Breach Response: Minimizing The ImpactSeattle Children's Hospital's CISO Outlines Key Steps to Take
A robust incident response plan is essential to comply with the HIPAA Omnibus rule -- and to minimize the impact of a breach, says Seattle Children's Hospital CISO Cris Ewell.
Incident response "is not a technology problem, it's not a privacy problem, it's not just a security problem. It's an institutional problem," Ewell says in a recent interview with Information Security Media Group.
"You need to have roles and responsibilities clearly defined ahead of time. Know who's in charge of the incident, know your process, and have an investigation method that you use to ensure you're addressing all the risk elements."
In the interview, Ewell also discusses:
- The biggest emerging security threats he sees facing healthcare;
- Why privacy and security training is a high priority for the workforce and management team at Seattle Children's Hospital;
- How the hospital addresses security for mobile users, including BYOD.
As CISO of the not-for-profit pediatric hospital, which is an academic medical center and research institute, Ewell is senior leader in the organization's information security program. Previously, he served as the director of information security operations at the University of Washington, chief security officer for PEMCO Corp. and chief technology officer for Breakwater Security. Ewell also serves as a professor and guest lecturer at several universities. His current research area includes information security risk management.
Building a Robust Response Plan
MARIANNE KOLBASUK MCGEE: What are the most common information security incidents that your organization deals with on a day-to-day basis?
CRIS EWELL: I think that like the Department of Health and Human Services [HIPAA breach] website [indicates], as far as root causes [of data incidents] for the past year, we see our portion of lost and stolen devices, as well as privacy concerns with individuals potentially having unauthorized access to records. I see the trend of that changing to more malicious software-type activities; so the hacking in IT incidents, as we get more of those types of targeted attacks in 2014 and beyond.
Detecting and Managing Incidents
MCGEE: What are your biggest challenges in detecting and managing those incidents, and how are you dealing with those challenges?
EWELL: I think the challenge in any healthcare [organization] is ensuring that you understand where and how data is being exfiltrated to potential devices that may or may not be under your control as an institution. That is part of that challenge, having that monitoring capability, understanding what is on there, ensuring that there are adequate protection measures on those devices whether it is encryption, access control, or two-factor authentication; those types of controls that helps protect data at rest on mobile devices and external-type devices. Then it's the education program and really having a focus of information security privacy within your organization to understand when you can access records, when you can't, how to display those records, and ensuring that you have that information and program available. The last one, as far as hacker attacks [and] malware, is having a very active risk management program to really understand what the threats are; then having a process to identify and mitigate high risks within the organization to ensure proper controls on those particular devices.
Encrypting Mobile Devices
MCGEE: Do you have a robust program to ensure that all your mobile devices are encrypted?
EWELL: So with our mobile devices, once you connect into our system, it automatically gets installed with our security requirements from the information services department. You have to register that device with the department, so we know that's your device. Once you've registered, we keep track of that and are actually actively monitoring on a daily basis what devices are connecting to our system. If we see a new device, the IS department then reaches out to the user to ensure that it is in fact them connecting a brand new device, or maybe they replaced their device. Then we ask the follow questions, "Where is the old device? Did you replace it? Did you lose it?" We're actively monitoring there. Again, when you first log on [and] connect, you get the, "You have to have a PIN, it has to be encrypted," and very similar things that I think most organizations do. If you have laptops, we encrypt the laptops. If you have a personal laptop that you want to connect to our system, they require you to have the encryption, and then we do random audits on those devices to ensure compliance.
Breach Notification Rule Impact
MCGEE: What sort of impact has the HIPAA Omnibus Rule breach notification rule had in how you assess and respond to data incidents?
EWELL: Seattle Children's has a very robust risk management process and framework in the institution - [which is] one of my research areas that I do for my academic side of the house. We were already doing most, if not all, of the items related to the four areas that you have to address related to [assessing incidents under] the new HIPAA Omnibus breach notification rule. So it was not a stretch for us. We did come up with a framework and questionnaire, and adapted my incident response and incident report form to address all those particular areas. So we're addressing the nature and extent of the PHI involved. This really gets to, "Do we know the data that was potentially compromised?" Now in a particular situation, we have a very mature understanding of who the authorized user is of the data, so we understand contacts. I understand the threat actors, and so we were already doing that. We try to determine that whenever possible, and then we always have those mitigation steps...to reduce the risk. It was not a stretch for us to comply with the new requirement for the [Omnibus] breach notification rule.
MCGEE: Since HIPAA Omnibus came into effect, have you had any reportable breaches?
EWELL: Yes, we have reported one breach, but it has not significantly impacted our ability because we were managing the process and doing lots of education for our workforce. We actively monitor all of this and we have a very active compliance and audit program, which we had been doing for the last four years since I've been here. That has helped to decrease those amount of incidents that you would have, but we have had a reportable breach.
Preventing Data Incidents
MCGEE: What are your biggest challenges in preventing data incidents from occurring?
EWELL: The biggest challenge is still the human element within the organization. No matter what that person does, no matter what kind of technical controls you have, no matter administrative or physical controls you have in the organization, you still have a human element. All it takes is one click of the mouse and potentially you could have a significant incident, which may lead into a breach of protected health information. That continues to be the largest challenge in any healthcare facility, that human element.
How do you keep increasing your education and awareness along with all of the other education that our clinical workers need to have on an annual and ongoing basis? It's one of the things that we really try to focus on in this institution. We require all of our leaders to go through a privacy and security training that is taught by myself currently. We look at, "What does your workforce need to have and what are you as the leader instilling as far as good behavior and practices within the organization to protect our PHI and other confidential information?" We have active monitoring, audit, and compliance programs that go on, and all those things together help you identify and mitigate some of that risk, but it still is that human factor and will be I think for years to come.
Biggest Response Mistakes
MCGEE: What do you think are the biggest mistakes that health organizations tend to make in how they manage and respond to data security incidents?
EWELL: I think it's having a very active, robust information security and incident management program. You've identified all of the steps required, you have participation and cooperation of the entire enterprise. This is not a technology problem, it's not a privacy problem; it's not just a security problem, it is an institutional problem. So you need to have those roles and responsibilities clearly defined ahead of time. Know who is in charge of the incident, know what your process is for that, and have an investigation method that you use to ensure you're addressing all the risk elements that you need to, as well as all the things you need to talk about when you have a particular incident.
There is [so] much that you really need to find out for every single incident. You need to have that process built in to your organization to have an effective way to understand the incident, [and whether it was a] breach or not. Now institutions always have the ability to report all incidents as a breach, and can report that without having to do investigations. We choose to do investigations on every single incident as it comes through, and we have a process of escalation that we take within our organization, if it becomes something that involves PHI then my department gets involved. We involve the incident management team. We will report this to a board level if we have anything that needs to be escalated to those areas. I think that's critical, and a lot of institutions just don't have that robust process and wait until they have an incident to start their incident response program, and that's too late.
MCGEE: Does your organization do dress rehearsals for incidents?
EWELL: Yes and we do quality improvement on all incidents that we have, as well as once a year when we usually hold some type of tabletop related to a particular incident. I may do that as an IT type of tabletop. I may involve multiple departments. One of the things we're looking at potentially doing in 2014 is an entire institutional-wide type of exercise where it may impact a clinical information system. We're actually working on the details of that now and potentially will institute that. In any case, we'll always do some type of tabletop just to test our system.
MCGEE: What lessons do you think can be learned from HIPAA settlement cases and enforcement actions that are being taken by OCR?
EWELL: We have to protect mobile data, and one of the technical controls that you can put in place is encryption of that data at rest. Encryption by itself is not enough, and you have to have encryption with good access control. Those two things built together make a robust system where you could have a lost laptop or lost device and not have that [data] exposed on the outside. I think we have to understand in healthcare all of the places where data potentially is being exfiltrated, from internal devices to a portable or mobile-type device. Identify all of those areas and then come up with good risk mitigation and controls that you can put in place for that. So for example, our mobile phones [know that] if you guess the password or try to guess the PIN seven times incorrectly, then it deletes the entire data from that. Controls like that help to put in place additional controls besides just encryption to ensure you have the protection of that data.
We have done many awareness type of communications with our workforce saying, don't leave devices in locked vehicles. You need to have that device with you at all times if it leaves this institution. Understanding that data now is just not on laptops and mobile phones, it's also on medical devices. Understanding what those devices are. If you are transporting that device and it gets lost or stolen, that also is a potential breach, and so it's that education and awareness of your entire workforce. There is data that is more than just on a laptop or a mobile device, it's also on all these other devices within your institution, and you [need to be] actively managing that process and those controls that are on those devices. But first comes identifying where the data is, and if you don't know that and know where these devices are, then potentially you're going to have a large incident like we've seen.
Wiping Remote Data
MCGEE: Does your organization require employees to agree to the possibility of having a remote-wipe of their data on their personal devices if they use them for work?
EWELL: Our BYOD, when you bring your device in, especially your iPhone, Android, Windows-type device that you want to connect into our email system or connect into our internal system, part of those controls gives us the ability to remote-wipe that device and you agree to it. If it is lost or stolen and we know that, we're going to remotely wipe that device. That includes all of your personal data as well as all of our potential PHI on that particular device.