I recently read an article in HealthIT Security that analyzed the breaches reported to the Department of Health and Human Services Office for Civil Rights (OCR) between January 1, 2016, and June 1, 2016. According to the article:
“There have been 114 incidents reported to OCR between Jan. 1, 2016 and June 1, 2016. Of those, 47 (41%) were classified as being caused by unauthorized access or disclosure.”
The remaining events were classified as follows: hacking/IT incident (34); theft (26); loss (5); and improper disposal (2).
In its summary of the HIPAA Security Rule, the Department of Health and Human Services says covered entities must implement technical safeguards against unauthorized access to, and improper alteration of, e-PHI, including:
- Access Control: A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
- Transmission Security: A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
- Audit Controls: A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
- Integrity Controls: A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
In 2014, AHA’s Hospital & Health Networks magazine presented the seven most commonly used security tools to prevent unauthorized access to patient data. Number one on the list, used by 94 percent of the “most wired” hospitals, was “Intrusion Detection Systems.”
The three types of Intrusion Detection Systems (according to SANS) are:
1. Network Based (Network IDS): A network IDS – fed by a network tap, a SPAN (mirror) port, or a hub – collects packets that traverse a given network segment. Using the captured data, the IDS processes the traffic and flags anything that matches its signatures or looks anomalous, e.g. Snort.
2. Host Based (HIDS): HIDS generally involves an agent installed on each system, monitoring and alerting on local OS and application activity (logs, process and user activity, file changes). The installed agent uses a combination of signatures, rules, and heuristics to identify unauthorized activity, e.g. OSSEC, Tripwire and AIDE (both primarily file-integrity monitors), Prelude Hybrid IDS.
3. Physical (Physical IDS): Physical intrusion detection is most often seen as physical controls put in place to ensure CIA (confidentiality, integrity, and availability), e.g. security guards, cameras, motion detection systems, access control systems, etc.
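To make the HIDS description concrete, here is a miniature host-based detector written for this page as an added example; it is not code from the original article, nor from OSSEC, Tripwire or AIDE. It does the two things those agents do on a host: build a SHA-256 baseline of files and report what was added, removed or modified (the "integrity controls" requirement above), and apply signature and threshold rules to log lines (the "audit controls" requirement). The log lines, the `/var/lib/ehr/` path and the `ehr1` hostname are constructed for illustration, not a real capture.

```python
"""Miniature host-based IDS: file-integrity baseline plus rule-based log matching.

Added example, not code from the original article or from OSSEC/Tripwire/AIDE.
The paths, hostnames, rules and log lines below are constructed for illustration.
"""
import hashlib
import os
import re
import tempfile
from collections import Counter


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare_baseline(old, new):
    """Report files that were added, removed or modified between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


# Constructed auth-log lines in sshd/sudo style (hypothetical host "ehr1", not a real capture).
SAMPLE_LOG = """\
Jun  3 10:01:12 ehr1 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51212 ssh2
Jun  3 10:01:14 ehr1 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51214 ssh2
Jun  3 10:01:15 ehr1 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51215 ssh2
Jun  3 10:01:17 ehr1 sshd[2211]: Failed password for root from 203.0.113.7 port 51220 ssh2
Jun  3 10:01:19 ehr1 sshd[2211]: Failed password for root from 203.0.113.7 port 51222 ssh2
Jun  3 10:05:40 ehr1 sshd[2240]: Accepted password for nurse1 from 10.0.5.23 port 40111 ssh2
Jun  3 10:06:02 ehr1 sudo:  nurse1 : TTY=pts/0 ; PWD=/home/nurse1 ; USER=root ; COMMAND=/bin/cat /var/lib/ehr/patients.db
"""

# Signature rules: a failed SSH login, and a sudo command touching the (hypothetical) PHI store.
FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
SUDO_READ_PHI = re.compile(r"sudo:\s+(\S+) : .*COMMAND=\S+ (/var/lib/ehr/\S+)")


def analyze_log(text, threshold=5):
    """Apply the rules line by line.

    A brute-force alert fires once per source IP when its failed logins reach
    `threshold`; a phi_access alert fires for every privileged read of the PHI path.
    """
    alerts = []
    failures = Counter()
    for line in text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            src = m.group(2)
            failures[src] += 1
            if failures[src] == threshold:
                alerts.append(("brute_force", src))
        m = SUDO_READ_PHI.search(line)
        if m:
            alerts.append(("phi_access", m.group(1), m.group(2)))
    return alerts


def demo():
    """Build a baseline in a scratch directory, tamper with it, and run both detectors."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0::/root:/bin/bash\n")
        with open(os.path.join(root, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        before = build_baseline(root)
        # Simulated tampering: append a UID-0 account, delete a file, drop a rogue script.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("backdoor:x:0:0::/root:/bin/bash\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        with open(os.path.join(root, "rogue.sh"), "w") as f:
            f.write("#!/bin/sh\n")
        diff = compare_baseline(before, build_baseline(root))
    return diff, analyze_log(SAMPLE_LOG)


if __name__ == "__main__":
    changes, found = demo()
    print("integrity:", changes)
    print("alerts:", found)
```

Two design points carry over to real deployments. The baseline must be stored somewhere the monitored host cannot rewrite (a management server, as OSSEC does, or at least a signed file), otherwise an intruder who can edit `/etc/passwd` can edit the baseline too. And the brute-force rule fires once at the threshold rather than on every subsequent failure, which is the difference between one actionable alert and a flood that gets ignored.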
Given the share of incidents caused by unauthorized access, and the fact that intrusion detection is the most widely deployed security tool among the “most wired” hospitals, there is a strong business case for fully funding all three types of IDS to safeguard patient data. One caveat: an IDS is a detective control. It satisfies the audit-control requirement above and shortens the time between an intrusion and its discovery, but it prevents a breach only when someone reviews and acts on its alerts.
In the meantime, be sure to delve into CIS Critical Security Control No. 14, “Controlled Access Based on the Need to Know.”
If you’re interested in a quick read on the peril of unauthorized access at Anthem (80 million records exfiltrated), check out this article on The State of Security blog.