Quantifying Data Risk in Health Care
The health-care industry has long been subject to rules about the protection of patients’ personal data. These include the Health Insurance Portability and Accountability Act (HIPAA) and the more recent Health Information Technology for Economic and Clinical Health Act (HITECH), which strengthens HIPAA protections as they relate to electronic medical records. HITECH also increased the penalties associated with data breaches.
As the health-care IT environment becomes more complex, with increasing numbers of connected devices, more electronic medical records, more applications processing health data, and more data sharing between affiliated practices, protecting personal data has become a major challenge. To comply with a more rigorous regulatory environment and avoid embarrassing data breaches, health-care organizations make decisions about how to prioritize their cybersecurity efforts. A key part of that is deciding what data presents the greatest risk to the organization.
This can be a challenging question for several reasons. One is the type of data itself. A breach of electronic medical records can subject an organization to remediation costs, bad publicity, and costly penalties. But a hack of connected medical devices can be life-threatening. Additionally, the cyber-threat landscape is changing. The two most common causes of lost medical records are hacking and unauthorized disclosure. By far the fastest-growing threat comes from hacking, and although the number of records stolen in recent years has declined, the number of breach incidents is steadily rising.
Quantifying data risk is an essential step in developing a strategy to protect that data. Joseph Weinberg, global senior security architect specializing in integrated hospitality resorts and executive board member for a health-care security corporation, explains it in this way: “We talk a lot about layered defense and various cyber-kill chain methods. Regardless of the health organization, it is important to understand that the number of ways into an organization is immense. It is impossible to detect and respond to every threat. Risk-based data classification is essential for every health-security operation. The key to proper data classification is to identify the most critical data in the organization. We call these the crown jewels. These are data sets that need the most advanced security controls and instrumentation around the practice. Focusing on crown-jewel data ensures that the finite resources that are available are utilized in the highest value and most efficient manner.”
Sean Murphy, vice president (VP) and chief information security officer (CISO) at Primera Blue Cross, says, “To avoid protecting all information at the highest level, the risk-based approach requires the organization to sanction areas for sensitive data to reside, move data to those areas, and protect the data in those areas with robust access controls, encryption, and audit processes. Data that is less sensitive, and therefore lower risk to the organization, can be protected with less stringent security controls.”
The question becomes how you identify and classify data requiring this special security treatment, and how you quantify its risk in a way that enables rational decisions about the security investment needed to protect it. Sean Murphy recommends beginning with how the data is used and how it needs to be regulated. “Data classification from a risk perspective starts with a tiering approach, from publicly available information to data that is most critical in the organization. Some categories and values are regulatory by nature, like electronic health information. Other data, such as pricing models and actuarial process information in a payer organization, can be highly proprietary. In provider organizations, configuration and networking information about medical devices could require protection for patient-safety reasons.”
To actually score these risks, Murphy advises tying risk assessment to security standards widely used in the health industry. “Using a best-practice risk-management framework, like NIST, ISO, or HITRUST, a healthcare organization can begin to measure the security maturity of the organization,” he says. “These measures show the level of residual cyber risk in an organization. Another method that many insurance underwriters use involves external risk-scoring agencies, known as security rating services (SRS). The scores they provide are like a FICO credit rating, but for security posture. They show the level of residual cyber risk for the organization in terms of likelihood of data breach compared to a baseline organization’s risk. Individual organizations can also use the SRS scores to assess their third-party vendors and suppliers. External partners are a source of risk to the organization relying on third-party products and services.”
In the health-care industry, quantifying data risk means looking at the regulated and sensitive data itself, but also assessing the infrastructure where that data resides and the threat landscape. “The threat landscape and underlying technical environments are always changing,” Weinberg notes. “Understanding the risk requires identifying and managing technology assets, including operating systems, firmware, applications, and networks. To properly quantify the risk level for a cyber-security breach, a corporation would typically multiply the potential number of vulnerabilities against the probability of the event and assign a value for worst-case scenarios. We find that the best practice is to have a financial target for a potential breach and design the security program around meeting that objective.”
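The tiering approach and the vulnerabilities-times-probability-times-worst-case scoring described in the quotes above, as an added example that is not part of the original article; the tier labels, the data-set inventory, and every count, probability and dollar figure are constructed for illustration, and the financial target is an assumed budget figure.

```python
# Added example (not from the article): risk-based data classification and
# expected-loss scoring for health-care data sets. All names and numbers below
# are constructed; the tier labels are assumed, not an industry standard.
from dataclasses import dataclass

# Tiers run from publicly available information up to crown-jewel data.
TIER_ORDER = {"public": 0, "internal": 1, "regulated": 2, "crown_jewel": 3}


@dataclass
class DataSet:
    name: str
    tier: str                  # one of the TIER_ORDER keys
    vulnerabilities: int       # unmitigated weaknesses on systems holding the data
    breach_probability: float  # annual probability that one weakness is exploited
    worst_case_loss: float     # worst-case cost of a breach (remediation, penalties)

    def expected_loss(self) -> float:
        """Vulnerabilities x probability x worst-case value, as in the quote."""
        return self.vulnerabilities * self.breach_probability * self.worst_case_loss


def rank_by_risk(assets):
    """Highest expected loss first; ties broken so higher tiers come first."""
    return sorted(assets, key=lambda a: (a.expected_loss(), TIER_ORDER[a.tier]),
                  reverse=True)


def exceeds_target(assets, financial_target):
    """Data sets whose expected loss alone exceeds the breach budget target."""
    return [a.name for a in assets if a.expected_loss() > financial_target]


def total_expected_loss(assets):
    """Organisation-wide expected loss, to compare against the financial target."""
    return sum(a.expected_loss() for a in assets)


# Constructed sample inventory (regulated EHR, device configuration, payer models).
INVENTORY = [
    DataSet("patient_portal_ehr", "regulated", 12, 0.05, 4_000_000),
    DataSet("infusion_pump_config", "crown_jewel", 3, 0.02, 10_000_000),
    DataSet("actuarial_pricing_models", "crown_jewel", 4, 0.04, 2_500_000),
    DataSet("public_website_content", "public", 20, 0.10, 5_000),
]

if __name__ == "__main__":
    for a in rank_by_risk(INVENTORY):
        print(f"{a.name:26s} {a.tier:12s} expected loss ${a.expected_loss():,.0f}")
    print("over assumed $500k target:", exceeds_target(INVENTORY, 500_000))
```

Note that the public website has the most vulnerabilities yet ranks last, which is the point of the risk-based approach: control investment follows expected loss, not raw finding counts.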