Protecting the empire goes beyond securing the castle walls: Understanding the importance of audit controls

By Adam Kehler on February 14, 2017


Is your information security program stuck in the Middle Ages? Are you still just protecting the castle walls, or have you taken a step forward into modern times, where you must assume your outer perimeter will be breached?

Healthcare organizations are notorious for applying minimal security measures, which generally consist of firewall and anti-virus precautions to prevent attackers from penetrating their systems. This is an antiquated method that simply doesn't work. You need to think more strategically and prepare your organization for impending attacks by assuming that your defenses will be breached. In fact, 56% of organizations say it is unlikely or highly unlikely that they would be able to detect a sophisticated attack. On top of that, it takes an average of over 200 days for an organization to simply detect an attack of any severity. Those are some scary stats to consider when people’s personal information is at stake.

With the average breach exposing 1.3M people, it is your responsibility to take every necessary precaution to protect your consumers and organization. The healthcare industry, on average, underspends on cybersecurity compared to other industries: generally only 6% of healthcare IT budgets go towards security, while other industries spend 12-16% of their IT budgets on security. This is shocking because the black-market value for healthcare information is at a record high. It's reported that 1 in 13 patients will have their records stolen after a healthcare provider data breach. It’s no wonder that cybercriminals are focusing their efforts and increasing their sophistication with each attack.

New guidance from the Office for Civil Rights (OCR)
In the wake of recent events and attacks, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) published a newsletter that clarifies the requirements for detection of unauthorized disclosure of protected health information (PHI):

The HIPAA Security Rule provision on Audit Controls (45 C.F.R. § 164.312(b)) requires Covered Entities and Business Associates to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI). The majority of information systems provide some level of audit controls with a reporting method, such as audit reports. These controls are useful for recording and examining information system activity which also includes users and applications activity.

These audit trails exist at the application, system, and network levels. What is important to understand is that it is not sufficient to just collect the data. The System Activity Review requirements indicate that organizations should also be looking at these reports with the intention of detecting unauthorized or malicious activity.

What’s everyone else doing?
Security should be top of mind, but naturally healthcare organizations have a lot to deal with. They’re in the business of healing, and security can sometimes take a backseat. As providers and partners increase their shared data usage, the opportunities for loss, error, or theft grow exponentially. The backseat approach is unacceptable and changes need to be made.

The current security landscape for healthcare providers is changing. Healthcare organizations are starting to understand that it is no longer sufficient to simply “protect the castle walls”; they must also increase their capabilities to sound the alarm when the walls have been breached. As the number and size of systems storing ePHI grows, they are looking to automated and managed solutions to accomplish this goal.

Case study
Online recently worked with a hospital that had identified, through the Security Risk Assessment process, that they lacked the ability to effectively detect unauthorized access to ePHI. As Online walked through the process with the hospital, the first step was helping them get their arms around and fully understand the problem. The largest system containing ePHI was certainly the Electronic Medical Records (EMR) system; however, a four-hour workshop was required to simply identify other systems on their network that store or transmit ePHI.

By the time the exercise was complete, over 100 systems had been identified including those that stored ePHI in-house and those that were cloud-based. Another two hours were spent identifying third party connections where ePHI left the organization. The enormity of tracking activity within these systems and connections is daunting, especially considering the limited resources available to the Information Systems and Privacy teams.

The solution for this organization was to seek outside help. They contracted with a managed service provider that has developed systems to retrieve the audit logs from the hospital systems and use heuristics to create reports and automated alerts. This system successfully detected a confirmed incident of snooping within the first two weeks of deployment.

The hospital is taking a slow and careful approach to the implementation of this system and plans to add capabilities bit by bit. They are also looking at aggregating system and network logs in order to detect threats on a broader scale.

How should you approach this problem?
Are you still confused about what your organization should do? I’ve outlined a plan to help you get started:

  1. Inventory of systems with ePHI and external connections that transmit ePHI
  2. Define risk levels of systems (number of users, amount of ePHI, criticality)
  3. Start with the most critical system(s) (e.g. EHR)
    1. Assess audit capabilities
    2. Aggregate audit logs on a separate, secure system
    3. Define what unauthorized activity looks like
      1. Insider threats like snooping
      2. Third party access (often higher risk)
      3. Outsider threats (could use compromised credentials)
    4. Create specific alerts and reports to detect what this activity looks like. Start with one or two. Don’t bite off more than you can chew. 
  4. Rinse and repeat for other systems based on risk level
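
Steps 3.3 and 3.4 above, sketched as an added example (not code from the original article or from the managed service it describes): two alerts run over a constructed EMR audit export, one for snooping and one for high-volume access by a third-party or compromised account. The log layout, the `CARE_TEAM` mapping, and the thresholds are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: timestamp, user, role, action, patient_id.
# The column layout is an assumption; real EMR audit exports differ by vendor.
SAMPLE_LOG = """\
2017-02-01T09:02:11,nurse.lee,staff,VIEW,P100
2017-02-01T09:05:40,nurse.lee,staff,VIEW,P101
2017-02-01T09:07:02,nurse.lee,staff,VIEW,P555
2017-02-01T22:14:00,vendor.billing,third_party,VIEW,P200
2017-02-01T22:14:20,vendor.billing,third_party,VIEW,P201
2017-02-01T22:14:45,vendor.billing,third_party,VIEW,P202
2017-02-01T22:15:05,vendor.billing,third_party,VIEW,P203
"""

# Hypothetical treatment relationships, e.g. exported from scheduling data.
CARE_TEAM = {"nurse.lee": {"P100", "P101"}}

def parse(text):
    rows = csv.reader(io.StringIO(text))
    return [(datetime.fromisoformat(ts), user, role, action, pid)
            for ts, user, role, action, pid in rows]

def no_relationship_alerts(events, care_team):
    """Alert 1 (snooping): staff viewing a patient they are not assigned to."""
    return [(user, pid, ts) for ts, user, role, action, pid in events
            if role == "staff" and action == "VIEW"
            and pid not in care_team.get(user, set())]

def volume_alerts(events, max_patients=3, window=timedelta(minutes=10)):
    """Alert 2 (third party or stolen credentials): one account viewing more
    than max_patients distinct records inside a sliding time window."""
    by_user = defaultdict(list)
    for ts, user, role, action, pid in sorted(events):
        if action == "VIEW":
            by_user[user].append((ts, pid))
    flagged = {}
    for user, views in by_user.items():
        for i, (start, _) in enumerate(views):
            seen = {pid for ts, pid in views[i:] if ts - start <= window}
            if len(seen) > max_patients:
                flagged[user] = len(seen)
                break
    return flagged

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print(no_relationship_alerts(events, CARE_TEAM), volume_alerts(events))
```

Run it on the aggregation host from step 3.2 rather than on the EMR itself, so an account that can alter the source logs cannot also silence the alerts.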

If you’re like many of the healthcare providers that have little or no information security experience, it would be smart to partner with an organization that specializes in information security consulting. When considering a partner for information security advice and services, it is important to ensure that the service provider has extensive experience working in the healthcare industry, along with a deep understanding of the threats, risks, compliance requirements, and controls unique to it.

Not a matter of if, but when…
It’s not a matter of if, but when. Assume your data will be stolen and take steps so that when you’re breached, you have a plan in place to fight back. Don't end up on OCR’s wall of shame.

To continue the conversation, send me a message; to learn more about Online Business Systems’ Risk, Security and Privacy practice, click here.