Healthcare organizations and the cloud: Benefits, risks, and security best practices

Healthcare organizations are moving their business-critical applications and workloads to the cloud, and while there are many benefits (lower costs, added flexibility and greater scalability), there are also inherent risks that cannot be overlooked.

Ensuring organizations’ sensitive data is being monitored and protected (24/7) is key and having analysts who clearly understand security in the cloud is critical. Hiring and staffing these roles can be quite difficult because of the skillset required. Outsourcing cybersecurity to a managed security service provider (MSSP) is one viable solution for healthcare organizations that are in the process of migrating to the cloud and are concerned with protecting patient information, sensitive data, and applications.

Why healthcare organizations are moving to the cloud

HIMSS Analytics conducted a survey of healthcare IT professionals about their views of cloud usage, with nearly two-thirds of respondents saying they are currently using the cloud or cloud services.

Why are healthcare organizations finally making the move? Many have started to look at the cloud as a disaster recovery and backup option in the event of a ransomware attack, which affected the healthcare sector in 2017. The cloud also enables increased operational and storage flexibility as more healthcare companies use applications like precision medicine and population health.

Who’s responsible for keeping the cloud secured?

With so much critical information being accessed and stored in the cloud, it’s important to know who is responsible for monitoring authentication, communication, and client access to devices as well as how they’re securing it. Cloud application vendors are motivated to secure their infrastructure against denial of service attacks, disruption to service delivery, and large backend infrastructure breaches to protect their business. However, control over data access, user credentials (in some cases the application servers themselves), and regulatory compliance rests on the user organization’s IT team – not the cloud vendor. In short, cloud infrastructure providers are responsible for protecting their service, while IT teams must ensure their organization’s private data and critical applications are protected.

Whether you are using cloud providers (such as AWS or Microsoft Azure) to host your sensitive applications and data, taking advantage of Microsoft Office 365, or leveraging the scalability of a cloud-based electronic health record (EHR) application, security is a shared responsibility between the IT security team and cloud provider. As more healthcare organizations turn to cloud services, it is becoming critical for IT and security teams to understand the delineation of responsibility.

Taking the right security measures in cloud infrastructures

Most of the same security risks that apply to data and applications residing within a traditional data center also apply to virtualized assets in cloud infrastructures like AWS, Azure, and others. Virtual servers can be infected with malware or ransomware, credentials can be stolen, and cyber criminals can extract data, which makes cyber protection even more important.

Web applications are one of the most significant sources of enterprise data breaches, and public-facing web applications are often hosted on cloud platforms. Because cloud platforms are designed for easy sharing, data runs the risk of becoming unintentionally shared or exposed. Misconfigured cloud-based data stores have resulted in many vulnerabilities and threats.

To address these risks, IT security teams are adopting security tools such as virtualized firewalls, web application firewalls, intrusion detection systems, and vulnerability scanning tools developed for cloud infrastructures. These technologies are integrated using service provider application programming interfaces (APIs) that are designed to address the virtualized and dynamic nature of these environments.

Protecting SaaS applications in the cloud

Software as a service (SaaS) applications like EHR software, Office 365, and Salesforce often store sensitive patient data and confidential business and operational information. A breach or inadvertent exposure of this data can result in compliance violations, revenue loss, and significant recovery expense, and can irreparably damage the organization’s reputation.

MSSPs and cloud access security brokers (CASBs) can collect and analyze authentication, access control, and cloud application transaction logs to identify suspicious behavior. Such logs include downloads, logins, usage, and application specific behaviors that may be analyzed by an MSSP to determine indicators of compromise.

Importance of Maintaining HIPAA compliance

For healthcare organizations, the Health Insurance Portability and Accountability Act (HIPAA) is an omnipresent reality. HIPAA requires patient data to be properly protected, no matter where it is being stored. Those who fail to protect patient data face fines and other regulatory penalties.

To meet HIPAA requirements, IT security teams should apply the same level of vigor to safeguarding their cloud-based data and applications as they would to on-premise applications and data. This can include deploying virtualized firewalls, scanning virtual servers for vulnerabilities, and monitoring and retaining log events from the public cloud.

How MSSPs can help implement stringent security in the cloud

When migrating to the cloud, many healthcare organizations consider implementing in-house security solutions. This means hiring security experts and around-the-clock staff to manage and respond to alerts. With the current cybersecurity skills shortage, finding and building the right team is not always easy.

How can a healthcare organization maximize the rewards of cloud-based data and applications while minimizing the security risks? One approach is to outsource the security monitoring, investigations, and incident response to an MSSP.

MSSPs have a service model that is well-suited for healthcare organizations with limited resources and strict compliance requirements. MSSPs can act as an extension of a healthcare organization’s IT security team at a fraction of the cost associated with hiring additional employees and operating a 24/7 security operations center (SOC).

When choosing an MSSP, it is important that healthcare organizations thoroughly evaluate providers and cross-reference their healthcare expertise to ensure a smooth transition to the cloud. Key questions organizations should ask an MSSP include:

    • Are you experienced with helping healthcare organizations protect their data and applications in the cloud?
    • Does your mix of security services include 24/7 monitoring, breach detection, and incident response?
    • Can you monitor log events from my preferred cloud provider and cloud-based application vendor?
    • How do you ensure we will receive accurate and relevant actionable alerts?
    • Can you manage or co-manage vulnerability management tools, virtualized firewalls, and endpoint security in cloud environments?
    • Do you have a single portal where we drill into security events and understand our security posture for both cloud-based and on-premise assets?
    • Do you offer HIPAA reporting and services to prepare us in the event of an HHS audit?

By asking these questions, healthcare organizations should be able to determine if the MSSP is equipped to handle security needs. Especially for healthcare organizations with limited budgets and small IT teams, a qualified MSSP can serve as an extension of their team, help improve cybersecurity posture, and make the most of moving to the cloud.

Using SIEM Technology to Streamline HIPAA Compliance

There are 154 separate risks underlying the HIPAA compliance security standard. Addressing and continually monitoring each of these risks individually can be an enormous task for a security officer. SIEM technology allows most of these risks to be identified, addressed and monitored.

SIEM technology allows for the collection of security events across devices, with automated cross-correlation of activity. HIPAA specific use cases built into a SIEM tool allow ePHI risks to be displayed in dashboards, channels, or reports.

For example, the login events from a Windows Active Directory server can be correlated against access events from a badge reader system. Where a login of an employee with credentials to a system containing ePHI does not match the recent access logs from the badge reader system, an alert is sent to the Security Officer. This alert contains actionable information to allow for fast remediation of a potential compliance issue. If the Security Officer wishes to look deeper into the issue, they can then open a web-based portal to the SIEM, verify both login and badge reader activity, and quickly resolve a potential breach of Access Control and Validation Procedures – Physical Safeguard §164.310(a)(2)(iii).

Use cases such as the above example can be created for the majority of the Security Standards.
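
The badge-reader correlation described above can be sketched as follows. This is an added example, not Proficio's or any SIEM product's rule content; the event fields, host names, the 10-hour window, and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed values for illustration: hosts that hold ePHI and how recent a
# badge-in must be for an on-site login to count as physically validated.
EPHI_HOSTS = {"ehr-db01", "ehr-app01"}
BADGE_WINDOW = timedelta(hours=10)

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample data (not real logs): AD interactive logons and badge reads.
LOGINS = [
    {"user": "asmith", "host": "ehr-db01", "time": ts("2018-06-04 09:12")},
    {"user": "bjones", "host": "ehr-app01", "time": ts("2018-06-04 09:30")},
    {"user": "asmith", "host": "ehr-db01", "time": ts("2018-06-05 02:47")},
    {"user": "cwong", "host": "file01", "time": ts("2018-06-04 10:05")},
]
BADGES = [
    {"user": "asmith", "door": "main-lobby", "time": ts("2018-06-04 08:55")},
    {"user": "cwong", "door": "main-lobby", "time": ts("2018-06-03 08:40")},
]

def correlate(logins, badges, ephi_hosts=EPHI_HOSTS, window=BADGE_WINDOW):
    """Return an alert for each ePHI-system login with no badge-in by the
    same user inside the preceding window."""
    by_user = {}
    for b in badges:
        by_user.setdefault(b["user"], []).append(b["time"])
    alerts = []
    for ev in logins:
        if ev["host"] not in ephi_hosts:
            continue  # out of scope for this use case
        recent = [t for t in by_user.get(ev["user"], [])
                  if timedelta(0) <= ev["time"] - t <= window]
        if not recent:
            seen = [t for t in by_user.get(ev["user"], []) if t <= ev["time"]]
            alerts.append({
                "user": ev["user"], "host": ev["host"], "login": ev["time"],
                "last_badge": max(seen) if seen else None,
                "control": "164.310(a)(2)(iii)",
            })
    return alerts

if __name__ == "__main__":
    for a in correlate(LOGINS, BADGES):
        print(a)
```

The `last_badge` field gives the Security Officer the most recent physical entry on record, so a stale badge-in (the second `asmith` login) can be told apart from no badge activity at all (`bjones`).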

The framework for ePHI compliance can be built into the structure of SIEM content, allowing for compliance to be reviewed by the individual security standards. Reviewing the reports, dashboards, and channels by Security Standard allows a Security Officer to identify compliance gaps and monitor their remediation. Should the Security Officer face a HIPAA audit, they can pull up reports by Security Standards all from a single interface.

Proficio’s ProView web portal provides reports and dashboards tailored to specific HIPAA requirements allowing security and compliance officers to quickly visualize their compliance posture.

Target – FAPD Phishing HIPAA Breach

On June 1st, the Florida Agency for Persons with Disabilities (FAPD) disclosed that a phishing attack had compromised a single email account. The email account contained the PHI of over 1,951 customers and/or guardians. Although no evidence was gathered that indicated the information was accessed, FAPD could not completely rule out that it had been. As a result, FAPD is providing the potentially affected patients with free credit monitoring services for the following year.

The Proficio Threat Intelligence Recommendations:

  • Implement multi-factor authentication for email access of users that may access ePHI
  • Validate that auditing has been enabled to prove what emails were accessed during a user session
  • Limit email access to IP addresses geolocated within the organization’s place of business

TARGET: Nuance Communications – Lost Revenue and PHI

Nuance Communications, a healthcare software company which specializes in speech and imaging, has had a run of bad luck with external and internal incidents in 2017.

Last year NotPetya malware cost the company $92 million in revenue, mainly from the disruption of transcription services and systems used by healthcare customers. Nuance moved quickly to restore client functionality, but complete remediation and restoration took over a month. This attack constituted a security incident under the HIPAA Security Rule but not a breach of PHI under the BNR (Breach Notification Rules).

In December 2017, only months following the NotPetya incident, there was an unrelated data breach by a former Nuance employee involving the PHI of 45,000 individuals. The records included healthcare providers’ patient assessments, diagnoses, dates of service and care plans. The attacker stole these records through unauthorized access to a transcription platform.

Nuance stated that it continues to enhance its security protection to prevent further cyberattacks, as these incidents have resulted in negative press and lost potential revenue.

Proficio Threat Intelligence Recommendations:

  • Proper network segmentation to mitigate the spread of malware outbreaks
  • Implement and enforce access controls to prevent unauthorized access
  • Backup critical systems and store them off-network

HOW TO ACHIEVE HIPAA COMPLIANCE