Evolving technologies such as artificial intelligence, connected devices, and virtual assistants are continually simplifying our lives. While they simplify our lives however, they make our technological environments much more complex and difficult to manage and secure. CIO’s have the daunting task of implementing agile cybersecurity and privacy strategies to protect not just their networks but their rich customer data as well. Healthcare CIOs have an even greater burden since experts insist that the cost of a healthcare data breach is still the highest of any industry.
Interestingly, recent reports from Verizon’s 2018 Protected Health Information Data Breach Report (PHIDBR) indicate that 58% of all healthcare breaches involve insiders. This is disturbing especially when many healthcare organizations have repeatedly told us at Nuance, “our devices are only accessible by staff.” The report goes on to show that healthcare is the only industry where insider threats exceed external threats. Further to that HealthcareInfoSecurity reports that there have been 229 data breaches affecting 6.1 million individuals since the start of 2018. It’s imperative that health systems implement the right solutions and best practices to establish security for PHI.
When thinking of security including cybersecurity most organizations focus on their perimeter security — to stop outside threats from entering. The reality is however, that our biggest risk is already inside from employees either through accidental or malicious attacks. As a result, best-in-breed healthcare systems are rethinking their security strategies including managing and monitoring what applications and devices their staff access. Printers and multi-function devices are high on the list given the recent chatter of how vulnerable they are to cyber security breaches.
Shahid Shah, Chief Technology Officer at Citus Health, Inc explained that “security teams spend a lot of their time looking at external threats because we’ve all been taught – across industries – to ensure that proper firewalls are installed, IDS’s are enabled, and that phishing is something we have to care about. What security professionals are not taught about regularly is how insiders, such as those who can escalate account privileges in their EHRs or who have access to lots of Microsoft Office documents with PHI, can be just as more dangerous.” Shah is correct.
Now to tighten their network strategies, many health systems are turning to frameworks such as HITRUST CSF to help guide their security strategies. HITRUST incorporates key elements from a multitude of standards organizations like NIST & ISO among others, in addition to regulatory statutes like HIPAA and agencies such as CMS to name just a few to provide an overarching program that provides governance over technical, administrative, business operations and human capital.
The problem however with insider threat, Shah explained further “is that they are hard to mitigate with just installation of tools – we have to consider all the different ways privileged staff can do damage. While almost any security professional can help with general externally facing threats, we need to train special healthcare security professionals focused on medical, administrative, and clinical workflows that general security personnel cannot catch. If you’re not spending at least 1/3rd of your time and budget on protecting from insider threats, you’re probably more susceptible than you could be.”
Along with the right strategy and frameworks here are 4 factors health systems need to implement when protecting PHI:
Control access across devices
One of the key elements of being able to secure information and the network begins with access controls at the device level. There are many solutions in the market that can provide access controls at an individual function level, like print or scan or fax or copy or maybe a combination of 2 or 3. However healthcare organizations need solutions that control and manage access at the device level across all functions.
Custom and personalized authorization
Healthcare systems need to implement solutions that are not only able to control and manage access to functions of an MFP, but also provide another unique capability such as custom and personalized authorization. Based on a user’s profile and the policies of the organizations, solutions must be able to authorize a user’s access to some or all of the functions of the device. For example, some users may only be allowed to make copies. Others may be able to make copies and pick up print, but not able to scan or fax information.
Mandatory Document Encryption
Health systems must be able to manage the all printed, scanned and faxed documents. These documents hide a wealth of patient information that needs to be protected from deliberate or accidental exposure. Employing solutions that ensure these documents are properly encrypted, recorded for audits, inspected for content restrictions, retained for legal review, and prevented from being sent to undesirable or unintended destinations is critical.
Security and Usability Balance
The best security is a balance between protection and usability. At Nuance we’ve focused on providing an enterprise platform that can secure and optimize document workflows, but in a way that’s also intuitive, flexible and easy to adopt for end users. Change management in healthcare is critical and being able to deploy a solution that accomplishes the technical, administrative and operational goals while also being quickly and easily adopted by the employees, staff and clinicians is what defines a successful project.
To protect their PHI data from externals and especially internal threats healthcare executives must take steps to protect their health systems.