The number and variety of cybersecurity threats - from the hacking of Democratic National Committee (DNC) email servers to ransom-ware attacks on healthcare organizations – is on the rise. In a recent blog post, Dr. Karen DeSalvo, Acting Assistant Secretary for Health, quantified the problem by noting that criminal cyber-attacks against healthcare organizations are up 125% compared to five years ago and now surpass employee negligence and lost or stolen laptops as the top cause of health care data breaches. What can be done to mitigate these threats?
Current approaches to healthcare cybersecurity typically involve some combination of end-user training, passwords, multifactor authentication and technical solutions such as virtual private networks (VPNs). Some organizations use sophisticated intrusion detection and blocking technology or hire outside firms that specialize in finding weaknesses, penetrating defenses or conducting retrospective reviews. These traditional techniques are mostly passive and backwards-facing. They are isolated to a specific organization and are subject to internal breach by employees and others who have legitimate credentials which they use for nefarious purposes. Historically it has been difficult to detect this type of misuse, much less prevent it from occurring. Solving these kinds of problems requires large scale analytics and real-time collaboration.
I once served as the co-chair of the enterprise security committee for a large integrated health system. Although we invested significant effort and resources, our attempts to use data to identify threats were largely ineffective. Traditional analytics simply are not up to task of sorting normal use from abuse. Annual awareness training helps but people forget, make mistakes or learn to cover their tracks when doing evil.
Happily, there’s a new sheriff in town. Health IT leaders are starting to leverage tactics used by the CIA, NSA and foreign intelligence services ranging from the UK to Israel. Although we are just beginning, it is a step in the right direction. Many of these new strategies are modeled on traditional Security Operations Centers (SOCs) and depend on real-time data flow. Threat monitoring and collaboration across organizations and scenario-based education for end-users are performed in real-time. SOCs leverage “big data” analytics to find the “needle” of suspicious or destructive individual behavior in “the haystack” of regular user activity and then immediately share information about threats and attacks with all participating organizations and individuals.
My colleague, Mark Dill, who is a security expert and partner at tw-Security, said, “The best training is scenario-based and is delivered real-time. For example, to defend against spear phishing attacks, leading hospitals use proactive phishing services that go beyond awareness.”
APIs (Application Programing Interfaces) and web services provide a number of security-related advantages. Well-designed APIs can control user and application access down to individual fields and records within a database. Security can be designed into the middleware so that it leverages an organization’s existing security model and can be configured to require specific user and application credentials for every single transaction.
Another API advantage relates to data “at rest” or data that is in persistent storage. APIs delivered via RESTful web services do not persist data beyond the immediate connection. Once a transaction is complete, the data disappears. This is a major contrast to traditional HL7 interfaces that must replicate and store data. All of that data “at rest” provides a secondary, tempting and on-going target for attackers.
Beyond these significant advantages, it seems clear that bringing active surveillance in the form SOCs to healthcare will require far more data than user access logs to be successful. Success will require patient, care team and other pertinent information to be included via APIs to enrich the data set and power advanced analytics. There is no other established way to provide the data needed by these applications in real-time while also improving connectivity and collaboration between applications and organizations. APIs are a ready-made solution and will be essential to bringing SOCs to healthcare.
To summarize, the future of healthcare cybersecurity will likely rely on access to large and diverse data sets coupled with sophisticated analytics and the ability to share information across organizations and between specialized third-party applications – all in real-time. Traditional approaches to integration have inherent weaknesses. And, while the healthcare industry and health data has unique security and privacy considerations, these can be addressed: APIs and web services are robust, transmit in real-time, do not persist data and support connectivity and deep integration. Other industries have discovered that using APIs is a good way to get those capabilities. Healthcare is beginning to learn this as well.
Given the importance of cybersecurity in healthcare, the growing threat, and the solutions available to address the problems, what are we waiting for?