Shore Up Your PHI Defenses
Edited by Susan Kreimer
For St. Luke’s Health System, data flow mapping, vendor management, and full-disk encryption are essential to PHI security.
As EHRs become more and more ubiquitous, PHI security becomes a bigger priority for healthcare providers across the country. Securing patient information takes a different shape when more and more of this data is available electronically and vulnerable to hackers and other cyber criminals. It seems like every week, we’re reading about a health data breach damaging a health provider’s reputation and putting its patients at risk. Many of these are the result of lost or stolen laptops or storage devices that weren’t properly encrypted. Reid Stephan, director of IT security at St. Luke’s Health System, is working hard to ensure his facility isn’t the next to fall victim to a data breach. Here is his advice for keeping PHI safe.
Q: What are St. Luke’s biggest concerns as it relates to securing patient PHI?
Stephan: Generally, our concern focuses on ensuring the confidentiality, integrity, and availability of PHI. Specifically, we want the data to be readily accessible in the desired format to the providers, patients, and other parties who warrant access.
Security controls need to be as transparent as possible to the end user. If complete transparency isn’t possible, then education and awareness training must effectively convey the purpose or value the security control provides to the end user or customer.
Q: How are you addressing these concerns and overcoming these challenges? What steps have you taken to ensure PHI security?
Stephan: One of the most basic elements involves ensuring that you know where PHI data exists on your network and how it flows into and out of the environment. Data flows back and forth between systems and processes inside our network, but we also have data that flows out of our environment to trusted partners (payers, HIEs, other providers) and back into our environment from similar sources. The transfer of data can occur via email, fax, network transmission, etc.
This can be very difficult to map out, but it is fundamentally essential in any successful strategy to secure PHI. The traditional model of a network with one (or just a few) ingress/egress points is antiquated. Today’s networks have myriad ways for data to traverse to and from a network (e.g. email, mobile apps, Web-based applications, cloud-based file-sharing solutions, etc.).
With an understanding of where PHI is created, how it is transported, and where it is stored, you can begin to design processes and procedures and deploy necessary instrumentation to protect it. Without this understanding, you will likely invest in the wrong controls or deploy them in a less-than-optimal manner.
Q: How do you leverage technology to keep PHI safe?
Stephan: We are currently doing full-disk encryption on all of our desktops and laptops and are leveraging McAfee Total Protection for Data for this purpose. We knew that physically touching every endpoint device wasn’t an option when rolling this solution out. Not only would this have been a logistical nightmare for our desktop technicians, but it also would have been highly disruptive to our employees.
With the McAfee full-disk encryption, we could remotely deploy the product and schedule the requisite reboot at a time when it would not impact our end users. The only action required of them was logging out of the system before leaving at the end of a work shift. In the case of shared workstations, we remotely installed the encryption software and waited for the monthly patch cycle reboot (that the users are already accustomed to) in order to fully complete the installation.
Over the course of two months, we deployed the software to more than 8,000 endpoints (desktops and laptops) and experienced essentially zero help-desk tickets or user complaints. By upgrading to a newer version of the McAFee full-disk encryption product, we were able to improve the performance on 800 legacy systems in our environment that were running an older version. The end result was significantly reduced risk, improved performance in a subset of the system, and a deployment that was transparent to our end users.
Q: Have you established any new policies or altered any processes to increase PHI security?
Stephan: We are always looking to refine policies and processes to increase PHI security. One area that we have focused on the last couple of years centers on vendor management. We developed standard security requirements that are attached to any contract where the vendor will process St. Luke’s data or connect to our network.
In addition, we have deployed a central system to facilitate and manage vendor remote access to our network. Prior to this, we had more than 100 site-to-site VPNs. This created an environment where we had a lack of control and visibility around when vendors were connecting to our network and what they were doing when they were connected. By standardizing a central solution, we effectively exited the vendor management business, allowing us to focus on the business of securing PHI.
Q: Since you started managing electronic patient data, have you experienced any PHI breaches?
Stephan: In my time at St. Luke’s, we have not experienced any IT security incidents that resulted in a breach requiring HHS notification. I have been here since February 2011. We stay aware of breaches impacting others (inside and outside of healthcare) so we can apply lessons learned as necessary. This is done by monitoring the HHS breach list and following public information sites such as www.healthcareinfosecurity.com.
In addition, we are members of the National Health Information Sharing and Analysis Center (NH-ISAC), which is responsible for advancing physical and cyber security critical infrastructure resilience. Led by the nation’s health sector, NH-ISAC (www.nhisac.org) is recognized by the HHS, the Health Sector-Coordinating Council (SCC), the U.S. Department of Homeland Security, the National Institute of Standards & Technology (NIST), Law Enforcement, and the National Council of ISACs (NCI Directorate), representing all national critical infrastructures. The NH-ISAC is a trusted way for healthcare organizations to share information and best practices with one another.
The unfortunate reality is that an attacker has a decided advantage in our world. We make every effort to deploy and shore up a strong defensive posture, but at some level, prevention will fail. Defensive postures involve a combination of processes, resources, and technical instrumentation layered in such a way that the failure of one does not allow a complete circumvention of all the others. You need to overlay your prevention strategy with detective and response capabilities that can rapidly identify and react to an unwanted action related to PHI.
Q: Any future plans to make PHI even more secure?
Stephan: Yes, we are working toward a multiyear security plan to help us elevate our security posture in a sustainable manner. Some of this includes:
- optimize and automate many of our identity and access management processes
- adaptive authentication for our patient portal
- security event/incident management (SEIM)
- mobile device management (MDM)
- governance, risk, and compliance (eGRC).