Transcript
Marianne McGee: I am Marianne Kolbasuk McGee, executive editor at Information Security Media Group. Today, I'm speaking with Mark Ballister, who is CISO of the University of Rochester in Rochester, New York, including its Medical Center, and Jon Moore, who is chief risk officer at privacy and security consulting firm Clearwater. So what I understand is that you're discussing some of the critical lessons learned in the aftermath of a financial settlement and corrective action plan that the University of Rochester signed in 2019 - we'll be discussing this at HIMSS - and that corrective action plan was with the Department of Health and Human Services Office for Civil Rights. It came in the wake of OCR's investigation into two HIPAA breaches that were reported in 2013 and 2017; those breaches involved the loss of an unencrypted flash drive and an unencrypted laptop. But, as OCR has found in many, if not most, of its other HIPAA breach investigations, the agency cited URMC for several potential HIPAA violations, which included failure to conduct an enterprise-wide risk analysis. So, with all that said, what steps has URMC taken to improve its security risk analysis? And what went wrong in the past? Mark?
Mark Ballister: Yes, thank you. So one of the major things that we changed with the risk analysis is that we brought on Clearwater to help us from a service provider perspective. We had been doing these since 2012, but the OCR didn't believe that we were doing them in an exhaustive fashion. So we've improved the process of the risk analysis every year since the 2012 timeframe, but it wasn't satisfying what the OCR was looking for. It's also worth mentioning that the two incidents that we're talking about were both BYOD. They were not sanctioned by the organization; they were actually brought in by the medical staff. So I just wanted to mention that, because it does kind of play into it.
McGee: And so now, Jon, you work with a lot of clients across the healthcare sector, in addition to Mark's organization. What sorts of difficulties do you see healthcare-sector entities having with this, you know, enterprise-type thorough risk analysis that OCR is looking for, especially if they start looking under the hood?
Jon Moore: Right. So unfortunately, the experience that Mark and URMC had is not unique by any means when you look at the instances where there's been a settlement or fine related to HIPAA compliance as a result of a breach. Typically, in around 90% of those cases, you'll see that the organization is found to have not completed a satisfactory risk analysis. And I think there are a number of reasons for that, really, Marianne. One is that in the cybersecurity world, there are a lot of things called risk analysis. But under the HIPAA Security Rule, it's a very specific thing, and it's more carefully described in the OCR final guidance for risk analysis under the HIPAA Security Rule. There are a number of elements that are included in that, and organizations struggle with some of those. One is the need for it to be comprehensive. So it should include all of the systems and associated components used to create, maintain, transmit or receive ePHI. And for a large organization like URMC or others around the country, that's not a trivial undertaking. You know, we're talking about large, complex infrastructures with a lot of systems and components that are processing ePHI on a regular basis. So that scope is a challenge. And in addition to incorporating all that scope, we need to understand all the controls associated with the protection of ePHI. And probably one of the most difficult things for many organizations to do is to identify all the reasonably anticipated threats and vulnerabilities to that infrastructure. We're not talking simply about running a vulnerability scan; we're talking about all reasonably anticipated threats and vulnerabilities. So, things that go beyond the technical vulnerabilities that you would find with an automated type of scan.
McGee: And so overall, we're also seeing a lot fewer breaches being reported to OCR these days involving lost or stolen laptops and flash drives that are unencrypted. And the breaches that URMC reported happened in 2013 and 2017. And Mark, you mentioned it was sort of a BYOD situation. With that said, what steps have you taken since then to ensure that even the devices that people bring into your facilities are encrypted, if they're mobile devices and they might contain PHI? Any tips for other organizations struggling with those same issues?
Ballister: Yes. So right now we're working on the plans around disabling any type of portable media that comes into the organization, and making sure that if somebody does bring a BYOD device, it has to meet a certain security threshold. We're working through having them go to a separate network; we're not quite there yet, as we didn't have a BYOD policy. So just having the policy in place to be able to state that, you know, it is unacceptable to have ePHI on these devices and plug them into the network - that is something that we did shortly after the incident. But it's trying to control that data. And like Jon was saying, there are some use cases that require having information on portable media, but we have to ensure that it's encrypted, so that if it is lost or stolen, it is, you know, a useless device, or it could just be erased and started from scratch, but the data has not been compromised.
McGee: And has the pandemic thrown any monkey wrenches into that? Because maybe you have more people who are working at home one day and sometimes go into the office; you have perhaps more people bringing mobile devices, either to work or at home. How do you sort through all that? Mark, what are you doing? And Jon, what advice do you give entities?
Ballister: Yeah, so we're doing a lot in that space. You know, when the pandemic first hit, it was just like everybody was kind of in that rush to figure out, "Okay, how are we going to keep the doors open?" You know, what can we do, because there are some folks who weren't generally working from home or even working off-site. So we did allow people to bring their desktops home, which we generally didn't do. And we also opened it up a little bit more for BYOD, depending on the specific area and the specific need, which in itself has some challenges. Because, you know, working from home, we don't have the same controls that we would have in the office, where we could lock the devices up, or we could, you know, go do a walkthrough and see if people are doing the right security things from a physical and cyber perspective. So we're trying to incorporate all of these other types of controls, like the posture assessment, where, when they log into the network, there's a posture assessment done so that we know that there's at least that baseline standard.
Moore: Marianne, Mark's giving you sort of what we're seeing as the best practices now under this scenario. I mean, in an ideal world, organizations would have been prepared to issue appropriate hardware to folks who are working from home, and that hardware would be configured in a secure way, and we'd be doing those checks before it's connected to the network. Now, unfortunately, there are a lot of organizations out there that didn't necessarily have the resources, nor were they prepared to do that. They have really struggled, and it's introduced a lot of additional risk into their environment. You know, particularly when folks are using their own devices at home, oftentimes, you know, there are multiple users on some of those devices, and there's a much higher probability that they're going to be infected with some sort of virus or other type of malicious software application. So I mean, it's a particular challenge, but at the end of the day, just like in any of these scenarios, what we need to do is understand the risks and make sure that we have appropriate controls in place to mitigate those risks to an acceptable level for the organization.
McGee: And so now Mark, how has the corrective action plan with OCR impacted URMC? What sort of organizational changes did you have to make in order to meet OCR's expectations, especially as they relate to managing risk on an ongoing basis?
Ballister: Yeah, a lot. So, the security program: I started at the organization approximately three years ago, and it had a fairly mature program, but this really kind of brought it up another level. The organization has always taken security seriously, but now these conversations are happening at the board level on a consistent basis. That has really helped a lot, because if we do need, you know, additional funding or additional resources, there's an avenue to get them. And we haven't taken advantage of that, but we have, you know, when necessary, looked to the board to help us justify and bring the additional resources in. The organization is very aware of the changes that need to happen and have happened. So, overall, from a cultural perspective, it's been positive, because, you know, the OCR does carry a pretty big stick with the fines that they do have, and the corrective action plan itself is very strict. So it's helped out the security posture fairly well.
McGee: And Jon, you work with clients that have had a significant breach, or some sort of OCR or other regulatory action after a breach. What kinds of changes do you see them more willing to make, you know, post-incident versus, you know, before, when everybody thought everything was fine?
Moore: It sort of depends, Marianne, for this reason. A lot of times, what organizations don't understand - and I think this points to what you mentioned earlier - is that when you have a breach, in particular a reportable breach like this, if and when OCR initiates any sort of inquiry or compliance review or investigation associated with that, they're not just going to look at sort of the circumstances associated with the breach itself; they're going to look at your broader HIPAA compliance. So when we talk to an organization - let's say they've experienced a breach, but they maybe haven't gotten an inquiry from OCR yet, or they anticipate getting that soon, or maybe they just got it - what we typically tell them is that now is the time to do a review of your overall HIPAA compliance and make sure that your ducks are in a row, for lack of a better word. Because you're going to be asked for a number of things: you're going to be asked for the risk analysis, you're going to be asked for policies and procedures, you're going to be asked for records of training, you're going to be asked for all of that evidence of an ongoing HIPAA compliance program and cybersecurity program. And to the extent that you're unable to provide that evidence, even if you're doing some of these things, the Office for Civil Rights is going to interpret that as not having an appropriate program in place, and then you're going to have some challenging conversations with them, probably over several years, if past experience is any indication.
McGee: Mark, you know, besides dealing with OCR's corrective action plan and everything you need to do for that, what other top security- and privacy-related priorities or projects do you have for the remainder of this year and into 2022? Are there certain things that aren't kind of high on that priority list right now?
Ballister: Yes, one of the highest priorities that we have right now is securing medical devices as well as IoT devices. That's been an effort that we've been working on for about the last year now. We've brought in tools that, you know, do the discovery and the behavioral analysis for the specific devices, as well as trying to segment off the devices so that if there is some type of a compromise, we can isolate it and not have it impact the rest of the organization. That's been a major effort, like I said, over the last couple of years. But another one that's really just popped up over the last few years as well is the security talent pool. Right now, it is very difficult to find security professionals, because there's a negative unemployment rate in this market, as well as the world kind of moving to a work-from-home or work-from-anywhere kind of scenario. We're now competing with the larger markets that can pay them, you know, 20-30% more than we can, which makes it very difficult to find the top talent. So those are the kinds of things that we've been really kind of dealing with over the last couple of years.
McGee: And, Jon, in terms of the cybersecurity struggles that you see your other healthcare clients dealing with these days, what's causing them the most problems? What's putting these organizations at risk of falling victim to some of the kinds of attacks and other incidents we've been seeing? What do they need to be paying more attention to?
Moore: I think Mark probably got two of the top three that we're seeing right now, certainly. There's just ongoing concern, and this has been for a number of years now, around the security associated with medical devices and the medical Internet of Things. A particular challenge with those in the healthcare environment, especially at large healthcare organizations like URMC, is the ability to get the right resources. That's a challenge, you know, not just for someone like Mark, but even for our organization; we're recruiting the best folks we can get all the time. So we're always out there trying to find those folks and identify them and get them on board, which is a challenge, particularly now. The third thing that we're seeing many organizations focusing on, and it has a lot to do with some of the big breaches we've heard about lately, is risk associated with third parties: vendor risk management, sometimes you'll hear it called cybersecurity supply chain risk management. Sometimes you'll hear it referred to as - I think the last two years in a row, the largest breaches in healthcare were really driven by third-party breaches at software companies that impacted their healthcare customers. And, you know, that continues to be a struggle. It's a - currently, anyway - pretty expensive process to do that kind of work for many organizations. And so they're all trying to sort of figure that out: how best to manage that risk.
McGee: Well, I want to thank you both, Mark and Jon. I've been speaking to Mark Ballister and Jon Moore. I'm Marianne Kolbasuk McGee of Information Security Media Group. Thanks for watching.