my activity, or when you try to open another line of credit and you see that your credit score has been taking a hit. Many times, it is too late to repair the damage.

In addition to being mindful of protecting patients’ financial futures, healthcare administrators must also appreciate the financial damages cyber attacks can have upon their facilities as well. The Department of Health and Human Services (HHS) has enacted extensive modifications to the Health Insurance Portability and Accountability Act (HIPAA), known as the HIPAA Omnibus rule. Written into the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, this rule created stronger privacy provisions in terms of protected health information (PHI). It also created severe penalties for data breaches ranging up to $1.5 million per incident.

When one considers the enormous weight of these potential fines, the possible long-term damages to patients and the inevitable loss of an organization’s reputation, it’s no wonder C-level executives are becoming more proactive in the planning and execution of cyber attack defense strategies. Too often, however, these efforts are incomplete simply because a thorough examination of a facility’s physical and virtual layout is never conducted.

Know your environment

While hospitals spend a tremendous amount of money and effort to protect themselves from hackers and other criminals, make no mistake: they are prime targets for cyber attacks because they are easy targets. Even though regulations such as HIPAA/HITECH are starting to force the industry to address some exposed areas, there are still some gaps among healthcare organizations that require individualized protection mechanisms to cover their data, their operations and their business functions. One area often overlooked involves access.

“There are lots of ways to enter a hospital’s environment because it can have many points of entry; dealing with multiple payers, multiple types of customers, sometimes over multiple operations sites,” says Goche.

Although many organizations aggressively monitor these access points, they sometimes forget to double their efforts in special areas where critical information resides. Calatayud says, “Awareness and understanding of risk starts with the data. A key first step is identifying where your data lives and having strategies to protect that data. In some cases, part of that strategy of protecting patient data is reducing where that data lives.”

To diminish risk, administrators need to develop schematics that map out where their data lives within their ecosystem. After that schematic is created, special attention should be paid to determining whether or not certain zones contain data redundancies or unnecessary exposures. With this map in hand, administrators can then establish strict credentialing policies and processes for each area containing data and then monitor the behavior within these credentialed locations. To stop at this point, however, leaves your organization vulnerable to one of the most common catalysts for cyber attacks: credential theft.

“Many times if you look at the anatomy of the breach or attack,” Calatayud says, “it’s happened with credential theft, therefore, a lot of organizations focus upon the protection of credentials. That’s a reasonable approach, but to assume from the beginning that a credential is going to get stolen is a more complete line of thought. Facilities can mitigate the risks early on by asking, ‘If a credential at one of our access points is stolen, how do we restrict its usage on our network?’”

Credentials should be developed in such a manner that they can be monitored in real time so that inappropriate activity can be quickly and easily identified.

“Monitoring the activity of credentialed users is vital,” says Calatayud. “Having a good handle on the monitoring of users can create opportunities to detect a potential breach. A lot of this is considered a normalization where you can detect or create patterns around users’ behaviors on your network or on your databases and systems. So if a doctor generally logs in from 9 am until 5 pm and looks at certain records and you see abnormal behaviors, such as a spike in the user logging in during ‘off hours,’ or the level of access that they are using is changing, or the amount of records they are accessing seems abnormal, then you would be able to detect that for further research.”

In terms of protecting against a cyber attack, an accurate map of your users’ behavior within your network is just as critical as an accurate map of your access points and their credentialing standards. To create a more complete defense plan, however, facilities must also develop stronger understandings of the various states in which their data exists.
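
The baseline-and-deviation monitoring Calatayud describes above can be sketched as follows. This is an added example, not code from the article or from any product; the user names, event fields and thresholds are constructed for illustration, and the "usual hours" window is simplified to the earliest and latest hour seen in each user's history.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed audit events: (user, ISO timestamp, access level, records opened).
HISTORY = [
    ("dr_lee", "2014-03-03T09:10", "read", 22),
    ("dr_lee", "2014-03-04T10:05", "read", 25),
    ("dr_lee", "2014-03-05T13:40", "read", 19),
    ("dr_lee", "2014-03-06T16:20", "read", 24),
]
NEW_EVENTS = [
    ("dr_lee", "2014-03-10T09:30", "read", 23),     # matches the baseline
    ("dr_lee", "2014-03-11T02:14", "export", 480),  # off hours, new level, spike
    ("temp_42", "2014-03-11T14:00", "read", 5),     # no history for this user
]

def build_baselines(events):
    """Summarise each user's usual hours, access levels and record volume."""
    per_user = defaultdict(list)
    for user, ts, level, count in events:
        per_user[user].append((datetime.fromisoformat(ts).hour, level, count))
    baselines = {}
    for user, rows in per_user.items():
        hours, levels, counts = zip(*rows)
        baselines[user] = {"hours": (min(hours), max(hours)), "levels": set(levels),
                           "mean": mean(counts), "std": pstdev(counts)}
    return baselines

def score_event(event, baselines, sigmas=3.0):
    """Return the reasons an event deviates from the user's baseline."""
    user, ts, level, count = event
    base = baselines.get(user)
    if base is None:
        return ["no_baseline"]  # unknown credential: send for manual review
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    if not base["hours"][0] <= hour <= base["hours"][1]:
        reasons.append("off_hours")
    if level not in base["levels"]:
        reasons.append("access_level_change")
    # Floor the spread at 1 so a very steady history cannot flag tiny changes.
    if count > base["mean"] + sigmas * max(base["std"], 1.0):
        reasons.append("record_volume_spike")
    return reasons

BASELINES = build_baselines(HISTORY)
for event in NEW_EVENTS:
    print(event[0], event[1], score_event(event, BASELINES) or "ok")
```
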

Calatayud says, “In looking at your ecosystem, you have to understand how data is being handled. It gets back to understanding where your data lives and how it gets accessed. Once you have a good understanding of your data at rest, you can develop your data life-cycle management strategy, which encompasses how the data got there. With data entry, file transfer services, the applications themselves and where the data moves, that’s the data-in-motion side of it; the transit side. That tends to be where people generally have a good focus in terms of security, more on the transit where you hear a lot about encryption. Where people tend to fall short is at understanding data at rest, but it is equally important.”

Many cyber attacks have been no more elaborate in nature than someone walking away with an employee’s thumb drive. Without the proper security measures in place, this type of data at rest is an easy target for nefarious individuals looking for a low-tech opportunity.


While some of the biggest names in business have been exposed as being vulnerable to data theft, most healthcare organizations have been spared the indignity and the painful setbacks caused by cyber attacks. This will not, however, be the case for much longer, as it is only a matter of time before the crime becomes commonplace in the industry. It is vital that organizations develop accurate maps of the points of access, develop and monitor the credentialing processes, and understand where and how their data lives and moves within individual ecosystems. Without these fundamental considerations in place, a facility’s defense is incomplete at best.


Paul Calatayud, Chief Information Security Officer, Surescripts


Matt Goche, Consulting Director, SunGard Availability Services

April 2014 13
