Ramping Up HIPAA Training
Security Awareness Key to Breach Prevention
Healthcare organizations need to provide more meaningful education on key information security issues, says Daniel Berger, CEO at Redspin.
Better training is an essential step because so many major breaches have been caused by human error, such as skipped security steps or lost devices, Berger stresses in an interview with Information Security Media Group about the survey results (transcript below). But too often, he says, healthcare organizations are offering annual HIPAA compliance training that's little more than going through the motions. "It's not detailed enough in terms of security," he contends.
"We'd like to see dedicated IT security training courses to raise the awareness that security extends to mobile devices; security extends to e-mails; security extends to not clicking on a suspicious e-mail..." Berger says.
The new survey also shows that about one-third of healthcare organizations have not conducted a risk assessment in the past year. Berger says annual updates pave the way for mitigating emerging risks.
"Providers of all types are in the midst of a massive transformation from paper-based systems to electronic health records," he notes. Plus the use of mobile devices is skyrocketing. "Change itself always introduces new risks," he adds.
In the interview, Berger also:
- Calls on healthcare organizations to scan their networks more frequently to identify and then remediate risks. "It's going to become more important over time as incidents of hacker attacks increase."
- Stresses the need to address the surge in use of mobile devices by adopting new policies, security controls and training/awareness programs. "Organizations will gain much more policy compliance if they are actually involving their employees in policy setting."
- Discusses effective approaches to security training.
Berger is president and CEO at Redspin Inc., an IT security assessment company based in Santa Barbara, Calif. The company offers "Meaningful Healthcare IT Security," a suite of services to help healthcare organizations meet and maintain HIPAA compliance while fulfilling the security risk analysis requirement for "meaningful use" under the EHR incentive program. Most importantly, Redspin helps safeguard PHI from data breaches. Berger was directly responsible for deploying Redspin's IT security risk analysis methodology at about 100 hospitals in the past two years. He is a frequent speaker and blogger on healthcare IT security. Before joining Redspin, he spent 25 years in the global networking industry, holding senior sales, marketing and general management positions in companies ranging from the Fortune 500 to ground-floor start-ups.
Conducting Risk Assessments
HOWARD ANDERSON: The survey shows that about one-third of healthcare organizations have not conducted a risk assessment within the past year, even though federal authorities advise annual updates. Why is it so important to conduct an assessment annually?
DAN BERGER: If I had to answer that in one sentence, I would say keep pace with change. There has really never been a more dynamic time period in terms of healthcare IT than right now, and providers of all types are in the midst of a massive transformation from paper-based systems to electronic health records. Legacy systems are being replaced. New applications are being deployed, including some web-based applications or even software-as-a-service applications. It's the proliferation of new devices - more laptops in use, iPads, tablets, smart phones.
The backdrop is that when you've got that much change, change itself always introduces new risks. We think it's more important than ever to conduct a security risk assessment. If you haven't done so, do one in short order and then continue to do them on a fairly frequent basis. For those who have yet to do one in the past several years, a reason or rationale that I often hear is that, "We're just about to deploy X, Y, Z new application," or, "we're just about to do an upgrade to our EHR system and then we're going to do the risk assessment." The fallacy in that is that things are always changing, and there's always that one more thing you're going to be doing next. All that time you spend in anticipation of getting it all in order is really a time frame in which you're running a great deal of risk.
ANDERSON: Are there emerging risks that some organizations might be overlooking in their risk assessments?
BERGER: ... We don't think that healthcare organizations scan their networks frequently enough. Part of that's a resource issue and a technical expertise issue, because even when they do, they tend to lack the resources to analyze the results and then prioritize remediation activity according to risk. Not only do we strongly recommend that this kind of work be outsourced to expert companies - whether it's Redspin or others - we think it's going to become even more important over time as incidents of hacker attacks increase. ... It's starting to catch on a bit in the industry as continuous vulnerability assessment and remediation, where the scans are running quarterly, monthly or semi-annually - they're at regular intervals. And the results of those are then looked at and changes are made where they can be made. They're compared to past scans and you're also able to detect new threats. We think that process is somewhat overlooked right now. It's not so much that they're emerging risks that they're overlooking. It's just that without doing a very good job of continuous vulnerability management, you're susceptible to new risks that may arise from hacker groups.
Mobile Device Security
ANDERSON: One of the biggest perceived security threats the survey shows is the growing use of mobile devices. The majority of the organizations we surveyed say they allow clinicians to use personal mobile devices for work-related purposes. What are the key mobile device security issues that need to be addressed?
BERGER: This is such an important area. We have to tell you we've heard everything from organizations that have a policy that says, "Thou shall not connect mobile devices to our network," to, "Yes, we allow our employees to connect and we don't yet have a policy." Ultimately, we don't think either of those approaches is workable long-term.
Another thing we hear very frequently is that while we have mobile devices attached to the network, everything is going to be fine once we install our mobile device monitoring system. But again, today's MDM solutions are imperfect at best, but they're also very costly, and costly not just in dollars and cents, but also the implementation and monitoring resources you need to dedicate to them for them to be effective. You get a situation where ... the risk is now in saying, "We're going to have a solution based on an MDM product next year." [It] just won't cut it for protecting yourself from the risk today.
The way we advise our clients to look at mobile security is we consider it three related issues. It's an issue of policy, it's an issue of controls and it's an issue of security awareness. We think these three things actually are almost interlocking in their relevance to creating an environment where mobile devices can be used securely in the workplace. Certainly, there are some policies that need to be dictated from kind of an autocratic basis, or from the top down - policies like which platforms the organization is prepared to support; what technologies are required, such as encryption, remote-wiping, sandboxing; what's required if you're going to use these in the workplace?
But aside from those types of top-down edicts, we find that organizations will gain much more policy compliance if they're actually involving their employees in policy setting and, even in some cases, policing. Part of that means that unlike a lot of other types of security policies where they're set by IT or a compliance group and employees are told to ... abide by it, in the mobile case, particularly as you move into people who are bringing their own devices to work, where they feel a certain sense of ownership over the device and don't want to be told what to do and what they can't do with that device, it's very important to have a much more open dialogue between employees and the various compliance departments and IT into what's a workable policy. It's helpful to both the employee and the organization for people to be able to use their own devices and to be able to use mobile devices. It's cost-savings in some cases. There's efficiency. There's ease of use. People love to be able to do it from an employee standpoint. ... So it does require an approach that takes both sides into account to jointly formulate what the policy should be.
BYOD: Security Precautions
ANDERSON: What are some of the best security precautions to take when accommodating the bring-your-own-device trend in particular?
BERGER: We would like to say an ounce of prevention is worth a pound of cure. In our case, we think an ounce of education is worth a pound of enforcement. Once there's a BYOD policy established and you have made it clear what is and what is not allowed, I think you've got to be ever-present on people's minds. There should be internal training seminars on this topic fairly regularly and on a consistent basis, whether you do that through some sort of web-training, posters, workshops or training seminars. Even simple things: We find that when the average worker is bringing their iPhone to work and wants to use it for work purposes, oftentimes even some of the built-in security controls on the individual phones aren't set, and really that's more of a matter of people aren't actually even aware how they could be set or that they're there to be set. Once you've made it clear that this is our policy, this is what's supported and this is what is and what isn't allowed, I think then the approach from IT is, "Now how do we help you secure your phones? What can we do from a training perspective, from an educational perspective and support perspective to make sure that your use is secure, protecting both you and the organization?"
Ramping Up Privacy, Security Training
ANDERSON: Speaking of training, ramping up training on privacy and security issues is the No. 1 step organizations plan to take to help prevent health data breaches, our survey showed. What are some of the other key topics that such training should address, and what are the most effective ways to offer the training?
BERGER: I was delighted to see that ramping up training on privacy and security made No. 1 this year. It's the single most important thing that healthcare organizations can do to prevent data breaches. If you look at any of those statistics over the past three and a half years, you'll find that at the heart of almost two-thirds of the breaches is some sort of human error or human oversight ... devices that are stolen or lost, things that people have just neglected to do that are fairly obvious in terms of security. What we find in healthcare organizations is almost all of them have HIPAA training as a general generic training course on an employee's first date of hire. They usually go through HIPAA training as part of their new hire orientation. It's typically refreshed maybe every year, but I would call that HIPAA training "light." It's not detailed enough in terms of security, particularly IT security in 2013.
We'd like to see dedicated IT security training courses to raise the awareness that security extends to mobile devices. Security extends to e-mails. Security extends to not clicking on phishing-attempt e-mails or suspicious e-mails at work. Security extends to not posting something that could be personally identifiable information or, even worse, protected health information on your Facebook page, even if you thought that it was for a good purpose. There's a lot of education to be done that will ultimately pay off big time in terms of return on investment as compared to getting into an OCR [HHS Office for Civil Rights] resolution agreement and possibly incurring breach penalties.
As far as most effective ways of offering training, I think you've got to take an "all-of-the-above" [approach]. We think that training is most effective when it's offered in context, and there are lots of clever mechanisms for doing that today. There's web-based training. It's more curriculum-based. But there are also reminders that can be set up, screen-savers that can reinforce certain messages, even good old offline stuff like posters in the hallway. I think it's just a bit of a constant reminder that security is really job one when it comes to protecting PHI.