"A lot of organizations did their initial HIPAA training as required, and that was pretty much the extent of the training they offered," Herzig laments. HealthcareInfoSecurity's inaugural survey shows 42 percent of organizations grade their staff security training and awareness activities as poor, failing or in need of improvement.
"Certainly, staff need to know your organization's policies and procedures as they pertain to protected health information," Herzig says in an interview about the survey results [transcript below].
"But you also need to be able to train those individuals effectively on technology. They need to understand why it's not a good idea to bring in cell phone 'x' that is the new tool out on the market, but that may, indeed, be exposing the organization to potential data loss."
In the interview, Herzig also:
- Notes that the lack of an updated risk assessment can lead to inadequate steps to prevent breaches. The survey shows 26 percent of organizations have not conducted a risk assessment. Of those with assessments, less than half update them annually.
- Points out that another important way to prevent breaches is to ask business associates to demonstrate their information safeguards by providing copies of their third-party audits. The survey found that only 14 percent of organizations have taken this step.
- Stresses the need to update business continuity plans annually. The survey shows less than half of the respondents update their plans this frequently. Herzig, whose organization coped with tornadoes that ravaged Alabama earlier this year, notes, "You never know what Mother Nature may throw at you and what size or magnitude of a natural disaster you may find yourself exposed to. So it is very important that you review those disaster recovery plans and make sure that you are ready to deal with a community-wide disaster when it occurs."
Herzig is the featured speaker in an upcoming webinar on business continuity planning. He is information security officer at UAB Health System, Birmingham, Ala., where he also serves as HIPAA security officer. The system operates a 1,000-bed hospital plus numerous outpatient facilities. He's an adjunct professor of health informatics at the University of Alabama at Birmingham. He is also the editor and co-author of the recent book: "Information Security in Healthcare: Managing Risk."
Complete survey results are now available.
Threat Prevention Results
HOWARD ANDERSON: Some 43 percent of the respondents to the survey rank their organization's abilities to counter internal and external information security threats as poor, failing or in need of improvement. Why do you think that is the case?
TERRELL HERZIG: Pretty interesting. When I was thinking about this a couple of immediate points came to mind, actually three or four. Let me step through them. I think the industry has kind of been weak on keeping up with risk assessments, and by not adequately doing those, they probably haven't really accounted properly for the insider threats. I think that's one contributing factor. I think the second is clinical staff has a lot of access rights, and the only way to really discover when those access rights have been abused is to examine log files. In looking through the survey, there were a couple of questions involving log files that you can kind of tell where a lot of the organizations aren't managing those or looking at those adequately, so therefore I think it's going to be hard for most organizations to detect when these particular rights are being misused. I think that's part of it. Then the other part of it is just really insufficient user training. There was a question in the survey that's kind of interesting when you look at the training perspective. If it's weak or not there, then the users may not know in terms of some of the things that they're doing that could be interpreted as breaches or that breach of trust and confidence.
ANDERSON: What about the lack of preparation for external threats. Does a lack of a risk assessment play a role in that? What other factors play a role in that?
HERZIG: If you look back, I think it's a lack of risk assessment and understanding what those external threats are, and I'll give you an example of that. One of the things that we have to do with any kind of security control is to monitor it and set up metrics so you can measure what's going on. I've noticed one of the things out there that's making a comeback is of course the threats from malware. A lot of these threats are getting harder to detect. Not one single tool really does an effective job at discovering those, but by looking at those metrics, you can see where there has been a steady uptick in the last year of malware threats.
Basically, if organizations aren't doing the very basic analysis of their risk, then they probably also don't have the metrics in place to measure how effective their controls are. That would include their external controls as well. Then of course, again, there's a finding about logging and log management, and that's one of those key controls you've got to monitor and look at to see if your controls are being effective.
Biggest Security Threats
ANDERSON: Some of the respondents say the biggest security threats they face are mistakes by staff members, insider threats, including record snooping and identity theft, followed by business associates taking inadequate security precautions. What do you think of that perception of the ranking of security threats?
HERZIG: ... Typically, in any information system your biggest threats are going to be from your inside users. And again, we just talked about several points of what causes that: lack of training, extensive rights to information, where those rights are misused or in some cases abused in the cases of snooping and things like that. When it comes to business associates, the weakness there is that most organizations don't have visibility into their business associate's operations to be able to even determine if they're monitoring things correctly. I think there's a lot of trust there that you undertake as an organization when you establish these business associates. What I have found is that even with an enhanced BA agreement, business associates will often try to negotiate certain points out. Organizations are going to have become more aggressive with these business associate agreements and ask for things like SAS 70 Type II reports, things that show that they have been audited by a third-party auditor and are indeed using controls and they're measuring the effectiveness of those controls. That's going to be about the only way an organization is going to be able to look over the shoulder of its business associate and see that things are being done correctly.
It's a tough world out there right now, and I think a lot of the things in healthcare, the new technologies and stuff coming down, are going to require more and more third-party business associate agreements. I think it's going to have to be addressed in the ability to have third-party audit reports turned into us and be able to detect when the controls are effective.
ANDERSON: Do you think all the publicity about recent, huge data breaches involving business associates might motivate people to take a closer look at their business associate arrangements and the details?
HERZIG: It really should. I know from our personal perspective we take it very seriously and we ask for those verifications. But even then, it's good to have some contractual things in that BAA such that if a breach does occur that you hold them to a certain reporting time period. You certainly don't want the business associate taking 50 days or something like that to investigate a situation, then notify you and you've only got a short time to conduct your investigation and notify patients. And again, a lot of business associates out there who are involved in breaches need to be able to have proof of an incident response plan and be able to give you the information you're going to need should a breach occur. I think we're seeing the tell-tale signs of that in the press now, especially with some of the outstanding breaches we've had in the last couple of weeks.
Security Training & Awareness
ANDERSON: When asked about the effectiveness of their security training and awareness activities, 42 percent of those surveyed grade their efforts as poor, failing or in need of improvement. Why aren't more organizations making solid progress on information security training?
HERZIG: A lot of organizations did their initial HIPAA training as required and that was pretty much the extent of the training they offered. ... What I have found is that there are two fronts you need to train people on. Certainly, they need to know your organization's policies and procedures as they pertain to protected health information, but you also need to be able to train those individuals effectively on technology. They need to understand why it's not a good idea to bring in cell phone "x" that is the new tool out on the market that may indeed be exposing the organization to potential data loss. It's those kinds of things you have to get back in front of individuals with.
It's not necessary to have a lot of town hall meetings to educate folks, because clinical staffs are very busy and those methods tend to field less results. I think people should look at other alternative education strategies. Here we use newsletters; we use e-mail. ... I'll come in, for example, on a Monday morning and send out a mass mailing [noting] some ... security events that we're seeing [in the news] and people like reading those because it tells them things that they were not familiar with.
One big help with that front has been our use of social media as examples of social engineering, that is, techniques where individuals are conned into giving up their passwords and things like that, and that's very common these days, and a lot of people just weren't aware that things like that were going on. That was very helpful to get those kinds of newsletters out and those kinds of e-mail broadcast.
[We also offer] brown bag lunches where we talk about a certain topic, like ... how to harden your home PC against threats like viruses and malware. Those kinds of things reinforce your security strategy and make people understand why some of these controls are put out there and why they're being asked to comply with them.
Mobile Device Security
ANDERSON: Mobile device security is growing in importance as more staff members use the devices, as you just mentioned. The survey shows 70 percent of organizations have a mobile device security policy in place and 60 percent apply encryption to mobile devices in some way. What do you see as the essential components of a mobile device security policy?
HERZIG: On the policy basics, there's a lot to it. Not only should you mandate certain technical controls to be used, like encryption, but you also want to address data ownership. There are a lot of times when clinical staff will use information and assume that because they use it, they are the owners of it, and basically you need to go back and look at who's going to pay the price if that information is breached. Certainly the organization is going to take a big hit reputation-wise, and they're probably going to be on the hook for the violation. In terms of that, there needs to be clear communication in those policies about who owns the data and what the expectations are for securing it.
Then, a lot of clinicians need a good, firm understanding of what constitutes sensitive data. I've had some discussions with our clinical staff [and] sometimes they'll say, "Well I'm not going to have the entire EHR." They need to understand that you ... can just have components of it that would constitute sensitive information. You'd be surprised in some cases that clinicians may not fully understand under HIPAA what constitutes PHI. It's a good [time] to cover that in the policy.
Again, you want to cover device ownership. Does your organization purchase the device and only allow deployed devices that are owned by the organization? Or does it work in a model where personal devices are allowed so long as they meet certain technical controls and policy basics? That's something that needs to be defined in the policy. Then, from the perspective of mobile device security, that policy has got to be pushed out [with] training being used so that everyone understands it and has read it and knows what the expectations are. Here we have an acceptable use rule that everybody has to retest for on an annual basis. We have a certain amount of corporate compliance training required each year and we add that to that so they can review it, refresh their understanding of it and then acknowledge that they have indeed read it and understood it.
Finally, back to your risk assessments, before any decisions are made regarding mobile devices, you really need to assess how that device is going to be used and what threat it's going to pose to the organization.
Business Continuity Planning
ANDERSON: Only 46 percent of those surveyed say they update their business continuity planning annually. Why is it essential to frequently update a business continuity plan, based on your experience? I know you just went through the tornado there in Alabama?
HERZIG: You never know what Mother Nature may throw at you and what size or magnitude of a natural disaster you may find yourself exposed to, so it is very important that you review those disaster recovery plans and make sure that ... you are ready to deal with a community-wide disaster when it occurs.
Part of that too is an ongoing measurement to make sure that your contingency plans and your critical systems have been routinely inspected and evaluated to make sure that any impact to those systems can be recovered in a timely basis. That is where it's important to do those business impact assessments and keep those up. I would say at least on an annual basis those should be reevaluated so that senior management will have an understanding of how long it would take to recover service if it went down, or if there's a need to go out and invest in technologies with faster response times. So not only test internally, but test with your community so that you're prepared for those kinds of events. You understand how your local emergency services will operate and respond so you'll be ready for what we face.
ANDERSON: Finally, did you find any of the results of the survey to be particularly surprising or concerning?
HERZIG: One of the big ones for me was: How do you determine the effectiveness of some of your security controls that you had in place? I think the general answer that the respondents gave overwhelmingly was through their risk assessments, and I scratched my head a bit. I had to think about that one for a while and I think that kind of highlights a certain level of understanding among information security people. Risk assessments traditionally tell you where your risk is at, and the likelihood for impact and those kinds of things. You generally want to look toward establishing metrics and measuring those metrics to determine the effectiveness of those controls. I found that very interesting. Overall, I think the survey is excellent. When you review it, I think you'll see these trends and I think they very much confirm some of the suspicions that a lot of us with information security have, and that is healthcare has a ways to go.