Q&A

Healthcare Hacking: Manual Incident Response Plans No Longer Meet Today's Threat


Healthcare providers and their business associates are increasingly becoming the target-of-choice for hackers today. A Ponemon Institute study indicates, “Nearly 90 percent of healthcare organizations … had a data breach in the last two years.” Nearly half of those in the study had experienced “more than five data breaches in the same period.”

The 2016 study also concludes, “Many healthcare organizations and their business associates are negligent in the handling of patient information.” This despite widespread agreement from the report stating, “The vast majority of all respondents agree healthcare organizations are more vulnerable to data breach than other industries.”

The consequences are severe, according to Dave Willsey, CEO at Chicago-based Integrify, a software firm that develops and delivers workflow management solutions to clients in several industries including healthcare. “HIPAA violations carry hefty penalties — financial, operational, and reputational,” Willsey said. “One requirement in today’s environment is a well-conceived and executable incident response plan (IRP). And today the leading IRP best practice is one that emphasizes automation.”

In the following conversation, Willsey expands on today’s challenges and the right approach to meeting evolving threats.

Q: It seems clear healthcare is being targeted by criminals and malicious hackers — what are you and your colleagues hearing and seeing from customers?

Willsey: Indeed, this is a growing problem and one that shows no sign of going away anytime soon, especially with the overwhelming amount of digital data moving around the healthcare ecosystem today. If there is one major common theme we’re hearing, it’s that hospitals, payers, and vendors believe they are a target-rich environment for hackers.

Q: Seventy-one percent of respondents in the study cited above have implemented formal incident response plans. Is this sufficient?

Willsey: It’s an important first step — get the plan, the people, and the processes pulled together and get it all on the same page, so to speak. But a manual IRP is simply not enough today and, without a doubt, will not meet the threat as it evolves in the years ahead. Automated IRP workflow is the new table stakes in the fight against threats to privacy and data security.

Q: Healthcare appears to be taking the right initial steps to better manage the data breach problem by getting IRPs in place, yet at the same time folks in charge of carrying on the fight claim more funding and resources are needed to be more effective. How should decision-makers move forward?

Willsey: Yes, the statistics are showing mixed signals. On one hand, most folks in healthcare agree about the severity of the problem. Most are responding in areas such as implementing a formal IRP. Yet more than half of healthcare says funding levels in the fight to protect privacy and security are stagnant, and 10 percent actually say their budgets are getting cut back. Our experience and advice to clients and prospects is there are two primary business case drivers for automating your IRP workflow. The first is to consider the cost of an uncoordinated response. How many days and weeks can pass as the response team tries to coordinate through emails, phone calls, chats, and texts rather than through an automated system with triggers, alerts, escalations, and smart routing that happens in real time?

The second is ROI. You’ll see quick payback from more accurate information about threats and breaches sooner in the process before they get out of hand; rapid response times that lead to fast resolution when compared to manual processes; and, finally, automation will bring a unique capability to enable analytics and intelligence that supports and measures continuous improvement in processes against future threats. Decision-makers would be wise and financially savvy to discover ways to automate and optimize their IRP processes and workflow.

Q: How can automation drive efficiency and quicker resolution?

Willsey: A simple way to describe one capability in an automated IRP workflow is to think of it like the one-click buy button at Amazon: you want the item, you click a button, and you’re completely checked out with the item on its way. Automated IRP can provide a similar one-click experience for any users across the healthcare ecosystem. If a doctor or nurse or someone in the pharmacy formulary for example notices something’s not right with the data they are using, a simple one-click button on any and every screen can immediately launch the automated IRP workflow process by connecting someone on the front lines with the teams in place to respond quickly.

Q: How do you evaluate an effective incident response plan?

Willsey: It boils down to getting right three key areas — people, process, and data. With people it’s very important the roles of each person handling patient data are well identified. This would include all clinical staff, billing and administrative personnel, insurance agents, IT personnel, outside vendors, contractors, and others.

When it comes to process, precisely articulating workflow is vital, and this includes, as an example, workflows tied to patients entering the ER and the processes for admission, for diagnosing, for discharging. It also means identifying who is inputting information into the system and how that information is protected.

Finally, segmenting different classes of data across the ecosystem. This would include data in motion that is moving through a network, including wireless transmission, whether by email or structured electronic interchange. Also, data at rest that resides in databases, file systems, flash drives, memory, and any other structured storage method and data in use that includes data in the process of being created, retrieved, updated, or deleted. The final class of data the Department of Health and Human Services referenced in the IRP is data disposed which would include discarded paper records or recycled electronic media.

Q: What’s the most important consideration leadership should give in light of today’s trending threat?

Willsey: First and foremost, it’s mindset and culture. Always realizing whatever you have in place today when it comes to protecting patient information and data security is not going to be enough in the days ahead. The bad guys out there are always probing, testing, and looking for ways to exploit the system. The mindset and culture shift that needs to happen is going from one that says we’ve put an IRP in place, now let’s move on. Privacy and security are a process, not an event. Budgets need to reflect this reality and adjust to the growing threats out there in the world. Everyone would probably agree with this statement: “none of us can afford to get hacked.” If you buy into that idea, then it follows you can’t afford to ignore investing in tools, such as automated IRP workflow, to step up your response to growing threats in the future.

For more background on automating IRP workflow, please visit a recent post about the benefits of automated IRP on the Integrify blog.