A few weeks ago, I attended a talk on electronic healthcare record (EHR) system security given by Leidos' Chief Cybersecurity Strategist Gib Sorebo at the 2017 RSA Conference.
Overall, the estimated annual cost of data breaches has totaled $6 billion in the healthcare industry, with healthcare organizations spending an average of $2.1 million to resolve the consequences of a data breach in the past two years. Gib reported that an estimated 73% of patients will choose another provider if their current one was breached, based on a healthcare data privacy and security study by the Ponemon Institute.
Security in the healthcare industry is relatively immature, as the industry moved toward adopting EHR systems to store, collect, process and share patient data in recent years, motivated by government incentives called Meaningful Use (as well as penalties for not meeting the standards). In 2016, the goals for using EHRs included improving the outcomes of data capture, sharing and advancing clinical processes.
Another goal is to be able to facilitate care between multiple providers for patients and ensure secure sharing of patient data. While EHR incentives have started to fade away, the net-new installs of EHR software have seen a decline.
Gib recognizes the immature level of healthcare security - many security researchers have reported they’ve had trouble finding a place to report vulnerabilities in the industry. But like security in any other industry, it will take a while for it to develop.
Information Security Challenges in EHR Systems
Many EHR systems overlap with Enterprise Resource Planning (ERP) systems and other enterprise applications, causing complexity, dependencies and challenges for security.
Vendor dependency can present security challenges since EHR patching and other maintenance are typically controlled by the EHR vendor, which can make it difficult for the healthcare organization to take a more proactive role, since they must wait for their EHR vendor to act.
According to Gib, some EHR vendors like Cerner are taking a more active role in IT implementations for their customers, as they see themselves as the IT provider for organizations due to the breadth of EHR systems. EHR systems are often the focal point of a healthcare organization’s environment that other applications interact with and support.
Identity management can be more challenging in the healthcare field, as there are so many diverse users - patients, nurses, doctors, non-employees, finance, etc. - who must have different levels of access, often to very large sets of historical and current sensitive patient data, to do their jobs.
A clinician or nurse may need access to historical healthcare data in order to avoid duplicating resources - for example, calling for duplicate MRIs if a patient has already had one at a previous provider.
EHR Interoperability Problems
The typical EHR architecture includes a client - usually a thick client on desktop or in a virtual environment. Then, there’s middleware, which includes an application server and related programs; plus a database.
When there is a lack of interoperability between EHR systems and other providers, people will often use workarounds that can create security problems.
According to Gib’s slide on where EHRs are vulnerable, diagramming the typical EHR system with its interfaces, the attack surface can include:
- External and legacy systems
- Patients and authorized users
- Mobile devices
- External service providers (e.g. labs)
- Research and HIEs (health information exchange providers)
- Government oversight and dashboards
- Insurance companies
- Wireless infrastructure
- Bedside technologies (medical devices)
- Data center security (authentication)
- Business continuity & failover
Security Recommendations for Healthcare
Gib’s security recommendations include adopting a defense in depth security approach, that is, layered security. Authentication systems require a higher level of security than other systems.
He also recommends implementing network segmentation - segmenting based on use in order to monitor data as it moves through different junction points in the organization. By monitoring what type of data is transferred from medical devices to clinical operations, you can determine if that’s the correct and safe route.
Good cyber hygiene, regular patching and log analysis are key, but log analysis helps only if you understand what those logs mean and can put them into context. Gib mentioned that visibility into every system isn’t there today, and is one area of security that needs attention.
He also recommends watching your users’ roles - don’t just use the EHR’s default roles for different users, but configure your own based on your organization’s specific needs.
In the Next Six Months…
To apply some of the best security practices, he suggests ingesting EHR log data or output from an anomaly detection tool into your SIEM (security information and event management) or other centralized log aggregation tool. Duo’s Trusted Access solution provides detailed authentication, user, administration, device and other security logs to help you monitor and track any risks.
Another recommendation is to include EHR components in regular vulnerability scans, and look into the use of anomaly detection tools to detect suspicious activity, and the feasibility of application whitelisting for EHR components.
And, where feasible, implement two-factor authentication for EHR administrative functions. Duo’s two-factor authentication solution can be integrated with healthcare applications and systems like Epic’s EHR to both protect against credential theft attacks and help meet healthcare compliance requirements for strong authentication - such as for e-prescriptions.
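As an illustration of the log ingestion and anomaly detection recommendations above, here is an added example (not from the talk, Duo, or any EHR vendor) that compares how many distinct patient records each user opened against the median for their role and emits JSON alerts for a SIEM. The pipe-delimited log format, the user and role names, the thresholds and the rule name are all assumptions made for the sketch.

```python
import json
from collections import defaultdict
from statistics import median

FACTOR, MIN_PEERS = 3, 3  # assumed tuning: alert above 3x role median, need >= 3 peers

def build_sample_log():
    """Constructed audit lines: timestamp|user|role|action|patient_id."""
    spec = [("nurse_a", "nurse", 3), ("nurse_b", "nurse", 2), ("nurse_c", "nurse", 12),
            ("bill_a", "billing", 2), ("bill_b", "billing", 2)]
    lines = [f"2017-03-01T09:{i:02d}:00Z|{u}|{r}|VIEW|P{100 + i}"
             for u, r, n in spec for i in range(n)]
    lines += ["2017-03-01T10:00:00Z|nurse_a|nurse|VIEW|P100"] * 20  # volume, not breadth
    return lines + ["truncated line"]  # malformed input is counted, never fatal

def parse(lines):
    """Return ({(user, role): set of patient ids}, malformed line count)."""
    seen, bad = defaultdict(set), 0
    for line in lines:
        parts = line.strip().split("|")
        if len(parts) != 5 or not all(parts):
            bad += 1
            continue
        _, user, role, _, patient = parts
        seen[(user, role)].add(patient)
    return seen, bad

def detect(lines):
    """Flag users whose distinct-patient count exceeds FACTOR x their role's median."""
    seen, bad = parse(lines)
    by_role = defaultdict(dict)
    for (user, role), patients in seen.items():
        by_role[role][user] = len(patients)
    alerts = []
    for role, counts in by_role.items():
        if len(counts) < MIN_PEERS:
            continue  # too few peers for a meaningful baseline
        base = median(counts.values())
        for user, n in sorted(counts.items()):
            if n > FACTOR * base:
                alerts.append({"rule": "ehr_broad_record_access", "user": user,
                               "role": role, "distinct_patients": n, "role_median": base})
    return alerts, bad

if __name__ == "__main__":
    alerts, bad = detect(build_sample_log())
    for alert in alerts:
        print(json.dumps(alert))  # one JSON object per line, a common SIEM ingest shape
    print(f"skipped {bad} malformed line(s)")
```

Counting distinct patients rather than raw events keeps a nurse who reopens one chart twenty times from looking like a user browsing many records, which is the context the log analysis recommendation asks for.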