Top Healthcare IT Priorities: Implementing Zero Trust, Ensuring File Transfers are Secure, and of Course HIPAA!

The following is a guest article by Richard Barretto, Chief Information Security Officer at Progress.

Files and Documents are a cybercriminal gold mine. 

Healthcare companies have a lot on their IT plate, but often neglect their most vital assets: files, documents, and records. Securing the data held within these files is the most critical hurdle, especially since these files move around like a college kid on holiday in Europe.

These files are where most Protected Health Information (PHI) is contained. Failing to fully protect them not only exposes this sensitive data and harms the individual, it also opens your organization up to expensive and embarrassing HIPAA fines and actions. This data MUST be protected and SHOULD be encrypted at rest AND in transit.

Healthcare Breaches Cost More Than Just Fines

Healthcare breaches, at $9.23 million per incident, are the most expensive of any industry, according to an IBM/Ponemon analysis reported in a Becker's Hospital Review blog. Meanwhile, “Nearly half (44 percent) of the breaches analyzed in the report exposed customer personal data, including healthcare information, names, emails and passwords,” IBM found.

Here are some examples of sensitive health data that must be protected:

  • Patient appointment reminders
  • Medical reports
  • Big data, e.g. medical images
  • Billing and payment data
  • Regulatory compliance reports
  • Compliance reports
  • Claims submissions

Keeping File Transfers Safe – Be Wary of Email and FTP

The bar for security in Healthcare IT is so high it takes Olympic-class efforts to clear it. Securing data is the most critical hurdle. So where is your most sensitive data? In files, of course. And it is these files that fly about like seagulls at the fishing pier. There are, however, three keys to healthcare IT that can help reduce your risk.

In the case of healthcare, these files can contain Protected Health Information (PHI). Failing to fully protect them not only exposes this sensitive data to harm by bad actors but also opens your company up to expensive and embarrassing HIPAA fines and actions. There is no way out: this data MUST be protected and encrypted at rest and in transit.

Email Not the Secure File Answer

Many shops still rely on old fashioned email for file transfers since attaching a file is something everyone can do. While this is fine for non-sensitive data, it is one of the worst things you can do with a sensitive, compliance-regulated file.

Besides the insane security risk (files intercepted, or sent to the wrong recipient or even an entire distribution group), email is not made for large files. Many mail clients limit the size of file attachments to 10 MB or less, which is not nearly enough to accommodate unstructured, multimedia formats such as ultrasound video files, audio files, images, and so on.

Meanwhile, transferring large files through email servers causes performance degradation problems that impact reliability and file delivery.

Having many copies of large attachments gobbles up allocated storage and leads to massive storage management headaches.

And of course, IT has no visibility as to where files are, which is a real problem when auditors come calling.

FTP Better Than Email, but Not Nearly Good Enough

FTP (short for File Transfer Protocol) file transfer solutions beat the pants off email but have limits no healthcare organization should put up with.

The main problem is the lack of a method for encryption during file transport, meaning your sensitive health data could be intercepted during transport. FTP solutions, which rely on manual processes with no native means for automation and integration with business processes, are not scalable. If you want to automate and integrate, you go back to your in-house script jockeys to write customized scripts.

Meanwhile, files stored on an FTP server stay there until someone takes them off. This is a big burden for account administrators, who must take action for each single-time setup, deletion or change management process.

HIPAA

Aside from breaches, HIPAA is obviously the fundamental issue healthcare IT and security professionals face today. Of course, there are the fines we just mentioned, but more than that healthcare organizations want to protect patient privacy. It is the right thing to do and good for business.

Key issues for HIPAA compliance include:

  • Authentication, which means verifying that users are who they say they are.
  • Access control, meaning no access is allowed to data without proper authorization.
  • Transmission security, meaning that data transmissions between parties are encrypted; data should be encrypted both at rest and in transit.
  • Integrity, meaning that PHI is not modified without permission or detection.
  • Audit control, which involves having a complete audit trail providing total visibility into file transfers.

All these issues can be addressed by ensuring that data is encrypted during transmission, that changes to files are detected and that the audit trail shows everything that happened to a file during the movement process.
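The integrity and audit-control points above can be made concrete with a small sketch. This is an added example, not code from the article or from any product: it records each transfer event with the file's SHA-256 digest and chains the entries so that an edited record is detectable. The function names, field names, actors and sample data are all hypothetical.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first audit entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    # Hash every field except the stored hash itself, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def append_event(trail: list, actor: str, action: str, content: bytes) -> None:
    # Record who did what to which file bytes, chained to the previous entry.
    entry = {
        "seq": len(trail),
        "actor": actor,
        "action": action,
        "file_sha256": sha256_hex(content),
        "prev": trail[-1]["entry_hash"] if trail else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    trail.append(entry)

def verify_trail(trail: list) -> bool:
    # True only if every entry matches its own hash and links to its predecessor.
    prev = GENESIS
    for seq, entry in enumerate(trail):
        linked = entry["seq"] == seq and entry["prev"] == prev
        if not linked or entry_digest(entry) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

def file_unchanged(trail: list, received: bytes) -> bool:
    # Compare the received bytes with the digest recorded at upload.
    return bool(trail) and trail[0]["file_sha256"] == sha256_hex(received)

def demo() -> dict:
    # Constructed sample data: no real PHI, users or systems.
    report = b"constructed sample lab report"
    trail = []
    append_event(trail, "dr.sample", "upload", report)
    append_event(trail, "transfer-service", "deliver", report)
    out = {"trail_ok": verify_trail(trail), "file_ok": file_unchanged(trail, report)}
    out["altered_file_ok"] = file_unchanged(trail, report + b" (altered)")
    trail[0]["actor"] = "someone.else"  # simulate an edited audit record
    out["edited_trail_ok"] = verify_trail(trail)
    return out
```

A bare hash chain only detects edits by someone who cannot rewrite the whole trail; the latest entry hash still has to be signed or stored somewhere the log writer cannot alter.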

No Trust Without Zero Trust (and Least Privilege Access)

Many, but not all, IT professionals are familiar with the concept of Zero Trust. There’s a bit of irony to the term, as Zero Trust means that the best way to protect all your data and assets is to trust absolutely nothing until areas of the network are proven trustworthy. The idea is to work through each element of your entire environment step by step, protecting and securing each one.

The Zero Trust Architecture was invented by then-Forrester analyst John Kindervag in 2010. “Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access,” explained CSO magazine.

Files are sometimes forgotten in this effort but should be FIRST and FOREMOST when it comes to zero trust. Your files need a high level of protection, and no one should be trusted to access them without explicit permission and authentic authentication.

Microsoft, a key Zero Trust proponent, defines it this way. “Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to ‘never trust, always verify.’ Every access request is fully authenticated, authorized, and encrypted before granting access. Microsegmentation and least privileged access principles are applied to minimize lateral movement. Rich intelligence and analytics are utilized to detect and respond to anomalies in real time.”

One key to Zero Trust is strong identity management and protection, largely through authentication which should be applied across the environment.

This speaks to the issue of least privilege access, which is part of Zero Trust. The concept of least privilege access is to limit user rights to only what is absolutely needed. In the case of files, only those who need to touch, transfer or receive a file should be able to do so.
