There is a lot of buzz around the security of our personal information as of late. Every day it seems we hear about another new “breach”. Target, Anthem, the US Government…
The C-Suite faces new risks that their predecessors never had to face. Managing the plethora of threat vectors, from external phishing scams to malicious insider attacks, is a daunting task for any CIO.
The healthcare industry specifically has become the target of hackers, malicious actors, and snooping employees. A recent study by the Ponemon Institute estimates that more than 90% of the healthcare organizations represented in the study had suffered a data breach, at an average cost of around $2.1 million per breach; an expensive proposition. Similarly important, but more difficult to measure, is the loss of trust that comes with a breach.
While the healthcare industry has some of the toughest regulations due to the value of information contained within its environment (e.g. the average medical record on the black market is now valued at 10x that of a credit card), it is unclear if hospitals are doing enough to protect their data.
Take for instance the hit that Jackson Health took a couple of weeks ago over the leak of NFL player Jason Pierre-Paul’s private health information. While there is likely to be a fine and an audit by the Office for Civil Rights, the PR hit from what appears to be a negligent employee looking to make headlines, or worse, to make money from their position, is devastating. (To be clear, we don’t know the full story yet, and may never know the exact motivation behind such actions.)
The Ponemon study highlights employee negligence as the number one concern regarding the security of their organizations. Negligence can mean many things, from a lost laptop to a snooping employee. While well-known technologies exist to help manage physical security threats (e.g. encryption), few mechanisms are available to ensure the appropriate use of patient data by employees or to ensure that outsiders acting under the guise of an insider are not present.
Managing employee negligence requires a combination of IT security and compliance expertise. While much focus has been given to IT security over the years, CIOs will be increasingly challenged to think of ways to ensure their compliance offices operate effectively. Compliance officers work tirelessly to ensure rules and regulations are followed through training sessions, but they are often understaffed and overworked, and lack technology to automate tasks that are currently manual. Going beyond “best practices” to actively providing feedback and education to deter future negligence is an important next step.
One specific challenge is that of monitoring employee accesses to ensure appropriate use of data. Monitoring employee accesses has proved especially difficult in electronic medical record (EMR) systems because of their open access environments. Open access allows any employee to obtain any patient’s record (while some exceptions exist, we find this construction to be the norm). Access permissions are granted broadly because blocking an emergent and appropriate access may result in patient harm. US legislation requires all EMR accesses to be logged, but currently little is done to monitor and search through the millions of accesses produced weekly.
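As an added illustration of what monitoring those logged accesses can look like (this is example code, not Maize Analytics’ platform), the snippet below checks each constructed EMR access log line against a constructed encounter table, flagging accesses by a department with no treatment relationship to the patient and employees looking up their own record. The log format, the encounter table, the employee-to-patient mapping and the two-day grace window are all assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real records): a few EMR access log lines
# in the form "timestamp,user,role,department,patient_id".
ACCESS_LOG = """\
2015-07-20T08:15:00,u101,nurse,cardiology,p500
2015-07-20T09:02:00,u102,physician,oncology,p500
2015-07-21T14:30:00,u103,clerk,billing,p777
2015-07-22T22:45:00,u101,nurse,cardiology,p777
2015-07-23T11:00:00,u104,nurse,emergency,p500
"""

# Constructed encounter table: (patient, department, first day, last day).
ENCOUNTERS = [
    ("p500", "cardiology", "2015-07-19", "2015-07-22"),
    ("p500", "emergency", "2015-07-23", "2015-07-23"),
    ("p777", "billing", "2015-07-01", "2015-07-31"),
]

# Constructed mapping of employees who are also patients (self-lookup check).
EMPLOYEE_PATIENT_ID = {"u101": "p777"}

def has_treatment_relationship(dept, patient, when, grace=timedelta(days=2)):
    """True if `dept` treated `patient` within `grace` days of `when`."""
    for pid, edept, start, end in ENCOUNTERS:
        if pid != patient or edept != dept:
            continue
        first = datetime.fromisoformat(start) - grace
        # `end` is the last day of the encounter, so the window runs to the next midnight.
        last = datetime.fromisoformat(end) + timedelta(days=1) + grace
        if first <= when < last:
            return True
    return False

def flag_suspicious_accesses(log_text):
    """Return (log line, reason) pairs for accesses lacking a clinical justification."""
    flagged = []
    for line in log_text.splitlines():
        ts, user, role, dept, patient = line.split(",")
        when = datetime.fromisoformat(ts)
        if EMPLOYEE_PATIENT_ID.get(user) == patient:
            flagged.append((line, "employee accessed own record"))
        elif not has_treatment_relationship(dept, patient, when):
            flagged.append((line, f"no {dept} encounter for {patient} near {ts}"))
    return flagged
```

Run on the constructed log, the oncology access to p500 and u101’s access to their own record p777 are flagged; the three accesses covered by an encounter are not.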
A lack of access monitoring creates a huge compliance and security gap for the C-Suite. With attacks from external and internal actors alike becoming more sophisticated, organizations must deploy monitoring technologies to bridge that gap and keep up with modern day threats.
Some have argued that monitoring tools are not frequently deployed due to a lack of technological advances in the space. Connecting millions of data points to create meaningful and contextual information that identifies suspicious activity is implausible without technology. Rule- and signature-based approaches no longer do enough in this sophisticated environment; the C-Suite must seek out big data processing technologies to manage the massive amount of data produced daily.
What is next for the future CIO when it comes to data security? It is, and will continue to become, harder to prevent breaches of their organizations. Therefore, the more proactive organizations can become regarding risk assessment, monitoring, and remediation, the better the chance they’ll have of finding problems before they become attacks on the organization.
Maize Analytics provides healthcare organizations with a state of the art EMR access monitoring platform to reduce risk up to 95%.