If you’re a healthcare CIO or CISO, you already know that cybercriminals are targeting protected health information (PHI). A recent report shows that stolen PHI can sell for as much as $1,000 per record on the Dark Web. The value of patient records has driven a surge of attacks targeting healthcare organizations. 2020 saw a 25% increase in healthcare data breaches, with more than 29 million records exposed. It’s no longer a question of if you will face a breach, but when.
I’ve had hundreds of conversations with healthcare CIOs and CISOs throughout my career, and one of the biggest challenges I’ve heard has to do with preventing PHI breaches. Despite massive spending on cybersecurity tools, organizations are still unable to protect patient data. This, in large part, is driven by the simple fact that the cybersecurity solutions available today are largely adopted from other industries and not designed to work within the complex clinical workflow of the modern healthcare provider. Said differently, conventional cybersecurity is most often designed to protect the infrastructure (i.e., perimeter, network, endpoints, or servers) rather than patient information deep within and across the clinical workflow.
During my time on the Health Care Industry Cybersecurity Task Force, we talked through this issue with protecting PHI in clinical workflow and the need for tools that give visibility into vulnerabilities that everyone knows exist but are extremely difficult to find. Most solutions focus on keeping threat actors out or defending the system (i.e., perimeter or network defenses), rather than identifying and managing the risk to PHI. The high degree of variability in the types of unstructured PHI content (e.g., discharge notes, consults, referrals, etc.) add to the complexity and thoroughness required to better protect PHI.
Better protecting PHI requires better securing the clinical workflow itself, including the devices, applications and individuals that operate inside of it. The actions of clinicians, academic researchers, patients, administrators, and healthcare vendors create a broad range of data vulnerabilities that are hidden within the clinical workflow and outside the purview of existing cybersecurity solutions.
Vulnerabilities in Clinical Workflow
The first priority of a clinician is, and should always be, the health, safety, and well-being of their patients. That said, a clinician’s ability to deliver quality care largely begins with how well their healthcare system secures PHI – and not only PHI, but also the devices, applications, and users that interact with the patient data. Protecting PHI and patient safety requires a more holistic and concerted strategy to better de-risk the various types and kinds of clinical workflow vulnerabilities
The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a set of guidelines to help organizations manage their cybersecurity risks. One of the main guidelines dictates that organizations can protect data by understanding their IT system, user, device and endpoint vulnerabilities. In the context of healthcare, this framework clearly stipulates the need to inventory all assets that are critical to PHI, however, taking inventory of vulnerabilities in a healthcare IT system is extremely challenging.
From shared workstations to unsecured vendor clouds, excessive user privileges, unknown applications and unaccounted thumb drives, the clinical workflow contains an enormous number of hidden vulnerabilities that threaten the privacy and security of PHI. The COVID-19 pandemic fueled a further surge in the number of vulnerabilities due to the rapid adoption of new applications and technology to support remote care. A recent healthcare cybersecurity study found an average of 816 attempted attacks per endpoint in 2020, a staggering 9,851% increase from 2019. In fact, PHI is at risk every time:
– A clinician conducts a virtual patient visit and PHI is accessed on uncontrolled devices and across hyper-connected endpoints on networks with varying IT security standards.
– Files containing PHI are moved to/from a cloud storage application.
– Emails with unencrypted PHI are sent to unknown telehealth vendors.
– Unknown applications are downloaded on a user’s personal device where PHI is accessed or stored.
– PHI is moved to an unknown USB drive.
– PHI is printed on unsecured printers.
The sheer volume and scale of potential PHI exposure during the pandemic will be felt by the industry for years to come. The greatest concern now is what will happen post-COVID when healthcare CIOs and CISOs have limited means to identify the extent of PHI exposure that occurred outside of their purview.
Key Approaches to Securing PHI
Hospital CIOs and CISOs need to be forward-thinking in adopting innovation that will help them to prevent PHI breaches. De-risking PHI is about protection at the endpoint, and more preemptive mitigation at the point of clinical use, well beyond perimeter security. Until CIOs and CISOs can see where PHI is hidden within their growing clinical workflow, how it is being used, who it is being used by, and where it is going, vulnerabilities will continue to go undetected and PHI will remain at high risk of breach. The security strategy for PHI must continuously follow the data wherever it goes, even into the increasingly virtual and decentralized healthcare system.
Traditional cybersecurity solutions designed to secure the infrastructure have fallen short in detecting and identifying issues with PHI, but advancements in machine learning and telemetry open doors to continuously monitor PHI movement in clinical workflows. New technologies in the areas of stream processing and edge machine learning (Edge ML) help assess where PHI is at risk across all endpoints and servers and have only recently become available. The industry needs to use these new technologies to deliver real-time and continuous monitoring, identification and detection of PHI vulnerabilities.
About David Ting
David Ting is the founder and CTO of Tausight, a startup helping hospital CIOs and CISOs better protect patients’ protected health information (PHI) using a more proactive, risk management philosophy. Previously, David co-founded Imprivata and built the technology behind the OneSign solution used extensively in healthcare. In 2016, he was appointed by the U.S. Department of Health and Human Services to the Health Care Industry Cybersecurity Task Force.
