I've had the unfortunate opportunity to be part of yet another HIPAA security breach involving PHI. A "sophisticated phishing attack" circumvented the security technology we had built. We do a full HIPAA audit yearly and shore up gaps, but I want to share with you how we got breached despite all of the technology work done over the past 10 years to follow the HIPAA guidelines. Prepare yourself; the likelihood of it happening to you is greater than you think. The weak link in the armor you've built trying to meet the guidelines is (spoiler alert) users. It began when we stepped too far across the blurry line between secure business effectiveness and the convenience of anywhere access.
I am the CIO at the health system I've been with for over 17 years. I started in tech support, and the big anticipated event was when everyone thought the systems would shut down for Y2K. Those were the days when computers were standalone for back-office use, modems were required to let someone out onto the internet, and the likes of the Michelangelo virus was a "holy cow" hacking event. Medical records were on paper, and billing and charges were fed into terminals feeding the mainframe beast in the basement data center. Time progressed; EHRs are now the backbone of the clinical process. The internet has become a commodity to the point that people are shocked when the guest wireless is too slow for their game of Candy Crush, and viruses and hacking cost companies thousands to millions of dollars each year.

To transform the system into a fortress, the HIPAA and NIST 800 series guidelines gave instructions on how to build your own security program to protect your PHI and PII, flexible enough to allow healthcare systems latitude in picking the technology that fit them best. Build the perimeter, set up sniffers behind the wall, scrub outbound data, and discourage unauthorized entry. Then we needed to build portals into the perimeter walls so people could get in from off network, because the workplace was no longer the only place work gets done; easy answer, 2-factor authentication. Key fobs were the answer because the number of people needing to get in was limited: physicians and management were assigned the fobs. Then the next layer of access was requested. Employees needed access for HR purposes like paycheck stubs so they no longer had to be printed, W-2s so they didn't have to be mailed, and communications (webmail) to get information, like yearly benefits documents, out in an efficient and cost-effective manner so staff could review it at home.
These are all very important and should be expected of any company. But we went from a 2-factor requirement to a single-factor password for just a couple of HR-specific data items. We have the technology in place to stop hackers from busting into our network. But then again, who needs to hack the technology when it's easier to hack (aka phish) the people using the technology into giving away their keys (aka passwords) to the portal door? A hacker doesn't need to be on your network to get into your EHR to get PHI; having access to a user's webmail is all it takes. Does your company allow PHI to be sent via email for internal purposes? It doesn't matter, because it happens anyway.
Cut to the chase. Here is what every health system IT department needs to ask itself: do you expect every single person who has a username and password to your network to be able to recognize a phishing email, or at least not to click on links or attachments when they don't recognize the sender or the intent? A simple email from "IT Helpdesk" is a very successful method of acquiring usernames and passwords. Then you have to figure out whether the remote logins are your staff or the hacker using the staff's credentials.
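That last question is where the detection work lives. As an added example (not from the original post, and not the health system's own tooling), here is a small Python triage script that runs over webmail portal login records and flags the patterns an attacker working a batch of phished credentials tends to leave: a login from outside the home country, the same account authenticating from two countries within an hour (impossible travel), and one source address logging in as several different users. The log format, the IP-to-country table, the usernames and the thresholds are all constructed assumptions for this illustration; a real deployment would read the portal or OWA authentication log and use a GeoIP database.

```python
"""Flag suspicious webmail logins after a credential-phishing campaign.

Added example, not from the original post. The log format, the
IP-to-country lookup table, the user names and the thresholds are
constructed assumptions; swap in your own portal auth log and a real
GeoIP database.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a GeoIP lookup (documentation-range addresses).
IP_COUNTRY = {
    "203.0.113.10": "US",
    "203.0.113.11": "US",
    "198.51.100.7": "NG",
    "198.51.100.8": "RO",
}

# Constructed sample of successful portal logins: "<UTC timestamp> <user> <source ip>"
SAMPLE_LOG = """\
2019-03-04T07:58:12Z jsmith 203.0.113.10
2019-03-04T08:03:40Z mjones 203.0.113.11
2019-03-04T08:10:05Z jsmith 198.51.100.7
2019-03-04T08:12:33Z mjones 198.51.100.7
2019-03-04T08:14:01Z rlee 198.51.100.7
2019-03-04T09:30:00Z rlee 203.0.113.10
2019-03-04T22:05:17Z tnguyen 198.51.100.8
"""


def parse_log(text):
    """Parse login lines into (datetime, user, ip) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip))
    return sorted(events)


def find_suspicious_logins(text, home_country="US",
                           travel_window=timedelta(hours=1),
                           shared_ip_users=3):
    """Return a list of (reason, user_or_users, ip) findings for analyst review."""
    events = parse_log(text)
    findings = []
    last_seen = {}                  # user -> (time, country) of previous login
    users_per_ip = defaultdict(set)  # ip -> set of accounts it authenticated as

    for when, user, ip in events:
        country = IP_COUNTRY.get(ip, "??")
        users_per_ip[ip].add(user)

        # 1. Login from outside the home country: not proof of compromise
        #    on its own, but the first thing to look at.
        if country != home_country:
            findings.append(("foreign_login", user, ip))

        # 2. Impossible travel: same account, two different countries within
        #    the window. Staff do not commute between continents in an hour.
        prev = last_seen.get(user)
        if prev and prev[1] != country and when - prev[0] <= travel_window:
            findings.append(("impossible_travel", user, ip))
        last_seen[user] = (when, country)

    # 3. One source address authenticating as many accounts: a single
    #    attacker working through a batch of phished credentials looks
    #    like this, while real staff rarely share an external IP.
    for ip, users in users_per_ip.items():
        if len(users) >= shared_ip_users:
            findings.append(("shared_source_ip", ",".join(sorted(users)), ip))

    return findings


if __name__ == "__main__":
    for reason, who, ip in find_suspicious_logins(SAMPLE_LOG):
        print(f"{reason:18} {who:22} {ip}")
```

On the constructed sample this reports jsmith and mjones for impossible travel (US at 08:00, Nigeria ten minutes later), four foreign logins, and 198.51.100.7 as a shared source for three accounts; rlee's return to a US address 76 minutes after the foreign login falls outside the one-hour window and is left for the foreign-login rule alone. Treat the output as a worklist, not a verdict: the next step is to pull those mailboxes' rules and forwarding settings and to reset the flagged credentials.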
If you are telling yourself that you have filters to catch these spam emails, it only takes one to get through. Do you think you can catch every single one? I recently attended an FBI seminar on health care industry security, and their statement was that it is just shy of impossible to stay on pace with hackers; a half step behind is the best pace to be expected. A single well-crafted phishing email can slip through that half step.
The answer to this is education of people, which HIPAA would classify under the Administrative Safeguards. Keep it front of mind at least monthly, not just a once-a-year required computer-based learning quiz. Sending out a monthly article to your company giving simple descriptions of phishing methods works wonders. It scares the heck out of people who don't realize how devious hackers can be. I've written a few and encourage staff to share them with family and friends. I've received nothing but positive feedback, and other local companies have asked for copies. Another recommendation is to self-phish your company. There are vendors and software systems that enable you to do this. Make remediation for those who fail the test a bit painful, like writing 100 times "I will not click on links or attachments that I do not recognize. I will call the sender if I am not sure" (check with your HR department on options), and the word will spread. Self-phishing will reveal awareness levels and how well the education program is working.
Heed the warnings you see in most of the latest healthcare breach press releases. Many list phishing and mailbox access as the root cause. That means staff gave up their passwords unknowingly.