On September 9, 2020, panelists Lynn Sessions (BakerHostetler) and Josh Hass (Charles River Associates) joined moderator Jamie Berry (Integreon) for the penultimate session of NetDiligence’s Virtual Summer Summit, entitled “Cyber Security Trends in the Healthcare Industry.”
Sessions kicked off the panel with a look at how trends have shifted in the last year and how the COVID-19 pandemic and regulatory changes have accelerated an already complex picture. As late as 2019, the healthcare industry was not seeing the uptick in ransomware payments reported by other sectors: a resilient industry, healthcare organizations were more likely to restore their systems than to pay when hit. However, with threat actors increasingly using data exfiltration to pressure victims, healthcare has become a ripe target. Simultaneously, the response to COVID-19 – the expansion of work-from-home, the rise of telemedicine, and the financial pressure created by a shift in patient mix – has made healthcare organizations all the more vulnerable. Overlaid on these changes are regulatory and legislative actions – including a more stringent interpretation of PII under HIPAA and the broadening of notification triggers at the state level – which make timely action even more critical.
Healthcare data is itself a complex picture, as Hass described. In addition to large structured data sets, a typical healthcare organization holds vast stores of unstructured data, including hand-written notes (often poorly scanned), X-rays and other imaging, and metadata that can be difficult to isolate. Where standard search-term techniques are inadequate, more sophisticated data-mining methods must be called into play. These involve both advanced technology, such as AI modeling to build templates for contextual analysis, and experienced reviewers whose understanding of healthcare data enables an efficient review.
In the immediate aftermath of a breach, healthcare organizations are simply unable to bear extended business interruption because they must continue patient care. However, as the investigation proceeds, all eyes must turn to issues around notification. Sessions stresses that the notification cannot proceed until an organization is certain that all involved data has been identified. Hass labels this a “defensible, high-quality product,” the result of a team working with daily communication and constantly updated protocols based on query logs.
Such a review can also provide a road map to a better risk posture in the future. As the forensic team works a breach, it will identify weaknesses that can be addressed. For example, companies are often shocked to find out how much PII is contained in email, a situation that can be mitigated by thoughtful retention policies. Similarly, examining how, where, and how much data is permanently stored is an opportunity to critically assess data-hygiene practices.
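The two points above (bare search terms over-match without context, and PII lingers in mail long past any patient-care need) can be shown with a small inventory script. The following is an added example, not code from the panelists or from NetDiligence; the three sample messages are constructed for the example, the identifier patterns and the 40-character context window are assumptions, and the 365-day retention period is an illustrative figure, not a regulatory requirement.

```python
"""Inventory a small mail corpus for PII hits and retention status (added example)."""
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample messages for this example only (no real data).
SAMPLE_MESSAGES = [
    """From: clinic@example.org
To: billing@example.org
Date: Mon, 04 Mar 2019 09:15:00 +0000
Subject: Claim follow-up
Message-ID: <m1@example.org>

Patient SSN: 123-45-6789, MRN 00412345. Please resubmit claim.
""",
    """From: it@example.org
To: helpdesk@example.org
Date: Tue, 11 Aug 2020 14:02:00 +0000
Subject: Ticket update
Message-ID: <m2@example.org>

Closing ticket 987-65-4321. No patient data involved.
""",
    """From: ward3@example.org
To: records@example.org
Date: Fri, 21 Aug 2020 08:40:00 +0000
Subject: Chart note
Message-ID: <m3@example.org>

Scanned note attached. Date of birth 02/14/1961, MRN 00778899.
""",
]

# Identifier shapes (assumed for the example). The SSN shape is deliberately
# loose: on its own it also matches ticket or case numbers, which is exactly
# the false-positive problem a bare search term produces.
SHAPES = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*#?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*:?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}

# Context that must appear within WINDOW characters before an SSN-shaped match.
SSN_CONTEXT = re.compile(r"\b(?:ssn|social security)\b", re.IGNORECASE)
WINDOW = 40  # assumed window size

# Fixed "today" so the ages below are reproducible.
NOW = datetime(2020, 9, 9, 12, 0, tzinfo=timezone.utc)


def find_pii(text):
    """Return {kind: [matched strings]} using shape plus, for SSNs, nearby context."""
    hits = {}
    for kind, pattern in SHAPES.items():
        for m in pattern.finditer(text):
            if kind == "ssn":
                before = text[max(0, m.start() - WINDOW):m.start()]
                if not SSN_CONTEXT.search(before):
                    continue  # digit shape with no SSN context: not counted
            hits.setdefault(kind, []).append(m.group(0))
    return hits


def inventory(raw_messages, now, retention_days):
    """One record per message: age in days, PII hits, and retention status."""
    records = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        sent = parsedate_to_datetime(msg["Date"])
        age = (now - sent).days
        text = msg.get_payload() + "\n" + (msg["Subject"] or "")
        records.append({
            "id": msg["Message-ID"],
            "age_days": age,
            "hits": find_pii(text),
            "past_retention": age > retention_days,
        })
    return records


def summarize(records):
    """Counts a responder or data-governance lead would ask for first."""
    with_pii = [r for r in records if r["hits"]]
    return {
        "messages": len(records),
        "with_pii": len(with_pii),
        "pii_past_retention": sum(1 for r in with_pii if r["past_retention"]),
    }


def run_sample(retention_days=365):
    """Run the inventory over the constructed corpus with the fixed NOW."""
    records = inventory(SAMPLE_MESSAGES, NOW, retention_days)
    return records, summarize(records)


if __name__ == "__main__":
    recs, summary = run_sample()
    for r in recs:
        flag = "PAST RETENTION" if r["past_retention"] else ""
        print(r["id"], r["age_days"], "days", r["hits"], flag)
    print(summary)
```

The ticket number in the second message has the SSN shape but no SSN context, so it is dropped, while the first message is flagged both for PII and for being older than the retention period; that second flag is the kind of finding that turns a breach review into a retention-policy change. A real engagement would add more identifier types, handle attachments and scanned images (OCR), and run against a mail archive rather than an in-memory list.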
In healthcare, data is king. Understanding that data – its particular characteristics and vulnerabilities – will be the first step to protecting it. Maintaining data stores only as long as they serve patient care will create protections that move organizations from a reactive stance to a proactive one.