement, and when enforcement is a dull stick, people simply don't take it seriously.  I would know.

 

  The problem with circumventing process is that it often lands you, the circumventer of the process, in serious trouble.  Unfortunately, the snowball doesn't stop there ... no, it keeps rolling down the hill and eventually takes a sizeable chunk out of the organization that employs you.  This is called amplification - or as I like to refer to it - amplification of stupidity.

 

  The intelligent healthcare risk manager looked at all the risk in their organization, naturally saw mobile endpoints as the greatest risk, and reached the logical conclusion: encrypt those mobile endpoints.  FDE (or "full disk encryption") encrypts the entire drive so that its contents are unreadable without the decryption key - whether the drive is booted in the laptop or pulled out and mounted elsewhere - with the key normally released by a pre-boot passphrase or the machine's TPM.  Note what FDE does and does not buy you: it protects data at rest on a powered-off or locked machine; a laptop stolen while powered on and unlocked gives the thief everything.  As we've seen lately though, encrypting mobile endpoints is not only a hassle (as I found out) but it's also simply not enough[2].  As in the Sutter Health example, a smash-n-grab of an unencrypted desktop computer (unencrypted, naturally ... since it likely didn't qualify as high-risk) is now turning into what could quite possibly be a game-changer (to quote one healthcare CISO) in the healthcare industry.

 

  So what is going on, exactly?  Look at the UCLA incident where an unencrypted hard drive was stolen during a home invasion[3]!  An incident which probably involved many things going wrong at once - something we rarely account for in risk management - now has UCLA Health System and Sutter Health facing suits that seek in excess of $1,000 per record - which quickly mounts into very, very serious profit-killing numbers.  Oh, right ... the cost of covering the data breach lawsuit (even if it never makes it to actual trial) is still $100 million or so ... and it's not going to come out of thin air!  That cost will likely come from your operating budget, which means everything else suffers big time.

 

 

Collision of several issues

 

  At the heart of the matter right now are a few things that strike me, immediately:

  • poor enforcement of security policy due to little incentive from regulatory requirements
  • unlikely risk-management scenarios playing out
  • inability to identify patient-critical data
  • inability to protect patient-critical data

  What this means to healthcare IT security professionals, CISOs, and risk managers is that the game just got harder.  You've now got a lot more to do, with the same over-extended budget.  You not only have to reach 100% coverage for endpoint encryption on your mobile workstations (this means everyone, including your IT security people and the C-level exceptions), but also run a new project to encrypt desktop computers and other non-mobile devices, and put in place a sound management and strict enforcement policy which ties into compliance auditing - all on the same budget you had just before you started reading this article.  The one shred of good news is that if you work in healthcare IT, odds are your CEO has already heard of these massive liability numbers piling up for his or her competitors and is taking notice - but even if not, you're still going to have an easier time making a case for more money in your bucket.

 

  The two things on the above bullet-list you're probably not going to fix in a heartbeat (pardon the pun) are the inability to identify and protect patient-sensitive data.  Data that goes home with a doctor that doesn't work for you anymore, or a student who works part-time and wants to do work from his or her dorm room ... or the patient data that travels with a specialist doctor between two hospitals in your network - all are at risk for causing your organization severe damage to brand and bottom line.  The good news, if you're a glass-half-full kind of person, is that if you can at least start to identify the patient-critical data, protecting it is much simpler than finding it.

 

 

What to do...

 

  First and foremost, re-run your threat and risk models again.  Wait, you are doing threat-modeling, right?  Look at all possible data 'depot' points and assume that they're compromised (by that I mean by malware, human attackers, or simply lifted from your possession).  If you start at that assumption, your risk models become more costly, more tin-foil hat, but also more sound in the face of modern threats.  Make sure your leadership understands the threats that have presented themselves out in the space, and the likelihood vs. impact models you've mocked up ... this helps get the conversation on an even keel.

 

  Once you've had the conversation with leadership, raised awareness, and re-assessed your exposure - it's time to start doing something about it.  I suggest a 3rd party audit, or maybe even a penetration test for the brave... but remember you're going to have to act upon the findings not just use the 300-page report as a nice paperweight on your book shelf.

 

  This is no joke.  My patient records, yours, and those of all of our loved ones are out there floating around in the various health systems across the globe.  I don't know about you but if forced to choose I'd rather someone steal my financial history over my medical history ... something about a person's medical chart feels more ...personal.  Also remember that at $1,000 per record the precedent is set - how many patient records do you have in your organization?  Do some quick math and compare that exposure against your yearly revenue ... can your organization take the hit?  I'll answer for you - no.
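  To make the "re-run your risk model", "enforce the policy" and "do some quick math" points above concrete, here is an added example that is not part of the original post and not any vendor's tooling.  It audits a constructed device inventory (hypothetical hostnames and record counts, made up for the example) for unencrypted depots with no waiver or an expired one, and then computes breach exposure two ways: the traditional mobile-only model, and the "assume every depot is compromised" model the article argues for.  The $1,000-per-record figure is the one cited in the lawsuits above; treating encrypted depots as carrying no liability is an assumption the example makes for simplicity.

```python
"""Endpoint-encryption compliance check and breach-exposure model over a
constructed device inventory (sample data, not real patient records)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

COST_PER_RECORD_USD = 1_000        # per-record figure the lawsuits cited
AUDIT_DATE = date(2011, 12, 1)     # fixed "today" so results are reproducible


@dataclass
class Depot:
    """One place patient data sits: a device or a drive."""
    name: str
    kind: str                # "laptop", "desktop", "external_drive", "server"
    owner_role: str          # constructed label, e.g. "physician", "ciso"
    records: int             # patient records held
    encrypted: bool          # full-disk encryption in place
    waiver_expires: Optional[date] = None   # None means no waiver on file


MOBILE_KINDS = {"laptop", "external_drive"}

# Constructed inventory; hostnames and counts are hypothetical.
INVENTORY = [
    Depot("LT-0412", "laptop", "physician", 2_300, True),
    Depot("LT-0913", "laptop", "ciso", 150, False, date(2010, 6, 30)),   # waiver nobody revisited
    Depot("LT-1201", "laptop", "student", 800, False),                   # no waiver at all
    Depot("DT-0077", "desktop", "billing", 4_000_000, False),            # fixed asset, never in scope
    Depot("USB-031", "external_drive", "researcher", 16_000, False, date(2012, 12, 31)),
    Depot("SRV-EHR", "server", "it", 4_000_000, True),
]


def policy_violations(inventory, today=AUDIT_DATE):
    """Unencrypted depots with no waiver or an expired waiver.
    Returns a list of (name, reason) tuples in inventory order."""
    out = []
    for d in inventory:
        if d.encrypted:
            continue
        if d.waiver_expires is None:
            out.append((d.name, "unencrypted, no waiver"))
        elif d.waiver_expires < today:
            out.append((d.name, f"unencrypted, waiver expired {d.waiver_expires.isoformat()}"))
    return out


def exposure_usd(inventory, scope, cost=COST_PER_RECORD_USD):
    """Worst-case liability if every depot in scope is lost.
    scope="mobile": the traditional model, laptops and portable drives only.
    scope="all": assume every depot is compromised, fixed assets included.
    Encrypted depots are assumed to carry no liability (a simplification)."""
    total = 0
    for d in inventory:
        in_scope = scope == "all" or d.kind in MOBILE_KINDS
        if in_scope and not d.encrypted:
            total += d.records * cost
    return total


def coverage(inventory, kinds=None):
    """Fraction of depots (optionally restricted to kinds) that are encrypted."""
    pool = [d for d in inventory if kinds is None or d.kind in kinds]
    return sum(d.encrypted for d in pool) / len(pool) if pool else 1.0


if __name__ == "__main__":
    for name, why in policy_violations(INVENTORY):
        print(f"VIOLATION {name}: {why}")
    print(f"mobile encryption coverage: {coverage(INVENTORY, MOBILE_KINDS):.0%}")
    print(f"exposure, mobile-only model:      ${exposure_usd(INVENTORY, 'mobile'):,}")
    print(f"exposure, assume-all-compromised: ${exposure_usd(INVENTORY, 'all'):,}")
```

  Two things the numbers show that the prose alone does not: the CISO's laptop passes a naive "has a waiver" check but fails once waiver expiry is actually evaluated, and the single unencrypted billing desktop - excluded from the mobile-only model - accounts for nearly all of the exposure under the assume-compromised model.  Swap the constructed list for an export from your asset inventory and the same two functions become your compliance and exposure reports.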

 

  Knowing all this - take action, swiftly.  Don't be afraid to ask for help, there are a lot of great resources out there (HP has several in the space) which can help walk you through risk assessments, implementations and answer basic questions if you're a deer in the headlights.  But please, don't be the next victim.

 

 

 

References:

  1. University of Mississippi Medical Center - laptop stolen, 1,500 patients affected
  2. Sutter Health sued over theft of unencrypted desktop computer containing 4 million records
  3. UCLA Health System sued over stolen hard drive during home invasion
  4. Ambulances turned away at Georgia Gwinnett Medical Center "due to computer virus"
  5. CDT blogs on "Impact of a health data breach"
