As the weather turns warmer, the mind naturally turns to summer fun. Backyard BBQs, outdoor adventures, and most notably, baseball. Specifically, one of the sports most beloved characters, Yogi Berra.
Yogi wasn’t just a baseball legend with 15 years as an All-Star and 3 MVP awards. He was also a philosopher of sorts, known the world over for his “Yogi-isms,” quirky turns of phrase that were somehow profound in their simplicity (ok, sometimes they were just plain funny).
His wisdom is appropriate in many situations, including healthcare security. Who knew we could learn so much from a grumbly old baseball catcher from Missouri…
1. “It’s like deja-vu all over again.”
Deja-vu is exactly what we feel about the headlines we all see every day. Stories about new cyber-attacks at healthcare facilities are so commonplace that they’ve almost become easy to ignore. Except that they can’t be. 90% of hospitals were hit with a breach in the last year, and most of them had up to five attacks to report. One look at the Norse map of live cyber-attacks happening around the world right now confirms that we are all under siege. If you haven’t been hit by an attack yet, you will be. If you have been hit, expect to be hit again. And again. As long as there are attackers, there will be attacks.
So what can be done about it?
2. “If you don’t know where you’re going, you might wind up someplace else.”
Having a comprehensive security strategy is critical if there’s any hope of protecting your patients’ data. Too often, organizations cobble together a series of disparate security measures and consider the job done, but those kinds of band-aid approaches never work. They might make people feel better because at least something is being done, but the reality is, they do very little to protect the security of your data or the reputation of your facility. You have to have a plan and it needs to address all levels of your organization from the outside in, from perimeter security to staff education. It’s also important to involve everyone with a stake in the matter, starting at the top. This isn’t a problem for just IT to solve. C-level execs and even the board needs to be an integral part of the program if significant progress is to be made.
When done properly, implementing a successful security strategy seems like a daunting task, but it doesn’t have to be.
3. “It’s pretty far, but it doesn’t seem like it.”
Make no mistake – properly securing your organization against threats that grow in scope and severity every day is perhaps the most important – and challenging – initiative your facility could undertake. But it isn’t insurmountable. The key is to be prepared. Approach the planning of your security program calmly and logically, and give yourself the time and space needed to make the best decisions. Do your research. Investigate what other organizations are doing (or not doing) that impacts their success. Interview your staff and understand their roles, so you know what kinds of workflow considerations will need to be made. Talk to vendors – lots of them. Doing so will highlight lots of factors you didn’t even know you needed to think about.
For example, did you know that most security solutions only use log files to identify potential threats? Unfortunately, reviewing log files only uncovers issues after the damage has been done. Not very much help when you’re trying to avoid being listed on the wall of shame (and they certainly weren’t helpful for The University of California Irvine Medical Center, who announced in 2015 that employees had inappropriately viewed 5,000 patient records – and had been doing so since 2011).
Real-time behavior monitoring should be a requirement for any solution you consider. It’s the key to identifying security issue before they become reportable events.
4. “You can observe a lot, just by watching.”
It’s just a reality that all healthcare organizations will be hacked eventually. Even the most advanced security solutions have vulnerabilities in them that attackers will find a way to exploit. So assuming that intruders will get in regardless of what kind of perimeter security is employed, it becomes clear that the focus needs to be on stopping data from leaving the organization. Thankfully, that’s easier than it sounds.
Employ a security solution that proactively protects your patient data by monitoring all activities across the network in real time. Doing so will make it possible to detect unusual behavior that’s indicative of a potential security issue. Also, make sure your solution helps you to understand user behavior in the context of other employees and peer groups. It’s critical that you have a big picture view of your organization and are able to connect the dots across applications, systems, networks and channels.
Take, for example, a user who routinely signs in every day from 9 am – 5 pm. They have a predictable schedule, exhibit a reasonable set of behaviors, and therefore, are nothing to worry about. Until suddenly that user starts to log in from different IP addresses late at night, viewing records that have nothing to do with his job function. That’s a huge red flag that investigators should look into immediately — but you would only know about it if you were proactively monitoring the network.
The good news about all of this is that it isn’t rocket science. There’s a right way and a wrong way to secure your organization and protect patient data. Do it incorrectly and the consequences will be catastrophic, starting with loss of patient trust and reputation. So do it the right away and avoid having to learn another Yogi-ism, “we made too many wrong mistakes.”
Boaz Krelbaum is General Manager of Cyber Fraud & Risk Management for Bottomline Technologies.