Encryption: How to Set Priorities
A CISO Calls Attention to the Role of Risk Assessments
Expanding the use of encryption is a top breach prevention step for 2013, the Healthcare Information Security Today survey confirms. And when it comes to prioritizing encryption projects, a risk assessment is essential, says Eric Cowperthwaite, chief information security officer at Seattle-based Providence Health & Services.
"Security programs in healthcare, according to the HIPAA Security Rule and the HITECH Act, are supposed to be risk-based, and they are supposed to be appropriate to the size and scope of the organization and the risk the organization faces," Cowperthwaite explains in an interview with HealthcareInfoSecurity about the survey results (transcript below). "So I think we should go with that as the starting point when deciding whether you're going to encrypt your back-up tape ahead of your desktop PCs, as an example."
The CISO predicts that "the default standard practice" is going to be to encrypt any device that "contains patient data and could leave your physical control."
Since 2006, Providence has required that all devices, including laptops, tablets and backup tapes, containing confidential data that leave a Providence facility must be encrypted. In addition, based on a risk assessment, Providence has taken the extra step of encrypting certain desktop devices that were determined to pose a high risk. "So essentially, any desktop that contains patient data that would meet the threshold of having to report [a breach] to HHS if it were stolen has been encrypted," he says.
In the interview, Cowperthwaite also discusses:
- Authentication challenges. "Part of the problem is that folks in the healthcare industry have chosen to have the same authentication approach for all the various use cases, rather than looking at the different use cases, the risks involved, and what will be appropriate to manage and control those risks."
- Why healthcare organizations should look to the knowledge-based authentication experience in online banking for guidance in how to authenticate patients that access records through a web portal.
- Tips for deploying a bring-your-own-device strategy.
As CISO at Seattle, Wash.-based Providence Health & Services, which has 250 clinics and 27 acute care hospitals, Cowperthwaite is responsible for information security governance and risk management efforts. Before joining Providence in 2006, Cowperthwaite was a consultant at EDS. He also worked in a variety of information security positions in the financial sector and the U.S. Army.
Universal Use of Encryption?
MARIANNE MCGEE: When it comes to steps that organizations plan to take this year to prevent breaches, 41 percent mentioned encryption of all mobile devices and removable media, while 35 percent mentioned implementing encryption for all end-user devices. With all the publicity about breaches involving lost and stolen devices, is the healthcare industry finally moving toward more universal use of encryption? What encryption steps is your organization taking?
COWPERTHWAITE: I think the Sutter Health lawsuits that bombarded the healthcare industry about a year ago are a significant catalyst in this whole thing, because it brought to the forefront that this is probably our single biggest security risk from a financial perspective. Sutter Health had a laptop stolen out of an office. It had about 4.2 million patient records on it, and they have a class action lawsuit brought against them for a thousand dollars a record, which amounts to a $4.3 billion class action lawsuit. That's a big deal.
People are thinking about this a lot, especially because of all of the breaches and the Department of Health and Human Services' ... stronger enforcement. ... But then seeing Sutter slammed with a multi-billion dollar lawsuit was a catalyst. So are we moving toward universal encryption? I think we're going to see a continued increasing use of encryption over time. I don't know that universal is the right word, but I think the default standard practice ... is going to be to encrypt any device that contains patient data and could leave your physical control.
Since about 2006, we have required that all devices that leave a Providence facility and contain confidential data be encrypted. Essentially, all laptops, tablets and back-up tapes that go offsite have been encrypted since 2006. What we have done in light of the evolving risk that the Sutter lawsuit brought is we've created criteria for determining risk related to the loss of desktop devices and have encrypted any of those that were determined to pose a high risk to Providence as well. Essentially, any desktop that contains patient data that would meet the threshold of having to report a breach to HHS if it were stolen has been encrypted.
Encrypting Mobile Devices
MCGEE: Our survey also found that 65 percent encrypt information that's sent outside their organization across exposed networks, and 58 percent now encrypt mobile devices. Why aren't those numbers higher?
COWPERTHWAITE: One thing that we ought to think about is the survey included many different types and sizes of healthcare organizations, and I suspect that the small clinics are not doing that sort of thing right off the bat, which, of course, makes sense. You wouldn't expect a clinic that had maybe three physicians and 10 other employees to really be running encrypted e-mail capabilities, mobile device management or any of that. Some of it is about the organization's size and scope, and then I think some of it has to do with the fact that mobile devices as a means of managing and transmitting confidential data are a pretty new thing.
If you think about it, the iPhone, which really revolutionized mobility, only appeared in 2008, and it only became a significant platform being used for computing purposes in the last two years; and not just iPhone, obviously, but also Android-based devices, Microsoft-based devices and so forth. ... We've only been talking about mobility as a significant issue and strategy for the last couple of years. The fact that we're at 58 percent encrypting mobile devices is actually pretty good given all of that.
How to Prioritize Encryption Projects
MCGEE: A smaller percentage of those surveyed are applying encryption to back-up tapes, desktop PCs, mobile storage media and servers. How should organizations go about prioritizing encryption projects?
COWPERTHWAITE: Security programs in healthcare, according to the HIPAA Security Rule and the HITECH Act, are supposed to be risk-based, and they're supposed to be appropriate to the size and scope of the organization and the risk the organization faces. We should go with that as the starting point. Deciding whether you're going to encrypt your back-up tape ahead of your desktop PCs, as an example, should be about the risk that your organization faces.
The first thing we did a couple of years ago when we decided that we needed to move beyond encrypting laptops and tablets was to do a risk assessment around mobile storage devices - the USB thumb drives - back-up tapes, desktop PCs and servers that are housed in Tier 1 data centers. We did an assessment of our risk and that gave us an opportunity to prioritize which of those we should do first, and I think that's what people need to do. Are they more likely to have a significant impact because they have unencrypted mobile storage devices, [such as] the USB thumb drives and one of those gets lost or stolen? Or are they more likely to have a problem because the desktop PC containing all of their patient records was stolen after a bad guy broke the front window of their office? They need to take a look at it and then they can prioritize whether they should be spending time, effort and dollars on their security efforts.
MCGEE: Moving on to another topic of our survey, strong authentication of those who access patient records can play an important role in preventing inappropriate access to confidential information. But the use of authentication beyond username and password is relatively rare, according to the survey. For example, 21 percent are using digital certificates and 16 percent are using one-time passwords with two-factor authentication, such as a token of some sort. Meanwhile, use of biometrics is also relatively rare. What will motivate more organizations to strengthen authentication of clinicians and others who access these records?
COWPERTHWAITE: Before I tackle that, I think I should mention that I think the idea that strong authentication is how we prevent inappropriate access is not necessarily accurate. It depends really on whether we're, in my view and my experience, talking about access that's internal to the organization - [for example], one of my nurses inside the hospital logging onto a workstation that's owned by Providence and is accessing our EMR. That's one use case that we need to think about.
Another use case that we need to think about is a physician who is affiliated with us in some fashion and has access to our medical record system but they're doing so from their own office across the public Internet. [They're] two entirely different use cases and you need to think about what you're going to do in each of those situations. Part of the problem here is that generically, folks in the healthcare industry have chosen to have the same authentication approach for all of the various use cases to patient information, rather than looking at the different use cases, the risks involved and what will be appropriate to manage and control those risks. That's sort of my first set of thoughts.
[My] second set of thoughts, looking at the use of biometrics being relatively rare, we've discovered that biometrics can lead to unintended workarounds. I know of a hospital where they were using proximity devices, which is similar in concept to using biometrics, and it would log you on and off as you approached the workstation. The employees discovered that if they put a Styrofoam cup over the proximity sensor, then they would no longer be logged off every time they walked away from the workstation. So you walk in that hospital and every single workstation has a Styrofoam cup over the proximity sensor. What happens when you use biometrics and proximity sensors or strong authentication is it's painful to your employees and so they find ways to work around it. ... I think that's why we don't see biometrics and that kind of thing with much uptick.
What will it take to get us to strengthen authentication in those use cases where it should be strengthened? I don't think there's been very much evidence presented to healthcare organizations yet that inappropriate access by malicious actors is a big problem - except for internal snooping. We aren't seeing evidence yet that the bad guys are out there trying to break into our EMRs and harvest patient information. Now that may change. If it changes and there are some well-publicized breaches, then we're going to start seeing changing sets of attitudes about this.
MCGEE: The survey also shows that 27 percent of organizations are offering patients access to certain records through a portal, but 35 percent have a portal in the works. As portals become more common, what steps do you think organizations should take to help ensure privacy by verifying patient identity, but without making it too difficult for patients to use the portal? What's your organization doing in terms of developing a portal strategy?
COWPERTHWAITE: I'm not sure that I've actually thought a lot about this personally, primarily because it falls into the realm of some other roles within my organization. But I would say that doing the work that I do, portals require that we do know who [the users] are. The simplest way to do that is probably to have them answer a series of questions that only they should know that we can validate. Our access to our banks' online portals, for example, uses a very similar strategy. I think that we should also be considering looking at what other industries have done when they needed to create customer portals and using their strategies, since they likely have worked the bugs out, have made them effective and found the balance between appropriate security and ease of access. ...
As far as whether we have a portal strategy, yes we're working on a patient portal strategy. We have some things in place already and will have more in place as time goes on. ...
MCGEE: The survey shows that 58 percent of organizations allow physicians and other clinicians to use their personal mobile devices for work-related tasks. Of those that allow use of personal devices, about half of the survey respondents have taken steps to prohibit storage of patient information on the devices, requiring strong passwords, requiring use of automatic timeout and requiring installation of remote-wiping capabilities. When it comes to bring-your-own-device, what do you see as the most important steps to ensure that data is secure?
COWPERTHWAITE: There are really three significant things that you need to do. The first one is you need to decide what you will and will not allow. You need to establish policy. You need to have a policy that says, clearly, "We will allow this; we won't allow this. If we do allow this, then here are the ways that we will protect our confidential information, the ways that we will protect our employees who choose to use their personal devices and the things that we will require of them." You have to do that as a first step, and that really should be a decision made at the most senior levels of your organization. You can't have somebody buried in your technology organization trying to make this decision, when, in fact, most of the people who want to use these devices are administrators. ... You've got to make the decision at a business level and establish policy. That policy needs to be clear cut about what you will allow, who you allow, how you make the decisions and how you protect the organization and the employees.
Number two, you need to then create processes to enable your employees to do what your policy says they can do. If we say that they can have a mobile device, their own personal mobile device, as long as the use of that has been authorized by their manager, then we need to build a process so that they can request it, the manager can approve it and it can be handed over to IT for whatever has to happen. ... You have to have those processes in place.
Lastly, you need a security control set that meets your policy. If you've decided that confidential information can be on those devices so long as they're encrypted, password protected and can be remotely wiped, and the employee understands reporting procedures when the device is lost or stolen - if those are the things that you've decided at a policy level, then you need a set of security controls, technical controls that enforce that policy. How do we make sure that the device is actually encrypted, that it actually has the password, and how do we remotely wipe it in the event that it's lost or stolen, for example? You've got to have those. Just to summarize really quickly: one, establish policy about your BYOD equipment; two, establish processes to implement the policy; and three, establish a set of technical security controls to enforce your policy.
Mobile Device Management
MCGEE: Finally, implementing a mobile device management system ranked among the top three security technology investments for the year ahead. Is such a system becoming more critical as the use of both corporate-owned and personally-owned devices continues to grow so rapidly?
COWPERTHWAITE: Yes, it's more critical, absolutely. If you think about it, in our large hospital system, that's tens of thousands of computers, and they need to have an information management system that allows them to know how many computers they have, where the computers are deployed, who the users of the computers are and when the computer is going to be at the end of its lifecycle and need to be replaced. We have those things for computers already and we discovered we needed those things when we started to have thousands of these devices deployed. We're seeing thousands of mobile devices out there, and in an organization like mine where we have 65,000 employees, 3,000 of whom are employed physicians, and then we have many thousands of affiliated healthcare providers and so forth, we're seeing literally tens of thousands of mobile devices. Having a way to know who has what device, how it's connected to our networks, how it's protected, what sorts of applications are on it, what its lifecycle is ... is very important. That's why people are investing in mobile device management, because otherwise you've spent millions of dollars on these devices and they're supposed to be greatly enabling the business, and yet you don't know how many you have, where they're at or who has them. Mobile device management is a huge issue if you want to enable a mobile workforce and all of the benefits that it entails.
MCGEE: Eric, does your organization have a mobile device management system?
COWPERTHWAITE: We have one. We're in the early stages. We've enabled it against devices that we consider fairly critical and we're in first stages of planning for more widespread use of it.