While any organization that is a Allscripts and GE Centricity Hosting entity should have strict cybersecurity control, the reality is that a healthcare organization’s workforce is its greatest cybersecurity threat. But there are reliable steps organizations can take to lessen the risks, said Kurt Long, founder and CEO
of FairWarning, a cybersecurity firm that protects patient information in more than 8,000 healthcare facilities worldwide.
“People are the greatest vulnerability statistically, whether it’s the Verizon breach report, the IBM breach report, or any other survey being conducted, statistically it is obvious the workforce is untrained and vulnerable,” Long said. “Most of these breaches start by an inside user making a mistake. But 45 percent of all the breaches in the IBM breach report were malicious insiders. The solution is much more holistic than the industry currently thinks, and until we wrap our hands around the people problem, there is no amount of technology that is going to make a dent in breaches.”
Luckily, there are a variety of approaches that healthcare organizations can take to tackle the people problem. For instance healthcare organizations should focus on having a governed workforce and a trained workforce, Long explained.
“For governed, this means the workforce has signed and is aware of the policies of acceptable use for that care provider,” he said. “And for trained, this means not just trained on acceptable use but also trained to report – this is a big one –suspected incidents. The first level of training is what is appropriate use of PHI, but this second level of training is to report to a security team, some central agency within the healthcare provider, what is suspicious. We’ve seen where workforces can be transformed to help become a line of defense.”
After governance and training comes monitoring, Long said.
“Monitoring is a trust but verify matter,” he added. “Care workers have access to a great deal of data, which they should because it is required in the course of patient care. It is very difficult to ratchet down the access control, so you need to monitor the workforce for various scenarios. For example, you want to statistically monitor is this person well outside the boundaries of what they should normally be accessing.” Or is this individual accessing the system from place that is outside the the normal boundaries?
And finally, healthcare organizations should identify, track and correlate their users, Long concluded.
“Organizations have many different applications that touch PHI, and those applications could be legacy systems that they’ve had for a long time, so they don’t have modern user management controls,” Long said. “Or they could have acquired different group practices and brought in different users they have never seen before. Or in the past they simply could have had poor information practices. It all adds up to poor identification, poor governance and poorly trained users; all those users accessing the PHI, organizations don’t really know much about them at all.”
Do you know what your Allscripts and GE Centricity Hosting company is doing to protect you?