Technology is an integral component in medicine, making it easier for practitioners to do their jobs but more challenging to keep patient data protected. Cloud adoption has been a significant component of this, with cloud-hosted EMR and other SaaS solutions containing patient information shifting data outside traditional security boundaries. This problem, Managing Healthcare’s Hidden Attack Surface, shows no signs of slowing down as cloud adoption for the healthcare industry is expected to grow 40% through 2025, creating larger attack surfaces for medical practices to manage. Failing to adequately defend sensitive patient information can lead to hefty fines and mandatory corrective action programs under HIPAA (Health Insurance Portability and Accountability Act).
With the expanding technological attack surface, organizations have the apparent challenge of contending with outside attackers and ensuring this data is not disclosed through internal threats, misuse, or by accident. In an industry where safety and privacy are paramount, finding ways to secure this data no matter where it resides is essential.
In this article, we explore how information can be disclosed by threats within the organization and unique ways to manage access and utilization to prevent it.
Special Challenges
Misuse of Access
Misuse of access is a common problem for authorized users of a system, who use their access privileges to perform actions outside their job function or are not permitted. These actions can include accessing or modifying sensitive information without permission, utilizing company resources for personal gain, or sharing credentials with unauthorized. In the healthcare sector, misuse of access can lead to breaches of patient privacy and potentially harm patients.
Misuse of access is especially an issue in healthcare as any unauthorized access, use, or disclosure of PHI violates HIPAA’s, Privacy Rule. To prevent this, HIPAA requires healthcare organizations to implement technical, administrative, and physical safeguards to limit access to PHI without authorization. With the complex IT ecosystem combining cloud and on-premises resources, it is challenging to create effective controls to ensure data is safe no matter where it resides.
Internal Threats
Internal threats, or threats from within an organization, can include employees or contractors who intentionally or unintentionally cause harm to the organization’s security. This can consist of stealing sensitive information, introducing malware to the network, or failing to follow security policies. In the healthcare sector, internal threats can lead to breaches of patient privacy and can also put patient safety at risk.
Internal threats are incredibly challenging to discover as access to sensitive information is often a legitimate portion of their job. Tracking when average utilization crosses the threshold of excessive or high-risk access is difficult. Traditional security controls aim to either grant or deny access. Differentiating between normal utilization and dangerous utilization requires more advanced solutions.
Accidental Exposure
Accidental exposure occurs when sensitive information is inadvertently made available to unauthorized individuals. This can include leaving sensitive information on an unsecured network, sending an email to the wrong recipient, or accidentally posting sensitive data on a public website. In the healthcare sector, accidental exposure violates patient rights to privacy, allowing unauthorized individuals access and violating HIPAA’s privacy rule.
Accidental exposure is difficult to catch as it is often just an oversight by well-meaning users attempting to do their job. Sensitive information may be placed in areas that lack sufficient security controls to protect it from facilitating testing or data analysis. While users may assume it is just for a short time, these systems are not always adequately sanitized after utilization or left for an extended period. The entire time data is in these areas, it is at risk of discovery by malicious third parties.
Managing Data Use Security
Protecting PHI in the complicated modern IT environment is not an easy task. Traditional security solutions often are designed to either protect data in the cloud or on-premises only. These solutions often rely on controls to stop or limit data sharing altogether, reducing productivity and complicating employees’ lives. Instead, organizations need to seek solutions that meet HIPAA requirements for ensuring privacy while seamlessly providing this protection without impacting employees.
Scoping Access
With medical data, the principle of least privilege is crucial for limiting access. Users should only have access to the minimum data set necessary to complete their jobs and only for the period it is needed. Managing individual user access rights for staff does not scale well, as users might change roles or new users may come on board, and access often exists across many systems and endpoints in the organization.
Rights access management can be simplified using role-based access control (RBAC) to limit access to groups. Rather than altering which data individuals have access to, they are assigned to numerous groups according to their roles, and the groups are assigned access rights. Managing user group membership is much faster and easier to carry across to new users.
Baselining Utilization
Fighting internal threats requires a more advanced solution. User access to data is necessary to conduct business, making determining when misuse occurs difficult. There is a large volume of normal access noise to sift through to identify problematic usage, which hides as only a fraction of the total volume.
More advanced anomaly detection solutions create baselines of individual usage, including time, file access, volumes of data accessed, and many other behavioral indicators. This information gives users a unique profile that evolves with their everyday usage. When usage changes, such as when an account is compromised or misused, the detection triggers alerts for staff and blocks further access, stopping threats early.
Technology to Secure Medical Practices
Sotero helps healthcare organizations see through the noise of everyday usage to discover and stop insider threats and accidental misuse. Sotero’s data protection platform integrates with your existing organization projecting data protection no matter where your PHI and other sensitive information resides. Sotero’s advanced threat detection eliminates threats to data early on, stopping inappropriate use before it can lead to disclosure. Your organization builds a holistic defense against internal and external threats with Sotero.
Contact Sotero today for a demo on how the Sotero Data Security Platform can help your healthcare organization get and maintain complete data security coverage.