Tackling latent risks in health IT security

BOSTON—Although they lay dormant, latent risks pose real potential to undercut health IT security, Fernando Martinez, senior vice president and CIO of Texas-based Parkland Health and Hospital System, said at the HIMSS’ Privacy and Security Forum on Sept. 9.

Martinez cited a survey in which 51 percent of employees indicated they would work around any security policies that restricted their technology use. “We don’t have a lot we can do to completely deal with the problem,” he admitted.

However, Martinez pinpointed “latent risks” that deserve that to be on the radar of healthcare executives and IT security leaders:

• The Internet of Things (IoT): The interconnectedness of anything digital, which connects modalities not historically connected to hospitals, opens up a whole slew of security weaknesses—especially as larger amounts of data stream in. “The more things you connect, the more exploit vectors you have,” he said. With each new device connected, the risk portfolio grows.
• Business associates: “This is a big issue for us,” he said, as any company under contract with a hospital can be the locus of a breach or unauthorized access to protected health information.
• Distributed data: “This is a huge latent risk,” Martinez said, noting that this deals with the ease with which data are propagated. “Unless you have a fullproof way to mitigate this, you are not managing it well.”
• Cloud storage: Martinez compared it to nuclear power, noting when the tsunami disaster struck in Japan, many realized the risk potential inherent in this power source. “We haven’t had that big breach yet, we haven’t had that tsunami,” he said. Once data are in the cloud, he said there are “too many possibilities” around access boundaries and the life cycle of data, and limited ability to control data in the cloud.
• USB drives: Any removable media designed to interoperate with computer systems in healthcare settings create risk. “Anything you can plug in can simulate a network connection,” he said. In fact, even a smartphone getting charged up on a computer can be used to perpetuate an exploit, he said.
• Bring Your Own Device: “For me, it’s an area we have to come to terms with,” he said. Even the best virus protection can’t protect against malicious elements. If you have a key logger, it could compromise credentials.  
• Social engineering: The clever manipulating of the natural human tendency to trust is a security weakness. Martinez said his system launched phishing attacks against its own employees to see if the workforce would be susceptible to it. “The results were not good,” he said. “Human nature as it is, it’s a difficult, difficult problem to address.” Even education is not enough to prevent the problem.
• Data breach fatigue: With a reported 110 million U.S. victims of breaches, fatigue begins to set in, creating an overly lax attitude about breaches.

With these latent risks in mind, Martinez suggested the following considerations: cyber insurance; abstraction; anomalous activity detection and alarm systems; and education.

But, "there is no silver bullet,” he concluded.