(Healthcare IT Podcast) Healthcare Cyber Security: UBA & Insider/Outsider Threat with Ryan McDaniel
Last Monday, we kicked off our new Monday Morning Healthcare IT Podcast Series with David Chou as we discussed change, communication and leadership during an EHR implementation. You can catch up with episode 1 here. In our 2nd episode, we sit down with Ryan McDaniel to discuss the case for UBA and recap some of the industry’s most common threats.
Transcript
Tom:
Hello and welcome everyone. Thank you for joining us during this, the second episode of our healthcare IT podcast series. My name is Tom Letro of the HCI Group, and today I will be joined by Ryan McDaniel, our VP of Security and Technology. Today our discussion will center on cyber security, where we will start by going over the basics with regards to breach and insider and outsider threat, and will then discuss the case for UBA as a means of combating these threats. Thank you for joining us, Ryan.
Ryan:
Thank you for having me.
Importance of Cyber Security in Healthcare
Tom:
Absolutely, now, Ryan, when people are thinking of cyber security, the first thing they think of probably isn’t healthcare. Why is cyber security so important for a healthcare organization?
Ryan:
That’s a great question and ultimately, security is so critical to healthcare because healthcare, by necessity and by definition, deals with information relevant to individuals, and oftentimes it’s information that isn’t readily shareable. Furthermore, as we look at healthcare currently, since so much of that information is being digitized in patient records and EHRs and these kinds of more accessible technologies, not only is that information still relevant, but it’s more at risk because it is more accessible and more useful, and potentially a breach could directly impact not only quality of care, but access to patient information.
Healthcare Security Threats
Tom:
Ok, and what are some of the threats that are currently facing healthcare?
Ryan:
So, we’re seeing a lot of growth within what we would call hacking or breaching. There is a lot within that, so I’ll start with talking a little bit about that. What we are seeing today is that because of the EHR, and because of the value to the organization that the EHR represents, all this information being taken online, a lot of hackers are looking for low barrier of entry organizations, and they are breaching them.
Tom:
And how do they accomplish these instances of breach?
Ryan:
They are either doing this with things like phishing attacks, launching a virus within there that can infect and get that information. Also we’re seeing kind of – it’s common in other industries, but I think it’s becoming more common in healthcare, and that is what we call the socially engineered attack. This could either be done by an individual who is on the inside of the organization, where they’re simply physically accessing something that they are allowed to, and then using it illegally to take it outside of the organization, or alternatively where you have a malicious act, or someone outside the organization coming in and using either a relationship with someone or building a relationship with someone that allows them to get access to their account, and therewith to take information outside. Ultimately, the biggest risk in all of this is something called breach, the ill-gotten or unintended access of an external malicious actor to your network that allows an access to your healthcare data and patient record.
Tom:
Ok, and are there other prominent threats outside of breach?
Ryan:
Sure, there is mismanagement of information, there are things that we would relegate under poor policy, i.e. failure to eliminate or get rid of records, failure to decommission appropriate systems, that being said, I think the two examples we talked about initially are the primary sources, and by primary I mean well above 75% of the PHI loss that we have seen over the past two years has resulted from those first two.
How Healthcare Organizations Can Combat Security Threats
Tom:
Right, and for those of you listening, these two types of threat that Ryan is referring to that have resulted in this profound amount of PHI loss are internal threat and external threat. Now Ryan, what can an organization do to combat these two obviously prevalent threats?
Ryan:
So, there’s a lot, thankfully, and increasingly, let’s say there is more each year with some of the emerging technologies, but let’s consider them two different instances. Let’s look at the external first, and I would say that most healthcare organizations have done a good job to eliminate or reduce external threat. They’ve used solutions like SIM (Security Information Management), IAM (Identity Access Management), they’ve used antivirus, all these tools do a good job at at least attempting to prevent the outside from getting in. And again, I think healthcare has done a good job of adopting those technologies, and deploying those technologies to create what we’ll call a walled garden.
Benefits of User Behavioral Analytics Against Threats
Tom:
Right, and I know from our earlier discussions, Ryan, that while you believe this walled garden is beneficial, it is not enough to stop these threats by itself. If I recall correctly, you said that UBA, or User Behavioral Analytics, may be a huge benefit to an organization trying to cut down on these types of threat. What can UBA do to help your organization?
Ryan:
What UBA can do is allow an organization to start monitoring insider threat comprehensively, without adding significantly new resources, and it does this by using machine learning to monitor user activity, and define what normal is. And then once normal is defined, it begins to look at abnormal, and abnormal is what ultimately edifies or what encompasses internal threat. So, what we’ve looked at doing in the industry is not only helping organizations recognize gaps within their security practice, but particularly look at capabilities that are available to address and assess insider threat. We see that as the biggest gap, and the biggest risk within healthcare today.
Tom:
Ok, and what about the outsider threat?
Ryan:
So, outsider threat, as we said, is kind of the, it’s what we all think of, it’s the notion of someone sitting in a computer room with 37 monitors watching a matrix go by and trying to get into your system. While I think, by and large, that’s not real, it’s an image we all have, and it’s something we can all think of as “this is what a hacker looks like,” or, “this is how a hacker behaves.” In a majority of cases that’s not real.
Tom:
Right, as much fun as it would be to think of a guy with 37 monitors watching our every move.
Ryan:
It would be fun, right?
UBA in the Adoption Process
Tom:
Of course. Switching gears here Ryan, how does UBA play into the adoption process?
Ryan:
So, adoption can be very difficult, in so much as if you are not looking at the solutions that are readily available, what you’re looking at is building a huge team to essentially monitor everything manually. That being said, with UBA, adoption is actually quite simple. It is a matter of determining the solution that’s right, and monitoring the capabilities that are right for you, and then deploying and allowing initial phase of monitoring. So in fact, the advanced state of UBA that we have access to today makes adoption relatively simple for an organization.
Tom:
Right, so you would say that UBA is critical to securing your information.
Ryan:
Oh without question, and I would say UBA is fundamental. If we go back a few years ago, when UBA was kind of a nice theoretical capability, you can see a huge difference in what we can do today versus what we can do then, now, now that this actually has become something that we actually have access to. So I would say UBA is very much critical, and if it’s something that an organization is not aware of or is not thinking about, they really need to, because it dramatically expands the capability of their organization not only to assess threat, but to capture threat, and to reduce or in some cases eliminate the risks of breach.
Comprehensive UBA and Non-Comprehensive UBA
Tom:
So are there different layers to UBA? It sounds like it can help your organization in more ways than one.
Ryan:
You have – let’s differentiate between comprehensive UBA and non-comprehensive UBA.
So there are a number of solutions on the market that will align with this specific product, so let’s say the EMR, and you could have a solution that looks at all the users assessing the EMR, accessing the EMR, using the EMR, and what that tool might do is tell you “well this person has looked at it a lot, this person hasn’t looked at it that much.” And that’s great, but it gives you no context. So let’s say ‘doctor A’, let’s just use an example, looks at 10 records a day on average. A solution-aligned UBA tool will tell you “ok, they hit the EMR 10 times on average.” Now let’s say one day they hit it 30 times on average. Well, that doesn’t necessarily give you a lot of information. Maybe there is a reason they are doing that, maybe that is a necessary behavior, maybe that is really important for them. And the solution-aligned UBA will only tell you, within the space of that solution, what is happening.
But a more comprehensive UBA brings context, where you can ask questions like “well we know they hit the EMR 3 times as much as they normally do. Did they send more e-mails? Did they browse any sites we know to be malicious? Did they try to download data to a USB key?” So, you start getting a much more comprehensive sense of their activity, and, ultimately, if you are looking at a more risky behavior, or if you are looking at a necessary practice behavior. So those are the first two delineations. Now, again, going back to the days before UBA, your only real option was hiring a massive team and creating a very, very comprehensive policy to allow monitoring and capturing of insider threat, so I would say, for most organizations, that kind of hiring and that kind of scale is not a viable option today, and is not something that I would even encourage them to consider, given that UBA is available to them.
Summary
Tom:
Ok Ryan, we’ve gone over insider threat, we’ve gone over outsider threat, and we’ve gone over how UBA can help your organization combat them. Any final thoughts on what someone working in the healthcare IT field should be aware of when it comes to security and their information?
Ryan:
Well, ultimately, again, it is just that a lot of healthcare organizations have done a great job thinking about external threat. It’s something that I think we have been conditioned to do, and it’s something that has a lot of really well-placed and really capable solutions to address. But in addressing only external threat, I would say that you’ve actually done less than 50% of the overall battle. Insider threat is really critical to securing not only your infrastructure, but the patient record itself. As organizations start to understand the importance of insider threat, and the risk that it represents, I think there will be a lot more discussion about things like UBA and technologies, that allow more comprehensive monitoring. So certainly, for those listening, if you’d like to know more about insider threat, it is a conversation that we are willing, ready, and able to have, and ultimately not only that, but we can recommend or identify your gaps, identify and assess what you risk, and then ultimately assist you in providing solutions, capabilities, and practices, that help mitigate and minimize the risk associated with insider threat.
Tom:
Alright, some very useful information there, thank you Ryan.
Ryan:
Yeah, absolutely, really appreciate the time.
Tom:
Absolutely. For everyone listening, make sure to subscribe to our blog and our podcast, and to follow us on social media. Also, make sure to comment below with anything that you feel we may have missed or that is equally important with regards to security, so that we can keep the conversation going. For Ryan McDaniel, this has been Tom Letro of the HCI Group. The HCI Group, offering a smarter approach to healthcare IT.