Organizations fail to give security the attention it deserves, experts say
March 11, 2020
TORONTO – In recent years, healthcare organizations and individuals in Canada have been reprimanded, sued and fined for losing data or snooping on files. And yet, care-providers still aren’t paying enough attention to securing their data, industry experts say.
“Many hospitals aren’t taking it seriously until they have a breach – like a ransomware attack,” said Harley Rodin, general manager of healthcare at Compugen.
Even those who have implemented security and privacy measures could be in trouble as the health sector continues to evolve.
In this province, for example, Rodin pointed to the new Ontario Health Teams, which will see various healthcare providers – acute care hospitals, long-term care organizations, home care agencies and doctors’ offices – working more closely as partners.
“They’re being encouraged to share information,” observed Rodin. But if the weakest link in the chain is vulnerable to a hacker attack or breach of information, valuable patient information from all or any of the organizations in the OHT could be lost, he said. “We need to take this much more seriously.”
Rodin was part of a panel discussion on security and privacy held at the MaRS Discovery District in October. Other members of the panel included Dr. Jeff Goldstein, healthcare specialist at HP Inc., Jodi Moore, enterprise sales director for central Canada at Aruba, and Patrick Lo, CEO of Privacy Horizon.
The panelists stressed that as healthcare becomes more networked, security becomes more difficult.
Said Dr. Goldstein: “80% of healthcare happens outside the hospital.” He observed that security practices may be airtight in a hospital, but what if they’re lax in a doctor’s office or in a home care setting? When doctors in hospitals are working with colleagues outside their walls, “You have no control over their devices,” he observed.
Ensuring the integrity of data is even more difficult as the world becomes increasingly connected. “Many Canadians are snowbirds who go to Florida every year,” Rodin commented. They’re getting care in the United States and may be carrying data on USB keys or accessing files through portals – opening themselves up to breaches.
And the Hospital for Sick Children, in Toronto, is an example of a world leader in pediatric care that treats patients from around the globe. “The information is transcending borders,” said Rodin. “There’s an internationalization of data that’s going on.”
Precautions must be taken, he said, to ensure that data is as secure as possible.
At the same time, Rodin noted, there must be easy access to information for those who need it. “You don’t want to create an Alcatraz or a Fort Knox when it comes to your data,” making it impossible to get at. Clinicians and patients, too, need access to the data.
“You can’t police everything,” said Rodin. “You have to rely on people’s responsibility and integrity.”
In this situation, he continued, you want to conduct privacy impact and threat risk assessments, but you must also recognize that it’s not a matter of “if” a breach will happen, but “when” it will occur.
Often, the breach isn’t from an outside source – like a hacker – but from an insider, such as an employee who is looking at records that he or she shouldn’t.
This takes place with alarming regularity in Canada – last October, for example, the privacy commissioner in Alberta said the agency was flooded with reports of privacy breaches after requiring mandatory reporting by healthcare providers.
Many of the breaches concerned healthcare staff who snooped and looked at records when they shouldn’t have.
And yet, most hospitals assert that they train staff in privacy issues, as part of their onboarding processes and annually, during refresher courses.
That just isn’t enough, said Patrick Lo, CEO of Privacy Horizon, a privacy consulting firm and developer of software solutions.
“The healthcare sector is doing a poor job of educating staff,” said Lo. “They may use a checklist approach each year and check off various topics. But how do we know that people have really absorbed it?” Chances are, he said, they haven’t.
Instead, employees must be given more interactive training. As well, the training shouldn’t be limited to once a year.
Jodi Moore, enterprise sales director at Aruba, noted that organizations should regularly run tests and stage simulations. “Do a phishing attack on your own organization,” she said. If people see that they can fall for a staged attack, they’ll be less likely to succumb to a real phishing attack.
“This learning can be invaluable,” she said, and can help change the behaviour of staff so they’re more careful about clicking on links in unusual-looking e-mails.
Moore also pointed to the growing number of devices in organizations, through which hackers can stage attacks and obtain data. The amount of data flowing through these devices makes it nearly impossible to monitor using older techniques, which ultimately rely on human intervention.
Her company, Aruba, has instead created a system that uses artificial intelligence and “User Entity Behaviour Analytics” to monitor devices for unusual activities. “We can look at a user, and factor in the people he or she normally speaks to, the devices he normally touches, and even the countries he regularly talks with. If something odd happens, like unusual activity or downloads, we’ll spot it.”
Moore said various devices can be given risk scores, with different actions taken when various levels of risk are breached. “You might have an IV pump that starts talking to different devices. If it breaches its risk score, it can be automatically quarantined.”
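As an added illustration of the behaviour-baseline and risk-score pattern Moore describes (this is constructed example code, not Aruba's product or algorithm), the Python below learns each device's usual peers, countries and transfer sizes from a baseline window, adds risk points for deviations in a recent window, and maps the score to allow, alert or quarantine. All device names, flows and thresholds are assumed.

```python
from collections import defaultdict

# Constructed baseline traffic: (device, peer_device, country, bytes)
BASELINE_FLOWS = [
    ("iv-pump-07", "nurse-station-3", "CA", 2_000),
    ("iv-pump-07", "pharmacy-srv", "CA", 1_500),
    ("iv-pump-07", "nurse-station-3", "CA", 2_200),
    ("ct-scanner-1", "pacs-srv", "CA", 900_000),
    ("ct-scanner-1", "pacs-srv", "CA", 850_000),
]

# Constructed recent window: the IV pump starts talking to new hosts, one abroad
RECENT_FLOWS = [
    ("iv-pump-07", "nurse-station-3", "CA", 2_100),
    ("iv-pump-07", "filesrv-hr", "CA", 50_000),
    ("iv-pump-07", "203.0.113.9", "XX", 400_000),
    ("ct-scanner-1", "pacs-srv", "CA", 870_000),
]

QUARANTINE_AT, ALERT_AT = 60, 30   # assumed risk thresholds on a 0-100 scale

def build_baseline(flows):
    """Per device: known peers, known countries, average bytes per flow."""
    peers, countries = defaultdict(set), defaultdict(set)
    totals, counts = defaultdict(int), defaultdict(int)
    for dev, peer, country, nbytes in flows:
        peers[dev].add(peer)
        countries[dev].add(country)
        totals[dev] += nbytes
        counts[dev] += 1
    return {d: {"peers": peers[d], "countries": countries[d],
                "avg_bytes": totals[d] / counts[d]} for d in peers}

def risk_score(device, flows, baseline):
    """Add points for each deviation from the device's own baseline; cap at 100."""
    prof = baseline.get(device)
    if prof is None:                  # never-seen device: treat as maximum risk
        return 100
    score = 0
    for dev, peer, country, nbytes in flows:
        if dev != device:
            continue
        score += 25 if peer not in prof["peers"] else 0          # new peer device
        score += 40 if country not in prof["countries"] else 0   # new country
        score += 20 if nbytes > 10 * prof["avg_bytes"] else 0    # unusually large transfer
    return min(score, 100)

def decide(score):
    """Map a risk score to the action a network-access controller would take."""
    return "quarantine" if score >= QUARANTINE_AT else "alert" if score >= ALERT_AT else "allow"

def evaluate(flows=RECENT_FLOWS, baseline_flows=BASELINE_FLOWS):
    baseline = build_baseline(baseline_flows)
    return {d: decide(risk_score(d, flows, baseline)) for d in baseline}
```

With the constructed data the IV pump accumulates points for a new peer, a new country and an oversized transfer and is quarantined, while the CT scanner stays within its baseline and is allowed.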