The 6 key business requirements for protecting patient data in networked medical devices and EHR systems:
- Prevent direct leakage of ePHI (electronic protected health information) from the device itself, from the management information system, or from the hospital information system interface. Data loss at the network boundary can be prevented with network DLP technology from companies such as Websense or Fidelis Security.
- Ensure availability of the medical device or EHR application. When the application is offline, it becomes easier to attack through maintenance interfaces, technician and super-user passwords, copying data from backup devices, or accessing the database directly while the device is in maintenance mode.
- Ensure the integrity of the data stored in the networked medical device or EHR system. This is the ABC of information security, but if you do not have a way to detect missing or manipulated records in your database, treat that as a wake-up call: if you do get hacked, you will not know about it.
- Ensure that a networked or mobile medical device cannot be exploited by malicious attackers to cause harm to the patient.
- Ensure that a networked or mobile medical device cannot be exploited by malicious attackers to cause damage to the hospital enterprise network.
- Ensure that data loss cannot be exploited by business partners for financial gain. The best defense against data loss is DLP (data loss prevention), since it inspects the content that actually leaves the network and does not rely on access control management being correct.
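A minimal way to detect missing or manipulated records, as an added example that is not code from the original article: each record is sealed with an HMAC over its content, its sequence number and the tag of the previous record, and the tag of the newest record (the head) is stored outside the database, for instance in an append-only audit log. A verifier that walks the chain then reports modified records, records deleted from the middle, and truncation at the end. The key, the sample records and the field names are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Assumption for the example only: a real deployment keeps the key in an HSM or
# key-management service, never alongside the database it protects.
INTEGRITY_KEY = b"example-key-not-for-production"

GENESIS = "0" * 64  # previous-tag value used for the first record

# Constructed sample records (not real patients).
SAMPLE_RECORDS = [
    {"patient_id": "P-1001", "diagnosis": "E11.9", "note": "metformin 500 mg"},
    {"patient_id": "P-1002", "diagnosis": "I10", "note": "lisinopril 10 mg"},
    {"patient_id": "P-1003", "diagnosis": "J45.20", "note": "salbutamol prn"},
]


def _canonical(obj):
    """Deterministic serialisation so the HMAC does not depend on key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _tag(seq, prev, data, key):
    """HMAC over sequence number, previous tag and record content."""
    body = {"seq": seq, "prev": prev, "data": data}
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def seal_records(records, key=INTEGRITY_KEY):
    """Return sealed rows; each carries seq, prev (previous tag) and its own tag."""
    sealed, prev = [], GENESIS
    for seq, rec in enumerate(records, start=1):
        data = dict(rec)
        tag = _tag(seq, prev, data, key)
        sealed.append({"seq": seq, "prev": prev, "data": data, "tag": tag})
        prev = tag
    return sealed


def verify_chain(sealed, head_tag, key=INTEGRITY_KEY):
    """Walk the chain; return a list of findings (empty means the chain verified).

    head_tag is the tag of the last record as recorded outside the database;
    without it, deleting the newest records would leave a perfectly valid chain.
    """
    findings, prev, expected_seq = [], GENESIS, 1
    for row in sealed:
        seq, stored_tag = row.get("seq"), str(row.get("tag", ""))
        if seq != expected_seq:
            findings.append(f"gap: expected seq {expected_seq}, found {seq}")
        expected_tag = _tag(seq, row.get("prev"), row.get("data"), key)
        if not hmac.compare_digest(expected_tag, stored_tag):
            findings.append(f"modified: seq {seq} fails HMAC check")
        elif row.get("prev") != prev:
            findings.append(f"broken link: seq {seq} does not chain to the previous record")
        prev = stored_tag
        expected_seq = (seq if isinstance(seq, int) else expected_seq) + 1
    if not hmac.compare_digest(prev, head_tag):
        findings.append("truncated: last record does not match the recorded head tag")
    return findings


if __name__ == "__main__":
    rows = seal_records(SAMPLE_RECORDS)
    head = rows[-1]["tag"]          # would be written to the external audit log
    print("clean:", verify_chain(rows, head))
    rows[1]["data"]["diagnosis"] = "Z00.00"
    print("edited record:", verify_chain(rows, head))
```

The check runs in O(n) over the table and needs no trust in the database server: an attacker with write access to the rows cannot forge tags without the key, and cannot silently drop the newest rows as long as the head tag lives somewhere they cannot reach.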
Why does data leak?
Just like physical theft, data is leaked or stolen because it has value; otherwise the employee or contractor would not bother. There is no impact from leakage of trivial or universally available information: sending a weather report to a competitor by mistake obviously makes no difference.
The financial impact of a data breach is directly proportional to the value of the asset. Imagine an insurance company obtaining PHI under false pretenses, discovering that the patient had been mistreated, and suppressing the information; the legal exposure could run to millions. Now consider a leak of patient names without any clinical data: the impact is low, simply because names of people are effectively public, and without the clinical data the information has little added value.
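To show what inspecting outbound content rather than trusting access control looks like in practice, and the difference between names-only and names-plus-clinical data described above, here is an added example that is not part of the original article and is not the code of any DLP product: a content classifier that looks for direct patient identifiers and for clinical content in outbound text, and blocks only when both are present. The patterns, policy thresholds and sample messages are constructed for the example (identifiers are limited to MRN, SSN and date of birth, since matching names needs the patient index); a real DLP engine would use exact data matching against the actual patient index rather than loose regular expressions, and the ICD-10 pattern shown here will also match tokens such as vitamin "B12".

```python
import re

# Constructed patterns for the example. Assumption: identifiers are MRN, SSN and
# date of birth; names are omitted because matching them needs the patient index.
IDENTIFIER_PATTERNS = {
    "mrn": re.compile(r"\bMRN[ :#]*\d{6,10}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
}
CLINICAL_PATTERNS = {
    # ICD-10 shape: letter (U is reserved), digit, digit/A/B, optional subcode.
    # Deliberately loose; it also matches tokens like "B12", so it is a signal, not proof.
    "icd10": re.compile(r"\b[A-TV-Z]\d[0-9AB](?:\.[0-9A-Z]{1,4})?\b"),
    "clinical_term": re.compile(
        r"\b(?:diagnos(?:is|ed)|prescribed|lab result|pathology|HbA1c)\b", re.IGNORECASE
    ),
}

# Constructed outbound messages (no real patients).
SAMPLE_MESSAGES = {
    "weather": "Forecast for tomorrow: 28 C, light winds, no rain expected.",
    "mrn_only": "Please confirm MRN 00482913 is still active, no other details needed.",
    "full_record": "Patient MRN 00482913, DOB 1971-03-14, diagnosis E11.9, prescribed metformin 500 mg.",
    "deidentified": "Cohort summary: 14 cases of E11.9, average HbA1c 7.8%, no identifiers included.",
}


def classify_ephi(text):
    """Decide what an outbound message carries and what the DLP policy should do."""
    identifiers = sorted(n for n, rx in IDENTIFIER_PATTERNS.items() if rx.search(text))
    clinical = sorted(n for n, rx in CLINICAL_PATTERNS.items() if rx.search(text))
    if identifiers and clinical:
        severity, action = "high", "block"      # identifiable clinical data: real ePHI
    elif identifiers:
        severity, action = "low", "log"         # identifiers without clinical context
    elif clinical:
        severity, action = "medium", "review"   # clinical content, possibly de-identified
    else:
        severity, action = "none", "allow"
    return {"severity": severity, "action": action,
            "identifiers": identifiers, "clinical": clinical}


def classify_all(messages=SAMPLE_MESSAGES):
    """Classify every sample message; returns {name: decision}."""
    return {name: classify_ephi(text) for name, text in messages.items()}


if __name__ == "__main__":
    for name, decision in classify_all().items():
        print(f"{name:13s} {decision['severity']:6s} {decision['action']:6s} "
              f"ids={decision['identifiers']} clinical={decision['clinical']}")
```

The policy mirrors the value argument above: a message with an MRN and nothing else is logged rather than blocked, while the same MRN next to a diagnosis code is stopped at the boundary regardless of who sent it or which access rights they had.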
Why people steal data
The key attack vector for a data loss event is people, often business partners working with inside employees. People handle electronic data, make mistakes, or do not follow policies. People are increasingly conscious that information has value: all information has some value to someone, and that someone may be willing to pay or return a favor. This is an ethical issue, best addressed by direct managers leading from the front and setting examples of ethical behavior.
People maintain information systems and make mistakes: they leave privileged user accounts on a system, or temporary files containing ePHI on a publicly readable Windows share.
APT (Advanced Persistent Threat) attacks
People design business processes and make mistakes. A customer service process in which any representative can see any customer record creates a vulnerability that can be exploited by malicious insiders, or by attackers using an APT (Advanced Persistent Threat) that targets a particular individual in a particular business unit. The recent successful APT attack on RSA is an example: it targeted an HR employee with an Excel worksheet carrying malware, which enabled the attackers to steal SecurID token data; the stolen token data was then used in an attack on Lockheed Martin.
According to Wikipedia, APT attacks use traditional attack vectors such as malware and social engineering, but also extend to advanced techniques such as satellite imaging. An APT is a low-and-slow attack designed to go undetected, and there is always a specific objective behind it, in contrast to the chaotic, opportunistic attacks of script kiddies.