An Interview with Senior Security and Compliance Engineer, Sean Smith, CISSP
Several times a year, we hear about major data security breaches. Just last month, a breach at Equifax, a major credit reporting company, exposed sensitive information, such as Social Security numbers and addresses, of up to 143 million Americans. And since 2009 alone, it is estimated that the health care records of more than 120 million people have been compromised. In 2014, nearly half of all major data breaches involved the health care industry.
It’s no longer enough for health care organizations or even physician practices to count on basic encryption and regularly changing passwords to protect patient data. Also, it’s not enough to put security in the hands of one or two staff members.
“Cybercrime increasingly is being perpetrated by major criminal organizations around the world on the Dark Net. This is not a kid in the basement fooling around,” said Sean Smith, Senior Security and Compliance Engineer at Geriatric Practice Management, LLC, in Asheville, NC. “Criminal organizations are employing people to attempt to break into your system and steal your information, which they can sell for big money. When you’re building your Electronic Health Records and other data systems, you need to plan for this and stay constantly vigilant.” He stressed, “The stakes have never been higher.”
Defining the Dark Web
Most people have heard about the ‘dark web,’ but many don’t know precisely what it is or why it is dangerous. In short, there are three levels of the web:
- Public Web – the area containing information that people access through common search engines. This is the part of the web that most of us use every day for business and personal activities.
- Deep Web – where you can find information that isn’t indexed by search engines and doesn’t require authentication. It’s important to note that the deep web isn’t necessarily bad or dangerous. In fact, about 90% of what’s online is on the deep web. This includes internal company or school sites, online databases, and member-only sites.
- Dark Web – a hidden network of websites whose users rely on anonymity software to conceal their identities. The dark web comprises only about 3% of the Internet. Because of its anonymous and untraceable nature, the dark web is a place for illicit activities, such as the trafficking of stolen personal information.
Most people in the health care industry have fears about the dark web and security breaches. However, as Smith noted, “They fear the unknown, but they don’t know what they don’t know. They don’t know if they’re protected or not.” Many practitioners, he suggested, tend to think that if there is a breach, they just have to change their password and take a few other minor precautions, such as buying or updating antivirus software. He also pointed out that, at the same time, one of the most important precautions, having data encrypted, will save a company or practice from Centers for Medicare & Medicaid (CMS) fines and penalties in case of a data breach. However, he stated that none of this is enough to secure data over time. In Sean’s opinion, while annual HIPAA training for staff is useful, it is just the beginning and not the end.
The Significance of a Specialist
Just as a company or practice seeks out an accountant or other professional to set up and manage or monitor tax and business systems, stressed Smith, you should also seek the assistance of cyber security experts to set up risk/security programs. As Smith noted, “Cyber security/risk management has become a very specialized field. It is important to contract with someone who has experience, credentials, and—preferably—certification. The gold standard is the Certified Information Systems Security Professional (CISSP®) certification, held by only about 90,000 worldwide.” Smith received his CISSP® earlier this year.
At the least, an expert should have a current understanding of vulnerabilities from the Internet; knowledge of contemporary standards, practices, and procedures; an understanding of operating systems architecture, administration, and management; an understanding of how different types of firewalls and network load balancers work; and a detailed understanding of how network routers and switches work. A strong expert will be able to help set up a strong, effective security program, conduct annual HIPAA trainings and risk analyses, and address issues or problems as they arise.
Of course, you have to do your part. This includes background and reference checks on new hires and providing consistent and ongoing staff training on cyber security. This is essential because, as Smith pointed out, a recent Verizon Data Breach Incident Report indicated that 68% of all health care industry breaches in 2017 involved internal personnel. Two-thirds of these were financially motivated, and a third were just for fun. “There are threats coming from internal people,” he stressed.
A good outside consultant can work with your IT and leadership team to provide support such as webinars and user group meetings. “We train our clients to understand the risks as they build their security programs. We provide support with HIPAA risk processes and procedures,” said Smith. He added, “From the beginning, we have acted like a medical practice. We have completed HIPAA risk assessments and expanded to Service Organization Control (SOC) reports. We provide that documentation freely to customers, and they are covered if they use our tools correctly.”
Establishing a Secure Environment
Smith noted, “We built platforms to function in varied environments, including those with low internet speed, which is a common challenge post-acute and long-term care practitioners face.” Smith added, “You need a product built to function in a secure bubble on your portable devices. For example, our software doesn’t store temporary files or data. Instead, it sends the data to a cloud system and doesn’t leave any residual information on the device at all. There are no temporary files to worry about.” He also stated that practitioners don’t have to fear losing data on active encounters, and they avoid the risk of temporarily storing personal health information on an unsecure device.
This is important because it’s not enough to ensure that your office-based data is safe. A company not only has to worry about security in its offices or buildings; it also has to be concerned about how practitioners and other employees use their devices and protect information when they’re offsite. Whether they leave a laptop open in a waiting room, have a tablet stolen from their car, or send a text or email from an unsecured device, the company is responsible for the security of this data.
An organization could just prohibit the use of portable devices, but that isn’t remotely practical. As Smith said, “Post-acute and long-term care practitioners are the purest example of the portable medical professional. They need to be able to access systems on the go.” This involves a different set of security risks than the office. However, just like the office, portable devices and the data on them need to be planned, tested, and audited for security. When looking at security, you also have to focus on encryption and Malware protection. Smith further explained, “In incidents where a device is lost or stolen, you need the capability for remote wiping. This is a security feature that allows a network administrator or device owner to send a command to a computing device and delete the data to return the device to factory settings.”
Often, practitioners don’t realize the risks associated with using portable devices, even when they are conscientious about privacy issues. For instance, someone who would never think of discussing a patient on the train may not see the risk in texting or emailing about a patient on an unsecured device in a coffee shop. It is essential to help everyone understand the importance of security and how they can comply. Smith continued, “When I do awareness training, I try to tie it to their personal information. If their laptop or phone was lost or stolen, what personal data would be vulnerable? What damage could someone do with that information?”
Planning for a Disaster
As if worrying about security breaches isn’t enough, you also have to plan for how you will protect data in the event of a natural disaster. While you may have time to move equipment and secure data if a hurricane or snowstorm is predicted, a flash flood or power outage can wreak havoc in the blink of an eye. If you are using paper records or a client/server system, information may be lost forever. Smith suggested, “Before you even get to your disaster recovery or incident response plan, you need to have a business continuity plan.” This involves thinking through what will happen if there is a physical disaster so the business can function until the situation is resolved. “Unfortunately,” he said, “many companies have never thought about business continuity or conducted exercises to identify key business systems, how they function, and how they need to function at a minimum.” “The business continuity plan addresses physical things that happen to the business, such as what happens if there is a flood and people can’t get into the office, so when and if it happens, you are prepared,” said Smith. He added that this is part of security and risk programs, which are implicitly tied together.
The incident response plan is designed to address four levels of breach:
- Someone trying to scan your ports (low level)
- Potential harm (such as detection of Malware)
- A breach (someone has gotten into your system)
- Actual data disclosure (the highest level)
“Make sure you don’t reach level four,” cautioned Smith. “If a lost laptop isn’t encrypted, this is considered a breach. If there is personal health information on the device, it is considered data disclosure. You have to report that to CMS and will be fined heavily.” While you hope to never experience a breach or data disclosure, you need to do everything possible to prevent it and prepare for how you will handle it if it occurs.
Like the business continuity plan, the disaster recovery plan addresses a physical emergency. However, this plan is more detailed, particularly concerning recovery efforts. For instance, the disaster recovery plan will address how the organization will replace lost or damaged devices and where/how staff will work if they can’t come into the office. “All plans are tied together, and work to keep your business running during different types of events and get you back to normal as soon as possible,” Smith said.
No one can predict the future, but you can be prepared by ensuring that your data is safe and secure, that practitioners and others have access to the information they need, and that this same information is protected from breaches and threats—both externally and from within. “It is no longer enough to have antivirus software and hope for the best. Cybersecurity support and expertise are now the cost of doing business.”