GOVERNMENT HEALTH IT The Fight to Keep Public-Sector Data Secure
Government Health IT : The Fight to Keep Public-Sector Data Secure
1
2
A GovLoop Guide
CONTENTS Health IT Today | 5 Health IT Timeline | 6 How the Trump Administration Could Affect Health IT | 7 Reducing Ransomware Attacks with a Cybersecurity Framework | 9 How Digital Health Platforms Drive Connected Health | 15 Federal Spotlight: Health & Human Services | 16 How Test Data Management is Helping Deliver Safe Systems For Government | 19 State & Local Spotlight: Colorado | 22 How to Utilize Cloud Technologies to Drive Health and Social Initiatives | 25 About & Acknowledgments | 28
6 Cyberattacks & Risks Health Care Organizations Face | 10
Data Breaches 12
MedJacking 13
Ransomware 20
Insider Threats 21
Lost or Stolen Devices 28
Internet of Medical Things 29
Government Health IT : The Fight to Keep Public-Sector Data Secure
3
EXECUTIVE SUMMARY Health information technology is one of the fastest-growing areas of IT, with the market expected to hit between $104.5 billion and $228.8 billion by 2020. It’s easy to see why, with benefits such as improving patients’ access to health records, physicians’ efficiency and overall focus on disease prevention.
But with the pros always come cons, and when it comes to health IT, the biggest concern is security. Health data is rife with personally identifiable information (PII), making it a prime target for those with ill intentions. Ensuring privacy and security tops the to-do list of anyone in the industry.
“We have witnessed dramatic changes in the adoption and use of health information technology (health IT) over the past decade,” Karen B. DeSalvo, former National Coordinator for Health IT, wrote in a May 2016 blog post. “The nation has transformed from paper-based record keeping into an environment where nearly all of the nation’s hospitals and three-quarters of the nation’s eligible providers are using certified health IT. And from accessible electronic health records to wearable fitness devices and health trackers on smart phones, health IT gives each individual the tools to actively manage their health like never before.”
In this guide, we will take an indepth look at the challenges and risks associated with health IT, and explore ways that the government is addressing them. We’ll also examine what a new president and administration could mean for health IT, and we will get tips from experts at the federal, state and local levels. First up is a look at today’s health IT landscape, and how it’s evolved.
4
A GovLoop Guide
HEALTH IT TODAY Health IT “is a broad concept that encompasses an array of technologies to store, share and analyze health information,” according to HealthIT.gov. It includes electronic health records (EHRs), personal health records, e-prescriptions and all of the networks, computing devices and software involved in those. “A healthcare database contains over 18 PII identifiers (name, address, social security number, etc.), a patient’s private health information (PHI), and a patient’s financial payment information (insurance and credit card information),” according to a January 2016 report by the Institute for Critical Infrastructure Technology (ICIT). Seems pretty complex already, right? Keep in mind that the industry – and technology – is expanding. Up-and-comers include the Internet of Things (IoT) and its associated sensors, wearable technology and wireless apps. Approaches to securing those are still in the works. Meanwhile, cyber criminals are pouncing on opportunities to exploit vulnerabilities, and they’re doing it in record numbers. IBM’s 2016 Cyber Security Intelligence Index named 2015 the year of the health care breach after more than 100 million health care records were compromised and cyber criminals attacked that industry harder than any other. For comparison, health care didn’t crack the top five mostattacked sectors in 2014. The bottom line: Nearly half the U.S. population had personal data health care data compromised in 2015, according to ICIT. Because health data contains myriad PII, it’s attractive to criminals looking to commit medical identity theft and fraud, but it’s also attractive because it lags in cybersecurity measures, according to IBM. For example, only 31 percent of health care organizations reported extensive use of encryption, and 20
percent said they had none at all, according to a survey by England-based IT security firm Sophos last year.
average cost of a data breach for health care organizations is likely more than $2.2 million.
But malice isn’t the only cause for concern. Accidental loss, device theft and user error are also common reasons for data exposure. For instance, 54 percent of those 440,000-plus records stolen in November were caused by employees. Seventeen were erroneous, 14 were not and nine were the result of external hackers.
To better protect data, government entities need to start by beefing up their security teams and centralizing security operations, according to ICIT. What’s more, employees need to be taught how to recognize red flags, such as strange email messages with unfamiliar links or requests for personal information. Employees can also learn how to secure data on approved software and mobile devices as they come into the organization.
Why aren’t health care organizations taking more precautions to secure data? For one, providers, who are the biggest target, are focused on saving lives, not data, according to ICIT. Additionally, “[h]ealthcare organizations and federal agencies dynamically integrate new systems into their infrastructure over time, according to their needs,” the report states. That heterogeneity translates into difficulty in managing and protecting data. What all this means for government agencies is a wakeup call. ICIT laid out two scenarios to illustrate the severity of the need to secure health data: • While Dick Cheney was Vice President, al Qaeda operatives tried to compromise his pacemaker through an unsecured Bluetooth connection. • Criminals could combine personal health information with data stolen in the Office of Personnel Management breach to create a database of intelligence workers and to locate those workers within the United States and abroad. Government officials should also be aware of the expense data breaches bring. A May 2016 Ponemon Institute report sponsored by ID Experts estimates that data breaches could be costing the health care industry $6.2 billion, and that in the past two years the
Government IT officials also need to look more closely at the likely points of entry for cyber attackers. In 2016, ransomware, malware and denial-ofservice (DOS) attacks were the top cyber threats facing health care organizations, according to Ponemon. Other problems to watch out for include internally based threats such as employee negligence, third-party mishaps and device theft. Agencies also need to put in place a solid, multilayer security platform. To do it, they must first do a risk assessment to determine what assets are essential and which would have the least impact if affected. Next, agencies need to run through possible attack scenarios and invest in quality security technology. Such an audit isn’t a one-time deal. Agencies should repeat them periodically to stay up to date with security. What’s more, agencies need to have an action plan in place for when a breach occurs. Officials must consider how they will contain the problem and how they will notify affected parties. Ponemon found that 71 percent of respondents said their organization has a process in place, but many question its effectiveness.
Government Health IT : The Fight to Keep Public-Sector Data Secure
5
HEALTH IT TIMELINE Health care informatics, or information science, started in the late 1960s, according to the Healthcare Information and Management Systems Society. At first, standards arose according to clinical specialty, a major contributor to the fragmented state of health IT today. Here’s a look at what’s happened since:
1994
The Veterans Affairs Department adopts the Veterans Health Information Systems and Technology Architecture as its EHR, tracking millions of veterans’ health information, including e-prescribing.
Jun 2015
The Supreme Court upholds the ACA.
2004
An Executive Order from President George W. Bush titled “The President’s Health Information Technology Plan” creates the position of National Coordinator of Health IT and pushes for most Americans to have EHRs within 10 years.
May 2013
The Office of the National Coordinator (ONC) for Health IT issues a Governance Framework for Trusted Electronic HIE, setting organizational, trust, business and technical principals for the effort.
The Health Information Technology for Economic and Clinical Health Act provides more than $20 billion in funding for health IT, establishes the Health IT Standards Committee and authorizes the Health and Human Services Department (HHS) to establish health IT-based programs, including EHRs and private and secure electronic health information exchange (HIE).
Mar 2010
President Barack Obama signs the Patient Protection and Affordable Care Act (ACA), reforming the U.S. health care industry and funding accountable care organizations, which heavily use EHRs, HIE and other health IT technologies.
Jul 2016
Sep 2015
ONC releases the “Federal Health IT Strategic Plan for 2015-20,” giving federal agencies and partners a map for implementing health IT.
2009
Oct 2015
ONC releases the “Shared Nationwide Interoperability Roadmap,” paving the way for allowing patients more access to their health data and setting federal interoperability standards with three-, six- and 10-year goals.
6
A GovLoop Guide
The General Services Administration releases Health IT Services Special Item Number 132-56, with the goal of making it easier for IT Schedule 70 customers to procure health IT services.
HOW THE TRUMP ADMINISTRATION COULD AFFECT HEALTH IT As the Trump administration begins to settle into place, questions about what the effect will be on health IT remain. One aspect to look at is Donald Trump’s choice to head HHS, Rep. Tom Price, MD (R-Ga.). Price, a physician, has experience with health IT. For instance, he introduced the Meaningful Use Hardship Relief Act of 2015 and co-sponsored the Flexibility in Electronic Health Record Reporting Act of 2016. Still, much about what’s ahead is up in the air. Here’s a look at five things that could happen in health cybersecurity under Trump.
1 2 3 4 5
During his campaign, Trump called for several actions that would beef up cybersecurity. For instance, he sought an immediate review of all cyber defenses and wanted to create a Cyber Review Team to provide security recommendations, establish mandatory cyber awareness training for government employees and improve U.S. Cyber Command.
Despite Trump’s vows to do away with ACA, it is unlikely to disappear quickly. Trump would have to replace it with a new law, and that’s going to take time to shape, said Jeff Coughlin, HIMSS Director of State and Federal Affairs, in a Healthcare IT News story. Others are casting doubt as to whether Congress will repeal ACA in the first place. “I’m not assuming this is a done deal,” Jeff Goldsmith, a National Adviser to consultancy Navigant Healthcare, said in a Jan. 3 article.
Under Trump, policy changes that use digital infrastructure already in place are more likely than dismantling what’s been built, Paddy Padmanabhan, Chief Executive Officer of Damo Consulting, wrote in CIO magazine. For example, some aspects of health IT – such as interoperability and analytics – are simply too beneficial to deny and will likely grow.
Tom Leary, Vice President of Government Relations at HIMSS, told FierceHealthcare that cybersecurity in health IT will likely be a priority for the Trump administration. The society also plans to monitor the new president’s stance on telehealth and IT for infrastructure improvements. “Whether it’s the engagement with the health care community on some level of the [National Institute of Standards and Technology] cybersecurity framework, or elevating the Chief Information Security Officer at HHS to more of an internal and external engagement with stakeholders and increasing the number of cyber professionals in health care, that’s an area we anticipate approaching the new administration with,” Leary said.
Trump has indicated that he could move health IT initiatives to the private sector, reducing government involvement and increasing competition. The most likely program to get scaled back is Meaningful Use, in which hospitals must certify that they’re using EHRs for myriad things to qualify for Centers for Medicare and Medicaid Services Incentive Programs. The Merit-Based Incentive Payment Program, which started this year, replaces Meaningful Use for physicians.
Government Health IT : The Fight to Keep Public-Sector Data Secure
7
8
A GovLoop Guide
REDUCING RANSOMWARE ATTACKS WITH A CYBERSECURITY FRAMEWORK An interview with Ken Durbin - CISSP, Strategist: Cyber Risk Management & Threat Intelligence, Symantec
Ransomware is a category of malicious software which, when run, disables the functionality of a device. The ransomware program displays a message that demands payment to restore functionality. The malware, in effect, holds the device ransom – and requires payment from the organization attacked. And it’s a growing strategy of cyberattack in the public sector, particularly in health care organizations.
uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on organizations.
seen used with Advanced Persistent Threats greatly increasing the impact of a ransomware attack. Therefore, it’s important that strong defenses are incorporated at every level in your agency.
The CSF allows cyber professionals to prioritize their cybersecurity plan and explain it in simple terms, making it easier to gain buy-in from up and down the agency leadership.
To discuss the best ways the public sector can prevent ransomware and other cyberattacks, GovLoop sat down with Ken Durbin - CISSP, Strategist: Cyber Risk Management & Threat Intelligence, Symantec, a global leader in cybersecurity.
“Adopting and implementing the CSF can do a lot to strengthen the cybersecurity posture of an organization as a whole,” said Durbin. “But an additional benefit of the CSF is that you can fine-tune it to assess your organization against a specific threat vector. So if you are concerned about ransomware attacks, you can select the controls and aspects of the CSF that will protect against ransomware and filter it down to those subcategories so you can do an assessment for that specific threat.”
That’s where Symantec can help. Their Integrated Cyber Defense Platform is designed to secure the four pillars of an enterprise information management strategy – Information, Users, Web, and Messaging.
Ransomware is a growing threat in the health care field for a variety of reasons, Durbin explained. One is that the data health care organizations create and maintain is sensitive patient data, making it extra valuable on the black market. Secondly, several hospitals have already been subjected to ransomware attacks and have paid the ransom, emboldening attackers to continue pursuing the ransomware route because they see the payoffs. Finally, ransomware attacks are most often executed via simple phishing emails, making most organizations quite vulnerable. Fortunately, there are steps public sector health care organizations can take to prevent future attacks from disabling their data: adapting elements of the NIST Cybersecurity Framework (CSF), and better security training of the workforce. The CSF is a set of industry standards and best practices to help organizations manage cybersecurity risks that was created through collaboration between government and the private sector. It
Better cybersecurity training of the workforce is another important way to prevent against ransomware attacks, Durbin explained. “Most of these attacks are coming through emails to agency employees,” he said. “This means that training employees how to detect and report phishing emails goes a long way to help reduce the treat. A continuous training cycle to make employees aware they are on the front lines of cybersecurity is an effective way to include them as a part of your overall cybersecurity defense plan. A strong, coordinated response to threats requires more than a prepared and devoted team, Durbin said. Email phishing is still the primary attack vector for ransomware; however, attackers are starting to adopt techniques typically
“In each one of those pillars, Symantec has proven solutions that secure your enterprise against multiple attack vectors,” Durbin said. “By aligning our solutions within the four pillars our customers can tailor their cybersecurity strategies to address their most critical needs fast, then expand over time. We have also taken the extra step of aligning our solutions to the NIST Cybersecurity Framework so as our customers address the four pillars they also know how it helps their CSF efforts.” “The takeaway is that if agencies can look at the four key pillars, and think about how the CSF can work to meet your needs, and properly train your workforce, you’ll be able to take a more holistic approach to securing your enterprise,” Durbin said. As awareness of ransomware attacks and outcomes increases, the attackers and their malware are likely to evolve and use more sophisticated techniques to evade detection and prevent removal. But with an adoption of a more holistic cyber hygiene via the NIST Cyber Framework, and strong training of the workforce, public sector health organizations can work to keep their sensitive and critical patient information safe.
Government Health IT : The Fight to Keep Public-Sector Data Secure
9
6
CYBERATTACKS & RISKS HEALTH CARE ORGANIZATIONS FACE 10
A GovLoop Guide
DATA BREACHES MEDJACKING RANSOMWARE INSIDER THREATS LOST OR STOLEN DEVICES INTERNET OF MEDICAL THINGS Government Health IT : The Fight to Keep Public-Sector Data Secure
11
$50 A 2012 study estimates that data breaches in the health care industry could cost about $7 billion.
In 2016, 91 percent of cyberattacks and resulting data breaches began with a spear-phishing email.
Electronic health records sell for $50 per chart on the black market, compared with $1 for a stolen Social Security or credit card number.
DATA BREACHES The White House defines a security breach as a “compromise of the security, confidentiality, or integrity of, or the loss of, computerized data that results in, or there is a reasonable basis to conclude has resulted in (A) the unauthorized acquisition of sensitive personally identifiable information; or (B) access to sensitive personally identifiable information that is for an unauthorized purpose, or in excess of authorization.”
3 tips to prevent data breaches
1
2
Case Study A hacker or group of hackers by the name of “thedarkoveroverlord” is said to be selling 655,000 patient records, which they accessed by exploiting remote desktop protocol at three health care organizations, according to reports. The stolen information includes names, birth dates and Social Security numbers, putting the victims also at risk for identity theft. Thedarkoverlord provided screenshots in June 2016 of the intrusions as proof. For sale on the dark web, the databases allegedly contain 48,000 patient records from an organization in Missouri, 210,000 records from the central and midwestern United States and 397,000 from Georgia.
3
Thedarkoverlord, who seeks ransom money from victims, asked DeepDotWeb, which gathers information on the dark internet, to post the following message for the companies, according to ComputerWorld: “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.”
12
A GovLoop Guide
The equation to help manage risk is simple, former National Security Agency employee Tony Sager said in December 2016: Risk equals vulnerability, threat and consequence/ controls. “In other words, an organization’s cyber risk is a function of the vulnerability of their systems, the volume and variety of security threats and the consequence of an attack or breach – weighed against the strength of the organization’s controls, what it can do about it.” For specifics on how to assess cyber risks, check out ONC’s free Security Risk Assessment Tool. It will walk you through 156 questions to help you understand your organization’s activities as they relate to Health Insurance Portability and Accountability Act security requirements. “By conducting a risk assessment, providers can uncover technical, physical, and administrative vulnerabilities in their security policies, processes, and systems. When providers address these issues, they can potentially prevent data breaches or other adverse security events,” the blog states. HealthIT.gov offers 11 steps that can help secure health information on a mobile device. They include using user authentication, encryption, remote wiping or disabling, firewalls and security software. The tips also include keeping security software up to date, researching mobile apps before downloading them and deleting all stored health information before discarding or reusing the device.
2020
Security, health care industry (6%) Security, total federal it budget (16%)
2 01 5
The installed base of health care IoT devices, excluding wearables such as fitness trackers, will grow from about 95 million in 2015 to 646 million in 2020.
In October 2016, Johnson & Johnson notified 114,000 diabetic patients that its Animas OneTouch Ping insulin pump was vulnerable to hackers.
MEDJACKING Remember how hackers tried to access Vice President Cheney’s pacemaker? That was a medjacking attempt. A medjack is the hijacking of a medical device, such as an insulin pump, life-support machine, glucose monitor or MRI machine. Often, medjackers look for outdated health-related Internet of Things (IoT) devices and build backdoors into their networks, which often aren’t closely monitored.
Case Study Although no known deaths have been reported as a result of medjacking, the possibilities for tampering with medical devices are many. In 2015, for example, a security researcher said he’d found vulnerabilities in a widely used drug infusion pump – a problem that BlackBerry officials demonstrated in a video. The vulnerability left the pumps open to hackers who might want to raise the dosage limit on patients’ medication.
The health care industry allocates less than 6 percent of the IT budget to security, while 16 percent of the total federal IT budget went to cybersecurity.
3 tips to prevent Medjacking
1
2
The pump used in the example was made by Hospira, and additional research uncovered vulnerabilities in at least five models of the pumps. About 400,000 Hospira pumps are used in hospitals worldwide. That’s just one manufacturer, however. TrapXLabs, part of deception-based cyber defense firm TrapX Security, analyzed three medjacking instances that had the goal of stealing data from a hospital network, and found that hospital employees didn’t know the devices were infected with malware, according to a news report. The devices involved were a picture archiving and communications system at one unnamed facility’s radiology department, a medical X-ray scanner in another and several blood gas analyzers in a third health care institution’s laboratory department that served critical care and emergency services, according to the report. What’s more, once the malware was removed, the devices could be reinfected quickly.
3
To begin to better protect devices, manufacturers and health care organizations need to know more about them. Take an audit of what devices you have and what needs to be secured, understand where vulnerabilities lie in the devices and the network they connect with and determine who has access to the device and the network. Check the U.S. Food and Drug Administration’s guidance for companies manufacturing network-connected medical devices containing off-the-shelf software. “FDA is concerned about the security of networks because vulnerable OTS software can allow an attacker to get unauthorized access to a network or medical device and reduce the safety and effectiveness of devices that connect to those networks,” the agency explained. Have a policy that requires the rapid deployment of software and hardware updates for medical devices and conduct quarterly reviews with all the medical device manufacturers you contract with, according to TrapX.
Government Health IT : The Fight to Keep Public-Sector Data Secure
13
The future of VA healthcare will be built on solutions that are integrated, interoperable, and scalable. Organizations around the world use InterSystems to share health records, improve communication, and coordinate care. We’re working to move healthcare forward—for Veterans and for everyone. Learn more at InterSystems.com/FutureVA
© 2016 InterSystems Corporation. All rights reserved. InterSystems is a registered trademark of InterSystems Corporation. 9-17
CONNECTING VETERANS TO THE BEST POSSIBLE CARE MATTERS.
HOW DIGITAL HEALTH PLATFORMS DRIVE CONNECTED HEALTH An interview with George Hou, Managing Director and National Account Manager for the Department of Veterans Affairs, InterSystems
Anyone who has ever visited a doctor’s office knows the hassle of having to fill out the same health information on different forms. Wouldn’t it be easier if the data was filled out once, then automatically and securely transferred and accessed by your clinician? Patients could forgo the unnecessary paperwork, and clinicians would be able to treat patients better by analyzing more comprehensive and specific data points. Now, imagine the information shared was not just the health history the patient remembered to provide, but also the patient’s entire clinical history held in various electronic medical record (EMR) systems at numerous hospitals, clinics, doctors’ offices, labs and pharmacies. That future may not be far away. Connected health care is a concept that is helping clinicians access comprehensive patient health data and determine which treatments are most likely to work for a patient. These processes are being driven by digital health platforms. GovLoop sat down with George Hou, Managing Director and National Account Manager at InterSystems, a leader in software for connected care and health data interoperability, who is helping the Department of Veterans Affairs (VA) design and implement digital health platforms to advance connected health care for veterans. Digital health platforms help clinicians collect a variety of data points about a patient’s medical history including symptoms, treatments, and genes as if all were collected in one system. Along with collecting and securing data, a digital health platform provides clinicians with context through metadata standards that help standardize the information so that when clinicians and researchers
need to translate the data into actions, they can use the same information securely to meet their individual needs. “If hospitals put together the platform with standards built in, then they can provide data across labs and practitioners without clinicians having to do the translations in their heads,” explained Hou. “Connected health is about bringing data and standards from all of the different systems together through a digital health platform. The platform is the enabler; connected health is providing better care by having a comprehensive view of the patient’s health history for the patient and clinician or care team.” This leads to more consistent diagnoses and treatment no matter where the doctor is located or what EMR platform he uses. Current widely adopted health information technology specifications require hospitals to track data at the document level, meaning that full documents of data should be tagged and trackable (i.e., C32 – Health Summaries, C37 – Labs). InterSystems has empowered hospitals to change this approach by applying standards such as FHIR, a standard focused on data elements. Interoperability at the data element level creates more useful information for clinicians whether they’re treating patients, looking at population health or reviewing specific cohorts. Public sector hospitals run by the VA, Department of Defense, and Indian Health Service are uniquely positioned to implement and benefit from digital health platforms because they can make investments independent from shortterm financial metrics. Organizations can leverage investments in their existing environments and the data can be made interoperable or migrated with a minimum amount of risk, at the lowest
cost. According to Hou, this will benefit the entire health care field. “Public sector hospitals can focus on improved health care, improved population health, improved research, and they can share their insights with the private sector.” Health data currently is very siloed, but by applying these open, interoperable standards to elements of health data, clinicians will have increased capability to adapt to new specifications and cybersecurity measures, pull more comprehensive clinical and administrative data, and gain a better understanding of what the data actually means for treating the patient. Instead of pulling entire health data sets on a patient, clinicians will be able to access only the information they need, resulting in more efficient and effective care. Connected health care has the potential to revolutionize hospitals and treatments for patients, but to truly reap the benefits of all this data, hospitals, doctors’ offices, and labs need to implement standards to share data. The most efficient way of doing so is to leverage what digital health platforms provide. These platforms are crucial to providing better care because they provide clinicians with comprehensive views of a patient’s health history in the way each clinician is accustomed to working. InterSystems HealthShare® health informatics platform is one such product that is already making connected health care a reality. If public sector hospitals invest in secure digital health platforms, then they will be able to break down the data silos both within their networks and externally to provide more effective treatment and services to their patients.
Government Health IT : The Fight to Keep Public-Sector Data Secure
15
FEDERAL SPOTLIGHT: HEALTH & HUMAN SERVICES Health data isn’t new. Federal agencies have been collecting it in some form another for years to do things such as monitor the spread of diseases or track vaccine administration. Today’s technology, however, enables the government to do much more with much more data, but with those benefits come new challenges, particularly in securing health data. Beth Killoran, Chief Information Officer at the Health and Human Services Department, recognizes how IT is changing the health care landscape. “Health IT has enabled a paradigm shift in the way health care is delivered to the American people,” Killoran said. “For example, ONC reports that over 90 percent of acute care hospitals are exchanging patient records quickly, efficiently and securely. Telemedicine — the ability for a patient to be diagnosed and treated remotely — enables individuals in remote areas to be seen or specialists to evaluate patients.” These gains are important, but they’re not without risks. Just as any technology evolves, it brings with it speed bumps associated with adoption and implementation. In the case of health IT, security and privacy top the list of challenges as agencies work to balance their drive to collect information with the protection of it.
is environmental understanding, she added. “First and foremost, you need a comprehensive understanding of your IT environment and data. Without that understanding, it’s difficult to develop an effective cybersecurity program,” Killoran said. Another challenge comes in the form of people, processes and technologies. This means that HHS has put together a comprehensive IT security and privacy program to protect highly personal information through a combination of input from subject-matter expertise, rigorous processes, and effective tools and technologies, Killoran said. A third challenge is dynamism, she said. “IT and data are not static. The protections an agency puts in place shouldn’t be either,” Killoran said. “At HHS we use a data-driven approach to understand emerging technologies and threats to ensure that the program we have in place remains effective.” A common mistake to avoid in securing data is a lack of understanding around the infrastructure and information to be protected, she noted. “It’s critical to train your workforce on proper ‘cyber hygiene’ as well as understand what’s on your network and identify the information that network stores, processes and transmits,” she said.
That’s “why HHS takes data security and privacy so seriously,” Killoran said. “For example, the HHS Office for Civil Rights has issued guidance to entities covered by the HIPAA Privacy, Security and Breach Notification Rules, and has engaged in robust enforcement, in order to assure that health information, as it is increasingly collected, stored and shared digitally, is protected and kept confidential.” One of the major challenges HHS and it operating divisions – such as the Agency for Healthcare Research and Quality, Centers for Medicare and Medicaid Services; and the National Institutes of Health -- face
16
For example, HHS and its agencies handle PII and PHI, which could take the form of a clinic’s health records or a Medicaid claim. “Obviously, this information is very sensitive but, unlike a stolen credit card number or identity theft, the compromise of this information can have very real health and reputational impacts to individuals,” Killoran said. “A granular understanding of your IT environment and the information with which you’re entrusted is critical. That understanding provides the foundation on which the necessary layers of protection are built in a strategic manner.”
A GovLoop Guide
“As the already immense volume of health data continues to grow, so too will the need to protect larger data sets.” Despite these efforts, problems can arise. For those times, HHS has an incident response plan that covers all the potential actions that it would need to address a security incident. “This includes step-by-step processes for incident identification, reporting and remediation as well as the specific roles and responsibilities for incident response personnel and users alike,” Killoran said. “At HHS, we test this response plan twice a year and conduct tabletop exercises that simulate incidents so we can better streamline the process and better understand where there is potential for process improvement.” Looking ahead, Killoran said more robust technology will be used to not only protect data, but detect and understand risks in real time. Some of this is being driven by federal programs such as the Homeland Security Department’s Continuous Diagnostics and Mitigation Program. “Over the course of several phases of implementation, agencies (HHS included) will have a more granular understanding of their complex IT environments and sources of potential vulnerabilities,” Killoran said. “This will allow agencies to more quickly identify and detect threats to data. As the already immense volume of health data continues to grow, so too will the need to protect larger data sets.” “As data become more complex and technology becomes more sophisticated, our workforce needs to continue to maintain vigilance,” she continued. “HHS embraces security as a shared responsibility that is not limited to security professionals; instead we recognize that security is everyone’s responsibility, which informs all of our training and awareness activities. In-depth cyber defense — ensuring that there are many layers of defense that protect data — is critical and will continue to be in the future.”
Government Health IT : The Fight to Keep Public-Sector Data Secure
17
18
A GovLoop Guide
HOW TEST DATA MANAGEMENT IS HELPING DELIVER SAFE SYSTEMS FOR GOVERNMENT An interview with Huw Price, Vice President of Application Delivery at CA Technologies As health care technology and legislation continues to evolve, government health care agencies must continuously deliver improved capabilities and services to the citizens they support. This isn’t always easy, given the time-consuming task of manually testing new software systems as well as the need for reliable test data to thoroughly test systems. Without high quality test data, public-sector IT teams struggle to realize the true potential of using agile development and a continuous delivery approach. GovLoop recently interviewed Huw Price, Vice President of Application Delivery at CA Technologies. CA focuses on providing software for digital transformation within the application economy. Price shared how test data management can impact continuous delivery of robust systems by public-sector health care organizations, and how these agencies can adjust and deliver better software and services to their citizens. Today in health care software development, as there is in much of government, there is a constant demand for process improvement, and for IT teams to work on accelerating time to market of their applications, mitigating risk, protecting information and patient data, and raising the quality of the user experience. This, however, can be challenging as health care organizations still use legacy software and must deal with siloed data and records. Legacy testing software was built in an era of client server technology, where everything was isolated and stovepiped. This can make continuous delivery – a software development discipline where software is built and designed in such a way that the software can be released to production at any time – nearly impossible.
This is where an effective Test Data Management practice can help. Test Data Management (TDM) is all about having the right data delivered to the right place, at the right time. It’s a critical function that can deliver endless benefits to health care government organizations. A major challenge faced is that most organizations lack a central TDM team or data provisioning service. This means that testers spend valuable time looking for or waiting for test data, which leads to testing bottlenecks that make agility and continuous delivery difficult. “We’ve seen teams that had two or three week sprints, but spent nearly a month preparing the data for the sprint,” Price explained. Additionally, masking or subsetting production data means testing teams having to actually go and find the data to use. For health care organizations, who maintain significant amounts of Personally Identifiable Information (PII) and Protected Health Information (PHI), this is an arduous task, exacerbated by the inconsistent storage of data in uncontrolled spreadsheets. “Additionally, you might have masked the data in the production system, but there still may be a phone app or a flat file that’s coming in, which is in an access database, that is being transformed,” Price explained. “And if you don’t know about that, then you’re opening yourself up to data theft or issues that relate to not knowing where your data is at all times.” That’s why TDM is so important. CA solutions allow organizations to significantly accelerate their quality lifecycle by providing greater test coverage, faster test creation and repeatable test execution for software assets, while considerably reducing the time and resources required to bring products to market.
With a complete, end-to-end approach to TDM, driven by business requirements, organizations can test, mitigate risk, and minimize defect creation, thereby delivering quality software faster, and for less costs. CA offers their product, CA Test Data Manager, to automate the creating, maintaining and provisioning of the test data needed to rigorously test evolving applications. They also work alongside HMS, a certified CA Partner that provides a broad range of health care cost containment solutions to help agencies improve performance via innovative technology and powerful data services and analytics. “The world is changing into having clearly defined models of processes and data and it’s critical to be able to adapt to change,” Price said. “Without building a model, every time you have to do new work or software development, you have to start from scratch. But if you have a model, all you have to do is change the model. The model can be used to autogenerate the correct record types and help to start testing earlier, helping the developers, testers and users deliver higher quality faster. This is why TDM matters.” The application economy requires health care organizations to deliver higher quality applications faster than ever before while keeping sensitive data more secure than ever before. Legacy testing tools and reliance on manual testing are not suited for the speed and number of changes necessary to achieve continuous delivery. But with TDM tools, health care IT departments can remove bottlenecks in their software development lifecycle, protect critical data, and get citizens the life-saving services that they need.
Government Health IT : The Fight to Keep Public-Sector Data Secure
19
362,
4,000 Hospitals are the target of 88 percent of ransomware attacks.
On average, over 4,000 ransomware attacks occurred daily in 2016 – a 300 percent increase over the approximately 1,000 attacks per day in 2015
00 0
In 2015, 362,000 new crypto-ransomware variants were identified, an average of nearly 1,000 new variants per day.
RANSOMWARE Ransomware is a type of malicious software, or malware, that attempts to deny access to a user’s critical data, usually by encrypting it with a key known only to the hacker, until a ransom is paid, according to an HHS definition. Hackers may also use ransomware that destroys or exfiltrates data. Spear-phishing is a common ransomware delivery mechanism.
Case Study Remember when hospital workers used pens and paper to record patient information? The staff at Hollywood Presbyterian Medical Center in California remembers it well – because that’s what they resorted to after hackers held its data for ransom last February. The hackers demanded 9,000 Bitcoin, or about $3.4 million, to restore the hospital’s data, according to one report. And while email servers were shut down, ambulances were diverted from the hospital, departments communicated via fax and patients had to pick up test results in person. Ultimately, the hospital paid $17,000, or 40 Bitcoin, to the hackers, according to another news source. That’s in accordance with FBI recommendations to pay hackers to regain data. “The malware locks systems by encrypting files and demanding ransom to obtain the decryption key,” hospital Chief Executive Allen Stefanek told the Los Angeles Times. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”
20
A GovLoop Guide
3 tips to prevent Ransomware Attacks
1 2 3
The HIPAA Security Rule requires implementation of security measures that can help prevent ransomware. They include conducting a risk analysis, implementing access controls that limit who can get to PHI and training users on malicious software protection. Enable strong spam filters to prevent phishing emails from reaching end users and configure firewalls to block known malicious IP addresses, Justice states. Back up your computers and servers regularly, and keep plugins and patches up to date.
48%
84%
92% Ninety-two percent of health care IT decision-makers say their organizations are somewhat or more vulnerable to insider threats, and almost half said they were extremely vulnerable.
Users without admin rights account for 84 percent of data breaches.
Forty-eight percent of IT executives named insider threats as a top concern in the next 12 to 18 months.
INSIDER THREATS “An insider threat is generally defined as a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organization’s information or information systems,” according to a report from the National Cybersecurity and Communications Integration Center.
Case Study July 2016 was a rough month for Ambucor Health Solutions, which discovered two insider data breaches at that time. One affected about 2,500 patients of South Carolina’s Greenville Health System, and the other affected 1,745 cardiology patients at Berkshire Medical Center (BMC) in Pittsfield, Mass. In the first incident, a former Ambucor employee downloaded electronic PHI before leaving the company. Two flash drives containing patient data were turned in to law enforcement officials, revealing that about one-fifth of cardiac-monitored patients had been affected. Exposed data included names, birth dates, phone numbers, home addresses, race, prescribed medications, medical diagnoses, patient ID numbers, physicians’ names and details of the medical device, such as model, serial and ID numbers. In the second breach, an employee sent 41 patients’ PHI to a personal email account before leaving the company. An investigation showed that more patients had been affected because the former worker had also copied information onto two thumb drives, which law enforcement recovered. Similar information to the first breach was exposed.
3 Employee behaviors to watch for that indicate insider threats
1 2 3
The company provided a one-year, $1 million identity theft insurance policy and credit monitoring to the affected patients.
Government Health IT : The Fight to Keep Public-Sector Data Secure
Remotely accessing the network while on vacation, sick or at odd times. Working odd hours without authorization. Unnecessary reproduction of material, especially if it is proprietary or classified, unusual interest in matters outside the scope of their duties and sudden changes in wealth or amount of foreign travel.
21
STATE & LOCAL SPOTLIGHT: COLORADO The Colorado Benefits Management System (CBMS) and Program Eligibility and Application Kit (PEAK) are the main conduits for medical and other assistance for Coloradans in need. And with more than 2 million cases having gone through the system, protecting the data is no small feat for the Governor’s Office of Information Technology (OIT).
OIT also has adopted the National Institute of Standards and Technology’s Cybersecurity Framework to help operationalize the framework in its environment. So far, it has implemented components of all 20 critical security controls, and OIT continues to execute subcontrols and mature the security of the program statewide for all data, not just health data.
One of the biggest security challenges is training IT employees about health data and associated HIPAA requirements, said Deborah Blyth, Colorado’s Chief Information Security Officer. “We have partnered with the agencies and borrowed from their training and put our IT folks through that training to ensure that they’re getting training that is specific to HIPAA requirements,” Blyth said. “We’d love to have some training that’s more customized for IT, not just sort of generic HIPAA training but more customized to technologists who might be interacting with that data, but not necessarily trying to use it.”
To help ensure compliance with all the regulations, OIT is working on implementing a governance, risk and compliance tool. “It would give us a repeatable format and framework so that we can continue to evolve our controls and continue to test against all of those to ensure that we’re meeting them,” said Blyth, adding that health data is some of the most regulated data the state deals with.
Another challenge is meeting regulatory obligations from federal departments such as the Centers for Medicaid and Medicare Services, Internal Revenue Service and Social Security Administration. Most recently, OIT has been working to comply with CMS’s Minimum Acceptable Risk Standards for Exchanges Version 2, which calls for security controls over the state’s Affordable Care Actmandated health insurance exchange. “We’ve got a secure software development lifecycle that includes security so that we are building security in from the beginning,” Blyth said. “We’re also using a trusted partner that I think has been a good source and a good partner for ensuring that security is built in appropriately. We also have used a third party to do security reviews of the system, which has helped us to highlight areas where we need improvement, and then we’ve certainly got a plan of action and milestones in place to continue to improve the system.”
22
OIT is also working to better coordinate with the two agencies it operates CBMS on behalf of: the Colorado Department of Human Services and the Health Care Policy and Financing agency. One way it’s doing that is through incident response tabletop exercises. “What if there is a data exposure of health care data? How would we respond to that?” Blyth said. “Each time that we’ve gone through these tabletop exercises, we’ve identified additional groups that we need to pull in, so we’ve been including the communications folks like the public information officers from all of the agencies. We’ve been including members of the business [teams], leadership and other folks, not just the IT folks, because we started to realize it’s not just the technical response. It’s more of a communication, it requires leadership, it requires folks to look at it from a privacy perspective as well as a health information perspective to get the true scope of how we would need to respond.”
A GovLoop Guide
“We’ve got a secure software development lifecycle that includes security so that we are building security in from the beginning.” Officials are aware of what’s happening on the network at all times through a central security operations center that monitors it. “We continue to enhance the logging capability and the event-monitoring capability across the network, and so that is something that we are continuing to put, I would say, even more monitoring in place for CBMS,” said Bill Stevens, Director of Healthcare Information Services and CBMS. Health IT is such a priority in Colorado that at the end of 2015, Gov. John Hickenlooper issued an Executive Order creating the Office of eHealth Innovation (OeHI) and a new governance structure, the 15-member eHealth Commission. A draft statewide health IT plan is expected no later than fall 2017, Mary Anne Leach, Director of OeHI, said in a written response, adding that security and privacy are top concerns in the planning process. “The ability to automate and facilitate improved and more granular ‘consent management’ is on our list of key objectives as we develop our statewide health IT plan,” Leach said. “We’ll also look at policy and standards in terms of privacy and security, though normalizing these at the federal level would be more useful than standards established by individual states. State-based privacy and security standards present challenges to regional referral centers, multistate health systems, as well as health IT vendors (and ultimately, providers and patients).” OeHI is considering using emerging technologies such as blockchain as officials evaluate federated identity management models, and the state started an effort to specify the office’s requirements for a master person index and master provider directory – “both of which will also help to ensure privacy, security and accuracy of health data,” Leach said.
Government Health IT : The Fight to Keep Public-Sector Data Secure
23
AMERICAN HEART ASSOCIATION USES THE AWS CLOUD TO MAKE PERSONALIZED MEDICINE POSSIBLE, DO YOU?
WISH YOU WERE HERE.
American Heart Association and AWS are harnessing the power of big data to revolutionize cardiovascular science and medicine. Visit now and see how your nonprofit can speed up its promise for medical breakthroughs through the use of open data.
24
A GovLoop Guide
HOW TO UTILIZE CLOUD TECHNOLOGIES TO DRIVE HEALTH & SOCIAL INITIATIVES An interview with Michael Jackson, Health Care Strategy Lead for Worldwide Public Sector, Amazon Web Services
With missions ranging from detection and mitigation of epidemics to finding safe and caring homes for children in need of stability, public health and social services are critical to keeping citizens and communities healthy. But enacting the technology to support these services has traditionally been costly and results have varied. Monolithic procurements and transactional approaches system-wide have often left health and human services programs and their beneficiaries isolated in siloes instead of benefitting from one another. But with current technology – especially cloud computing – the public health care system no longer has to function like this. In order to learn more about how health and human services agencies can modernize and utilize secure cloud technologies, GovLoop sat down with Michael Jackson, Health Care Strategy Lead for Worldwide Public Sector at Amazon Web Services (AWS), a leading commercial cloud provider. Jackson explained that cloud-based modernization solutions are particularly applicable to health care agencies because they offer the ability to bring disparate silos of data together among interdependent programs and providers. Then modern tools, like big data analytics and artificial intelligence, can be employed to enable better decision making for all health care and human services stakeholders. Several health care stakeholders in the public sector that benefit from cloud technology are human services agencies, health care providers, and researchers. While each has their own place in the health care ecosystem, it is critical that these stakeholders are able to share and access information securely within and between their enterprises.
Connecting stakeholders is especially critical in health and human services because benefits are often delivered by a number of different but related organizations. This means that agencies should have controlled access to each other’s data and work from a single source of truth in order to develop a comprehensive view of the citizen and their needs. Where possible, it would also be of great benefit to health and human services cabinets and states in general to understand and quantify the amount spent per citizen, and correlate any related benefits they may be receiving. Cloud solutions can facilitate this coordination and sharing across agencies to minimize redundancies and, more importantly, improve lives. AWS has identified three pillars to accomplish these goals in the health care space within the public sector. First, they aim to accelerate enterprise modernization. “From the inside out we look to help our government customers migrate in an incremental way from outdated legacy architectures to a modular, agile, cloudbased approach that is much more cost effective,” Jackson explained. “This is particularly helpful in health care because oftentimes agencies are using outdated systems tied to error-prone processes that are still paper-based.” Second, AWS helps agencies to more effectively execute on their respective missions and adopt solutions that collectively result in healthier communities. This is facilitated by bringing together disparate datasets and offering powerful tools to visualize that data and maximize its value. “It’s more than aggregation of data,” Jackson said. “This is the ability to glean hidden insights from a multitude of data sources, like pieces to a puzzle, and
ultimately transform the ways that public services are designed and consumed.” The third pillar focuses on care transformation. Specifically, this includes transformation of the delivery of care, as well as helping to transform its payment systems. For care delivery, AWS focuses on making sure that across locations, providers are able to securely consult, collaborate, and update information as a patient travels from one health system to the next. Jackson explained that coordinating care can greatly improve clinical outcomes and experiences for the patient. In order to make quality-based payments of care more efficient, AWS solutions bring together data and analytics to help detect fraud, optimize utilization rates, and help determine how the state or agency can best allocate its funds. “It’s so more than just technology,” said Jackson. “We encourage our customers to take an innovative start-up like approach to improving outcomes by solving longstanding traditional problems and reevaluating the way resources are allocated. And the cloud enables that innovation without requiring significant sunken costs in capital equipment and infrastructure.” By focusing on these three pillars and how cloud can support them, health care agencies will be able to modernize in a way that will promote efficiency internally while providing personalized services to patients and citizens alike. Secure cloud technologies have the ability to transform the way health care agencies operate and ultimately have the capacity to shape the health and welfare of tomorrow’s communities.
Government Health IT : The Fight to Keep Public-Sector Data Secure
25
45% Lost and stolen devices account for about 45 percent of all breaches.
Seventy-four percent of hospitals that use tablets or other mobile devices to collect patients’ information are more efficient than those that don’t.
As of 2013, more than 5,000 physicians at the Hospital Corporation of America, an operator of almost 300 health care facilities in the U.S. and U.K., used tablets.
LOST OR STOLEN DEVICES The term “health care IT devices” encompasses many things, as we have seen here so far. But common devices that practitioners use are laptops and tablets. This makes sense when you think about it. Rather than toting around heavy files of handwritten notes, doctors, nurses and other providers can carry a tablet with all the information they need a click away. At the same time, however, the use of tablets creates a security problem. If one of those tablets containing all that data goes missing, what happens to the information?
Case Study In 2015, Hartford Hospital and EMC (now Dell EMC), paid Connecticut $90,000 after an unencrypted laptop containing patient information on more than 8,800 state residents was stolen in 2012 from an EMC worker’s home, according to PCWorld. The laptop was not found. The hospital had hired EMC to help with a project relating to analyzing patient data, and the employee had worked for a company that EMC acquired. The data on the missing computer included PHI as defined by HIPAA. More recently, personal data on about 15,000 members of Oregon’s CO-OP, a nonprofit health insurance company, was stolen from a password-protected laptop, according to news reports. Although the machine contained no medical data, it did have the names, Social Security numbers, addresses and birth dates of current and former CO-OP members and their dependents.
26
A GovLoop Guide
3 tips to prevent device loss
1
2 3
Use a device key, password or other user authentication to control access to the data on the device. Enable remote wiping and disabling so that you can still remove all data should the device be lost or stolen. Train users on mobile device privacy and security awareness, including what steps to take if they misplace their device.
The IoMT market is expected to hit $117 billion by 2020.
More than half of major new business processes and systems will involve IoT in some way by 2020.
But by 2020, 25 percent of all enterprise breaches will involve IoT.
INTERNET OF MEDICAL THINGS The Internet of Medical Things (IoMT) is the “collection of medical devices and applications that connect to health care IT systems through online computer networks,” according to TechTarget. Examples include remote patient monitoring, tracking medication orders and the location of patients in hospitals, wearable devices and infusion pumps. IoMT that helps providers monitor patients at home is called telemedicine, the site adds.
Case Study Let’s look more closely at the threat to Johnson & Johnson’s insulin pump, which we highlighted under medjacking. The benefit of the pump to patients is that it has a remote control so that they don’t have to remove their clothing to give themselves an insulin dose, as is typically the case. The problem is that the wireless connection between the remote and the pump is unencrypted, according to Axiom Cyber Solutions.
3 tips to Secure Iomt
1
That vulnerability means the pump can be hacked within a 25-foot radius of the patient. “With the right radio equipment, a hacker can take control of the pump and trigger unauthorized insulin injections,” Axiom says. Too much or too little insulin can have fatal results in diabetic patients. Although no reports of pump hacking have been made, Johnson & Johnson issued a warning about the problem after computer security firm Rapid 7 discovered it. Johnson & Johnson also said users who are concerned about hacking can turn off the radio frequency feature and set the pump to vibrate when an insulin dose begins, which would enable them to cancel the delivery if need be.
2 3
Government Health IT : The Fight to Keep Public-Sector Data Secure
IoMT vendors should provide internal segmentation firewalls, which operate inside the network rather than at the edge, allowing health organizations to segment networks among patients, administrators, health care professionals and guests, in addition to separating it among devices such as heart monitors and infusion pumps. Prioritize which devices need the most monitoring and protection. Put a team in place to study threat intelligence so that real-time threat and mitigation updates can be made.
27
ABOUT & ACKNOWLEDGMENTS About GovLoop GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government. For more information about this report, please reach out to info@govloop.com.
Thank You Thank you to Amazon Web Services, CA Technologies, DLT Solutions, HMS Technologies, InterSystems and Symantec for their support of this valuable resource for public-sector professionals.
Author Stephanie Kanowitz, Writer
Designer Kaitlyn Baker, Graphic Designer
28
A GovLoop Guide
Government Health IT : The Fight to Keep Public-Sector Data Secure
29
1152 15th St. NW, Suite 800 Washington, DC 20005 (202) 407-7421 F: (202) 407-7501 www.govloop.com @govloop
30
A GovLoop Guide