


by George Grachis, CISA, CISSP, Maxis360

Cyber risk management in healthcare

Mar 06, 2015
Data and Information Security, Data Breach, Risk Management


If you are a risk manager in healthcare, you face the same challenges as any other Internet-connected business. For example, we are all familiar with the Target and Home Depot data breaches.

The fact is that every industry that connects to the Internet is subject to the same risk. What really matters, regardless of industry, is this: what is your organization’s risk appetite? The 2014 Verizon Data Breach Investigations Report covers 1,367 confirmed data breaches and 63,437 security incidents, drawn from 95 countries and 50 contributing organizations. Finance and retail led the intrusions by a huge margin, but healthcare is in high-growth mode: between the business need to push more data online for efficiency and the Affordable Care Act, it’s all about electronic records.

You will do this, ready or not. After all, it’s 2015 and everything is online. The problem is that in our quest to have access to all our information anywhere, anytime, we forgot to consider the risk of doing so.


To make things worse, the people pushing us to do it now, whether from the business side or the federal government, are not considering that risk either. In 2009 Leonard Kleinrock recalled for CNN the birth of the Internet. On Oct. 29, 1969, for perhaps the first time, a message was sent over the network that would eventually become the Internet. Kleinrock, a professor of computer science at the University of California-Los Angeles, connected the school’s host computer to one at Stanford Research Institute, a former arm of Stanford University. That was over 40 years ago.


Kleinrock: There’s a very dark side to the Internet, which we’re all familiar with. It started with a worm in 1988, and it became spam in 1994, and now we have pornography, we have denial of service [attacks], we have identity theft, we have fraud, we have things like botnets [pieces of software that cyber thieves use to remotely and secretly control your computer], which really worry me. One of the problems of the Internet is that we didn’t install what I like to call strong user authentication or strong file authentication. We didn’t anticipate the level of the dark side we see today. The culture of the early Internet was one of trust of all the users.

So what we are saying here is that the Internet was not designed to be secure; if anything, it was designed for openness rather than security. So what did we do, starting in the 1980s? We pushed everything we had online: e-commerce, electronic banking, 24-hour online shopping, medical records, our children’s educational records and, yes, military secrets. Every single one of these sectors has suffered major losses. F-35 stealth fighter secrets were reported stolen in 2013 via a cyber-intrusion. The plans for Marine One, the president’s helicopter, were compromised via file sharing at a contractor. JPMorgan Chase took a major hit this past year, and Sears, UPS, Target, Home Depot and Sony were also in the news.

Community Health Systems, Inc. experienced the largest healthcare data breach of the year when it announced toward the end of the summer that Chinese cyber criminals had penetrated its computer network with malware between April and June 2014. The hackers compromised 4.5 million patients’ data, including names, addresses, birth dates, telephone numbers and Social Security numbers. Mandiant, which investigated, stated that this group usually goes after intellectual property.

Healthcare breaches climbed 138 percent. Consider 29.3 million, the number of patient health records compromised in HIPAA data breaches since 2009, or 138 percent, the jump in the number of health records breached in 2013 compared with 2012.

Lisa Gallagher, senior director of privacy and security for HIMSS, speaking at the 2012 Boston Privacy and Security Forum, said that somewhere between 40 million and 45 million patient records have actually been compromised. The number can’t be confirmed, as the data isn’t all there, she added, but it’s a more accurate figure based on healthcare organizations’ reporting. Moreover, of the 90,000 complaints HHS’ Office for Civil Rights (OCR) received in 2013, some 5,447 went unresolved. Although the office boasts a 94 percent success rate for resolving cases, some 53,000 of those cases may have been closed because OCR lacked jurisdiction or the complaint was untimely or withdrawn, not because no HIPAA violation occurred.

Many of these breaches, officials say, can be easily avoided through regular risk analysis and updated company policies. “By combining device scanning with an understanding of workflow, policies, and procedures, you get a more complete picture of what is actually happening in your environment,” Redspin officials wrote in the report. “From there you can implement a remediation plan that significantly lowers your risk of breach.”

I regularly perform HIPAA and other business-sector IT audits and risk assessments, and I have also served as a chief security risk officer. Throughout my career, whether as a consultant or as a cyber-risk manager, I keep seeing the same things over and over.

First, the CEO is often unaware of the risk of doing business online. The Department of Homeland Security has published an excellent list of five cybersecurity questions for CEOs. I have worked for companies as a risk manager reporting to IT and was unable to share this list with the CEO, because doing so would have caused a direct confrontation with IT.

Having Security & Compliance report to the IT department is one of the biggest issues I have seen; it often prevents cyber risk management from taking place at all. It’s the fox guarding the henhouse.

ISACA and KPMG have weighed in on this, and it’s clearly an issue. ISACA states: “Information security is not only a technical issue, but a business and governance challenge that involves adequate risk management, reporting and accountability. Effective security requires the active involvement of executives to assess emerging threats and the organization’s response to them.” And: “To achieve effectiveness and sustainability in today’s complex, interconnected world, information security must be addressed at the highest levels of the organization, not regarded as a technical specialty relegated to the IT department.” (ISACA, Information Security Governance, 2nd edition)

Number 2: organizations are simply not aware of their compliance obligations, or are just not doing the work.

The 2014 Verizon PCI Compliance Report found that only 11 percent of companies passed all 12 PCI DSS requirements. That report covers PCI, not HIPAA, but the trend is the same wherever we look, excluding the financial sector. The financial sector is highly regulated, and this seems to make a big difference: it’s the most attacked, because it’s where the money is, and it’s the best at compliance. But as I have said before, compliance is the minimum! So it’s unfortunate that we can’t even get everyone on board here; no wonder cyber criminals enjoy such easy access to so many organizations.

Let’s define compliance versus security. As I put it in the Nov. 17 issue of Fortune (“How Frank Blake kept his legacy from being hacked”), “Compliance is backward-looking and static, and security is forward-looking, dynamic, and intelligent.” Compliance is the foundation for security; it’s the minimum.

Number 3: just where are organizations failing on compliance? Policies are not in place. I’m talking about a cyber-security policy, an acceptable use policy, a remote access policy, a wireless access policy and a BYOD policy, to name a few. Policy sets the stage: it tells everyone that the CEO gets it and that all users play a critical role in properly managing risk within the organization. This includes your vendors. Remember that Target’s breach came in through a vendor.

We see very little penetration testing. Shore Break Security’s Mark Wolfgang advocates continuous penetration testing: if you are attacked quarterly, then test and scan quarterly; if, like most organizations, you are attacked daily, then test and scan daily. This is a game changer, and companies need to look closely at it; it’s a sure win for our side!

We also see too many administrator accounts, and too many users with rights above and beyond what they need to do their jobs, a violation of the principle of least privilege. We see poor passwords and little or no user security awareness training. Humans are usually the weakest link, and cyber criminals constantly exploit this by sending a phishing email to an unsuspecting user who is willing to click on that malicious attachment or link.
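The least-privilege problem above is one you can measure rather than argue about: compare what each account actually holds against what its job role is entitled to, and count who holds admin rights. The script below is an added example written for this page, not the author’s or any vendor’s tool. The role names, entitlement names, the CSV export shape and every account in it are constructed; a real review would feed it an export from the directory or IAM system and a baseline agreed with the business.

```python
import csv
import io

# Role baseline: the entitlements each job role is allowed to hold.
# Roles, entitlement names and the export below are constructed for this example.
ROLE_BASELINE = {
    "nurse":    {"ehr_read", "ehr_write"},
    "billing":  {"ehr_read", "billing_read", "billing_write"},
    "helpdesk": {"password_reset", "workstation_admin"},
    "sysadmin": {"domain_admin", "server_admin", "workstation_admin"},
}

# Entitlements that grant administrative control; excess here is high severity.
ADMIN_ENTITLEMENTS = {"domain_admin", "server_admin", "workstation_admin"}

# Constructed account export in the shape a directory or IAM dump might take.
SAMPLE_EXPORT = """\
user,role,entitlements
jsmith,nurse,ehr_read;ehr_write
rlee,nurse,ehr_read;ehr_write;billing_write
tgarcia,billing,ehr_read;billing_read;billing_write;domain_admin
mpatel,sysadmin,domain_admin;server_admin;workstation_admin
contractor1,,workstation_admin
"""


def parse_export(text):
    """Yield (user, role, entitlement set) for each row of the CSV export."""
    for row in csv.DictReader(io.StringIO(text)):
        entitlements = {e.strip() for e in row["entitlements"].split(";") if e.strip()}
        yield row["user"].strip(), row["role"].strip(), entitlements


def review_access(text, baseline=ROLE_BASELINE, admin=ADMIN_ENTITLEMENTS):
    """Return (findings, admin_holders).

    findings: one dict per account that holds more than its role's baseline
    allows, or that has no recognised role (so no baseline can justify any
    of its rights). admin_holders: every account holding an admin
    entitlement, so the reviewer can judge whether that headcount is defensible.
    """
    findings, admin_holders = [], []
    for user, role, ents in parse_export(text):
        if ents & admin:
            admin_holders.append(user)
        if role not in baseline:
            findings.append({"user": user, "severity": "high",
                             "issue": "no recognised role",
                             "entitlements": sorted(ents)})
            continue
        excess = ents - baseline[role]
        if excess:
            findings.append({"user": user,
                             "severity": "high" if excess & admin else "medium",
                             "issue": "entitlements beyond role baseline",
                             "entitlements": sorted(excess)})
    return findings, admin_holders


if __name__ == "__main__":
    findings, admins = review_access(SAMPLE_EXPORT)
    print(f"{len(admins)} accounts hold admin rights: {', '.join(admins)}")
    for f in findings:
        print(f"[{f['severity']}] {f['user']}: {f['issue']} -> {', '.join(f['entitlements'])}")
```

Run on the constructed export it reports three admin holders and three findings: a nurse who has picked up a billing right, a billing clerk holding domain admin, and a contractor account with no role at all. The last case is the one self-assessments tend to miss, because an account with no owner has no baseline anyone is checking it against.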

Number 4: technology. Remember that, as a minimum, you have a managed firewall, an intrusion prevention/detection system, anti-virus on all devices, a web filtering appliance, an email filtering appliance and a sandbox device such as FireEye or Fortinet technology. Sandboxing is now needed to combat zero-day exploits: it detonates suspicious files and catches the malware used by advanced persistent threats that signature-based firewalls and anti-virus can’t detect or block. We constantly see outdated or unmanaged firewalls, or nobody looking at any device logs. Stay away from any product that claims to be a magic bullet; they will say: “this will solve all your security and compliance issues.” It’s never that simple.

Number 5: risk assessments. When they are mandated by law they are often done, but not always in a manner that actually reduces risk. Sometimes organizations self-assess; this is a good first step, but when checking your own work you will always miss what an independent audit can find. Make sure you are looking at the actual risk to the data you plan on protecting. If you don’t know where the data is, how can you assure that it’s protected? You can’t!
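Knowing where the data is starts with looking for it, and for healthcare the Social Security number is the field most worth finding outside the systems meant to hold it. The scanner below is an added example for this page, not the author’s or any product’s code. It applies the Social Security Administration’s structural rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) plus two well-known never-issued numbers to cut false positives, and masks what it finds so the report is not itself a leak. The file paths and contents are constructed; `load_directory` is a small helper added here for running it against a real share.

```python
import re
from pathlib import Path

# Hyphen- or space-separated SSN shape; unseparated 9-digit runs are left out
# deliberately because they collide with too many other identifiers.
SSN_RE = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")

# Famous never-issued numbers that show up in test data and sample forms.
KNOWN_INVALID = {"078-05-1120", "219-09-9999"}


def is_plausible_ssn(area, group, serial):
    """Apply the SSA structural rules so obvious non-SSNs are not reported."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:   # areas 000, 666 and 900-999 never issued
        return False
    if g == 0 or s == 0:                 # group 00 and serial 0000 never issued
        return False
    return f"{area}-{group}-{serial}" not in KNOWN_INVALID


def mask(area, group, serial):
    """Report only the last four digits so the scan output is not itself a leak."""
    return f"***-**-{serial}"


def scan_documents(docs):
    """docs: {path: text}. Return {path: {"count": n, "samples": [...]}} for files with hits."""
    report = {}
    for path, text in docs.items():
        hits = [mask(*m.groups()) for m in SSN_RE.finditer(text)
                if is_plausible_ssn(*m.groups())]
        if hits:
            report[path] = {"count": len(hits), "samples": hits[:3]}
    return report


def load_directory(root, suffixes=(".txt", ".csv", ".log")):
    """Read text files under root into the {path: text} shape scan_documents expects."""
    root = Path(root)
    return {str(p): p.read_text(errors="ignore")
            for p in root.rglob("*") if p.is_file() and p.suffix.lower() in suffixes}


# Constructed file contents standing in for what a file-share crawl might return.
SAMPLE_DOCS = {
    "shares/billing/claims_2014Q3.csv":
        "patient_id,name,ssn,amount\n"
        "1001,Doe J,123-45-6789,250.00\n"
        "1002,Roe R,987-65-4320,80.00\n"      # area 987: not a real SSN
        "1003,Poe E,321-54-9876,40.00\n",
    "shares/hr/onboarding_template.txt":
        "Use 078-05-1120 as the sample SSN on the form; ticket 000-12-3456.\n",
    "users/rlee/Desktop/notes.txt":
        "Call back patient re denied claim, SSN 456 78 9012, DOB on file.\n",
    "shares/it/router-config.txt":
        "interface Gi0/1\n ip address 10.20.30.40 255.255.255.0\n",
}

if __name__ == "__main__":
    for path, info in scan_documents(SAMPLE_DOCS).items():
        print(f"{path}: {info['count']} likely SSN(s), e.g. {', '.join(info['samples'])}")
```

On the constructed sample it flags the billing export (two real-looking numbers, the third rejected by the area rule) and the note on a user’s desktop, and stays quiet on the HR template and the router config. The desktop hit is the point: data outside the systems in scope of the risk assessment is exactly what a self-assessment of those systems cannot see.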

Number 6: this is cyber security at its best. If you are doing one through five, then you are likely compliant. Now it’s time to concentrate on that dynamic and forward-looking area called security. Reach out to information sharing organizations like US-CERT or the FBI InfraGard program; they allow you to get out of the silo and plug into what’s happening in other organizations, sharing attack intelligence and methods of protection. It’s like a neighborhood watch for your cyber business operations. Look at Splunk and similar technologies that apply data analytics to your logs to detect indicators of compromise that could slip through everything else you have in place.
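Two of the points above, that nobody is reading the device logs (Number 4) and that shared indicators plus analytics catch what the appliances miss (Number 6), come down to the same thing: run detection logic over the logs you already have. The script below is an added example written for this page, not the author’s tooling and not how Splunk or any specific product implements this. The firewall log format is constructed (real firewalls differ, so the regex is the part to adapt), the watchlist is a constructed stand-in for indicators you would receive from US-CERT, InfraGard or a feed, and the scan thresholds are assumptions. It detects two things a firewall itself will not tell you: an outside host walking through your ports, and an inside host talking to a watchlisted address, with an allowed connection ranked above a blocked one because that traffic actually got out.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed key=value log shape; real firewalls differ, so this regex is the
# one piece to adapt. Lines that do not match are skipped rather than fatal.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>allow|deny) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)

# Address space treated as "inside"; adjust to the real network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed watchlist standing in for shared indicators (TEST-NET-2 address).
IOC_IPS = {"198.51.100.23"}

# Constructed sample: one external port walk, two contacts with the watchlisted
# address (one allowed, one blocked), one external host retrying a single port.
SAMPLE_LOG = """\
2015-03-01T02:14:07Z fw01 action=deny src=203.0.113.7 dst=10.0.5.20 dport=21 proto=tcp
2015-03-01T02:14:08Z fw01 action=deny src=203.0.113.7 dst=10.0.5.20 dport=22 proto=tcp
2015-03-01T02:14:08Z fw01 action=allow src=10.0.5.20 dst=10.0.9.9 dport=53 proto=udp
2015-03-01T02:14:09Z fw01 action=deny src=203.0.113.7 dst=10.0.5.20 dport=23 proto=tcp
2015-03-01T02:14:10Z fw01 action=deny src=203.0.113.7 dst=10.0.5.20 dport=80 proto=tcp
2015-03-01T02:14:11Z fw01 action=deny src=203.0.113.7 dst=10.0.5.20 dport=443 proto=tcp
2015-03-01T02:14:12Z fw01 action=deny src=203.0.113.7 dst=10.0.5.20 dport=3389 proto=tcp
2015-03-01T02:20:31Z fw01 action=allow src=10.0.5.44 dst=198.51.100.23 dport=443 proto=tcp
2015-03-01T02:21:02Z fw01 action=deny src=10.0.5.51 dst=198.51.100.23 dport=8080 proto=tcp
2015-03-01T02:25:00Z fw01 action=deny src=203.0.113.9 dst=10.0.5.20 dport=22 proto=tcp
2015-03-01T02:26:00Z fw01 action=deny src=203.0.113.9 dst=10.0.5.20 dport=22 proto=tcp
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Turn matching log lines into event dicts with a real timestamp and int port."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def detect_port_scans(events, min_ports=5, window=timedelta(seconds=60)):
    """Flag an external source denied on >= min_ports distinct ports inside one window."""
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "deny" and not is_internal(e["src"]):
            by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):          # sliding window anchored at each deny
            ports = set()
            for e in evs[i:]:
                if e["ts"] - first["ts"] > window:
                    break
                ports.add(e["dport"])
            if len(ports) >= min_ports:
                findings.append({"type": "port_scan", "severity": "medium", "src": src,
                                 "ports": sorted(ports), "start": first["ts"].isoformat()})
                break                            # one finding per source is enough
    return findings


def detect_ioc_contacts(events, iocs=IOC_IPS):
    """Flag any internal host contacting a watchlisted address; allowed beats blocked."""
    return [{"type": "ioc_contact",
             "severity": "high" if e["action"] == "allow" else "medium",
             "src": e["src"], "dst": e["dst"], "dport": e["dport"],
             "action": e["action"], "ts": e["ts"].isoformat()}
            for e in events if e["dst"] in iocs and is_internal(e["src"])]


def analyse(text):
    events = parse_log(text)
    return detect_port_scans(events) + detect_ioc_contacts(events)


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['type']}: {f}")
```

Every one of the sample denies was, from the firewall’s point of view, a success: it blocked the packet. Only correlation across lines shows the port walk, and only an external watchlist turns an ordinary allowed HTTPS connection into the highest-severity finding in the set. That is the gap between having the appliances and actually reading what they log.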

Besides the fact that the Internet was not designed to be secure, we moved everything we had onto it without considering the risk. To make matters worse, we don’t always get a communication path to the CEO; all too often we try to push enterprise risk management from the bottom up, especially if the IT department is in charge of a part of it, like cyber security. IT security is about managing IT devices in the IT department; it does not, by itself, cover managing and securing all corporate data. It is corporate governance and data governance that enable a chief risk officer to manage risk across the enterprise, working with all departments including IT, but not reporting to them. It must start with the CEO!

Finally, the 2014 SANS report on the state of cyber security in healthcare highlights the challenges ahead.

“This past year (2014) brought heightened recognition that health care information and health care identity are worth money—and that the bad guys can and will launch cyber-attacks against vulnerable health care networks. According to an article in United States Cybersecurity Magazine, the health care industry has seen more targets being discussed in 2014 than any other year.”

They also stated that trends in mobile and cloud computing are game changers, as they require more specialized skills and knowledge to assure that compliance and security are in place. Healthcare faces the same new and evolving threat vectors that all organizations face, but it also has its own unique challenges: regulators, a stretched healthcare system and doing more with less, while somehow still needing to get everyone on board in managing risk to all the health data that patients and the industry demand within the current healthcare ecosystem. All of our healthcare records are at risk; this is getting very personal. Let’s fix this problem now!

George Grachis, CISA, CISSP, is a senior consultant with Maxis360, located in Orlando. He can be reached at or