If you are a CIO or CISO of health, you already know that cybercriminals point to protected health information (PHI). A recent report shows that stolen PHI can be sold for up to $1,000 per record on the dark web. The value of patient records has led to an increase in attacks on healthcare organizations. In 2020 he saw a 25% increase in health data breaches, with more than 29 million records exposed. It is no longer a question of whether he will face an offense, but of when.
I’ve had hundreds of conversations with health CIOs and CISOs throughout my career, and one of the biggest challenges I’ve heard has to do with preventing PHI breaches. Despite massive spending on cybersecurity tools, organizations are still unable to protect patient data. This is largely due to the simple fact that the cybersecurity solutions available today are largely adopted by other industries and are not designed to operate within the complex clinical workflow of the modern healthcare provider. In other words, conventional cybersecurity is more often designed to protect infrastructure (i.e., perimeter, network, endpoints, or servers) rather than patient information inside and across clinical workflow.
During my time in the cybersecurity working group in the healthcare industry, we talked about this issue about the protection of PHI in the clinical workflow and the need for tools that give visibility to vulnerabilities that everyone knows which exist but which are extremely difficult to find. Most solutions focus on keeping actors out of threats or defending the system (i.e., perimeter or network defenses), rather than identifying and managing PHI risk. The high degree of variability in the types of unstructured PHI content (e.g., discharge notes, queries, referrals, etc.) adds the complexity and thoroughness needed to better protect PHI.
Better protection of PHI requires better security of the clinical workflow itself, including devices, applications, and people operating on it. The actions of physicians, academic researchers, patients, administrators, and healthcare providers create a wide range of data vulnerabilities that are hidden within the clinical workflow and outside the realm of existing cybersecurity solutions.
Vulnerabilities in the clinical workflow
A doctor’s first priority is, and should always be, the health, safety, and well-being of his patients. That said, a physician’s ability to provide quality care begins largely with the way his or her healthcare system insures PHI, and not just PHI, but also the devices, applications, and users that interact with it. with patient data. PHI protection and patient safety require a more holistic and concerted strategy to better reduce the risk of different types and types of clinical workflow vulnerabilities.
He Cybersecurity framework of the National Institute of Standards and Technology (NIST). provides a set of guidelines to help organizations manage their cybersecurity risks. One of the main guidelines is that organizations can protect data by understanding the vulnerabilities of their computer system, user, device, and endpoint. In the context of healthcare, this framework clearly stipulates the need to inventory all assets that are critical to PHI, however, making an inventory of vulnerabilities in a healthcare IT system is extremely difficult.
From shared workstations to clouds of insecure vendors, excessive user privileges, unknown applications, and unknown memory drives, the clinical workflow contains a large number of hidden vulnerabilities that threaten the privacy and security of your device. PHI. The COVID-19 pandemic pushed for a further increase in the number of vulnerabilities due to the rapid adoption of new applications and technologies to support remote care. A recent cybersecurity study found an average of 816 endpoint attack attempts in 2020, an impressive increase of 9,851% over 2019. In fact, PHI is at risk every time:
– A physician performs a virtual visit of the patient and accesses the PHI on uncontrolled devices and through hyperconnected endpoints in networks with different computer security standards.
– Files containing PHI move to / from a cloud storage application.
– Emails with unencrypted PHI are sent to unknown telehealth providers.
– Unknown applications are downloaded to a user’s personal device where PHI is accessed or stored.
– PHI moves to an unknown USB drive.
– PHI is printed on insecure printers.
The large volume and scale of potential PHI exposure during the pandemic will be felt by the industry over the next few years. The biggest concern now is what will happen after COVID-19 when health CIOs and CISOs have limited means to identify the extent of PHI exposure that occurred outside their domain.
Key approaches to securing PHI
Hospital CIOs and CISOs need to be advanced in adopting innovations that help them prevent PHI violations. Reducing the risk of PHI consists of end-point protection and more preventive mitigation at the point of clinical use, far beyond perimeter safety. Until CIOs and CISOs can see where PHI is hidden within their growing clinical workflow, how it is used, who uses it, and where it is going, vulnerabilities will remain undetected and PHI will continue. with a high risk of default. . The security strategy for PHI must continually track data wherever it goes, even in the increasingly virtual and decentralized healthcare system.
Traditional cybersecurity solutions designed to protect infrastructure have not detected and identified problems with PHI, but advances in machine learning and telemetry open the door to continuously monitor the movement of PHI in clinical workflows. New technologies in the areas of flow processing and cutting-edge machine learning (Edge ML) help assess where PHI is at risk at all endpoints and servers and are only recently available. The industry needs to use these new technologies to provide continuous, real-time monitoring, identification, and detection of PHI vulnerabilities.
About David Ting
David Ting is the founder and CTO of Tausight, a startup that helps hospital CIOs and CISOs better protect patients’ protected health information (PHI) through a more proactive risk management philosophy. David previously co-founded Imprivata and created the technology behind the OneSign solution that is widely used in healthcare. In 2016, he was appointed by the U.S. Department of Health and Human Services to the cybersecurity working group in the healthcare industry.