Encryption grows as an important line of defense

As security risks multiply, making data unreadable is key to protecting patient information.

Health Data Management - THE OPIOID CRISIS - By Joseph Goedert

Ransomware. Malware. Phishing attacks. Medical device vulnerabilities. Hackers probing for network gaps.

These are among the consistent challenges for healthcare IT and security executives. With so many gambits to access systems, protecting data has become paramount. The use of data encryption software is a powerful weapon in that regard, but one that’s used on a fragmented basis.

Healthcare organizations have multiple information systems and not all of them are encrypted, so the organizations remain unprotected, says Will Long, chief information security officer at Children’s Health in the Dallas area with three hospitals and 35 sites of care. “A lost laptop not encrypted still is one of the biggest causes of a data breach.”

As providers face more security challenges, they’re taking a fresh look at encryption technology.

Encryption 101

Encryption encodes data so only authorized personnel can access the data with a decryption key.

There are three primary ways encryption protects data, says Keith Fricke, principal consultant at twSecurity, a consulting firm. The first way is data in motion, under which data is encrypted as it moves across a network from one system to another. Data at rest means a file is encrypted or the disk storage on which data resides is encrypted. The third option is database encryption, which converts data in a database into plain text format using a secret code.

Encryption can and should be widely deployed, experts say. For example, all USB thumb drives in an organization should be encrypted, Fricke advises. Healthcare organizations should make sure that encryption put on employee laptops is seamless, with the encryption tied to the user’s login on the laptop. If an employee logs in and tries to open a file, the encryption system should decrypt and show the file.

However, encryption is not a panacea for data protection—it won’t cure all of an organization’s security ills, notes Sean Murphy, vice president and chief information security officer at Premera Blue Cross. However, it is a foundational protection strategy.

“Much like HIPAA is just the floor for a mature information protection strategy, encryption is a baseline standard for data at rest and in transit,” Murphy explains. “You really cannot make an operational or clinical argument against encryption of data with the sophistication of cypher technologies and computational power these days.”

The effectiveness of encryption is best viewed from a defense-in-depth approach, he continues. Encryption by itself makes it harder for an adversary to gain access, but that’s just a start. “You need robust identity and credential protection, and monitoring as well,” says Murphy. “Without these controls, encryption is ineffective, because a stolen credential could allow unauthorized access because the correct decryption keys are present.”

Murphy increasingly is focusing attention on encryption of text messages and SMS messaging from one phone to another phone. As patients and other customers are adopting or demanding more mobile apps for communication, Premera developers are providing tools to put information and care where members are. “That interaction may involve sharing protected health information so protection of the data in transit is required, as we do for traditional email communications.”

Finding a safe harbor

Large healthcare entities are more likely to use encryption because a big breach can be so difficult and expensive to resolve, and any breach can impact many patients, says Linn Freedman, chair of the data privacy and cybersecurity team at the Robinson & Cole law firm.

If an encrypted laptop, desktop computer or other device is stolen or lost, the organization does not need to notify patients or the HHS Office for Civil Rights, which regulates the breach notification rule, Freedman explains. It is as if the incident never happened. The same is true under most state laws, she adds, so larger organizations use encryption for risk reduction. That’s based on the premise that a hacker can’t decipher and use encrypted data.

But there is a caveat, Freedman notes. “Hackers still can use phishing emails, so unless the organization has every bit of data encrypted, hackers can get in through email.” Then, a hacker can not only get health information but finance and payroll data as well.

“Encryption is getting to the point where it is absolutely necessary, especially with mobile devices,” says Heather Roszkowski, network chief information security officer at University of Vermont Health Network. “To pick the right encryption, understand what you want the product to do, such as cover email, mobile devices or information systems. Talk to other organizations using the encryption being considered and ask how difficult it is to deploy and the level of user satisfaction. We also switch vendors as the network becomes more complex if we need to.”

Erik Decker, chief information security officer at the University of Chicago Medicine, works for a provider that has sophisticated individuals and resources to make the organization less susceptible to attackers. He worries about smaller shops that don’t have the resources to match the threat level.

That’s why Decker is leading a task group working with the Department of Health and Human Services to develop cybersecurity guidance, including proper use of encryption, for hospitals and practices of all sizes. But not everyone is getting the message.

Some small organizations believe they are too small to be attacked, Decker says. They don’t appreciate the potential impact if they are attacked and lack protection from encryption and other security tools.

“We’re trying to raise the level of awareness for small and medium practices and show them how an incident would relate to their own practices,” Decker explains.

That said, encryption is important but it’s not a silver bullet, he adds. “There are a lot of different types of encryption and some do nothing, so be careful about what you are buying.”

Filling gaps

It is easy for a provider, insurer or vendor that uses encryption to become complacent and fail to see big holes in its security posture.

For example, a hard drive at a hospital may be encrypted, and the information it holds is protected. But if an employee’s computer does not have antivirus software, opening a Word or PDF file can infect other files on the network.

“Once you boot up the operating system, malware is just another piece of software scrambling your files,” Long says.
