How Health Data Security Benefits from Industry Sharing

Health data security is not a new issue in the healthcare sector, but with health information exchanges (HIEs) springing up all over the country, facilities have to be aware of systems other than their own. In order to ensure that patient data and company information remain secure, some cybersecurity experts state that more healthcare organizations should work together to achieve common goals.

Rich Mahler, director of commercial cyber solutions for Lockheed Martin, explained to HealthITSecurity.com that communication is key for any industry – healthcare in particular – when it comes to keeping data secure.

It is also important for healthcare organizations to constantly be aware of the depth of information that they are handling. PHI is extremely sensitive and as paper records become digitized and more facilities implement HIEs, the appropriate protections need to be put in place for strong health data security, he said.

“[Healthcare organizations] also have to make sure that all of the partners that they are exchanging information with are equally protected,” Mahler said.

Moreover, this is where industry sharing can be greatly beneficial, according to Mahler, adding that his organization encourages its use.

“It’s to our advantage to get together and share,” Mahler said, explaining that Lockheed Martin tries to instill that methodology framework of sharing in numerous industries – healthcare included.

“If that continues to grow, sharing with government sources, harvesting open sources and sharing with peers, you make all kinds of organizations better,” he said. “The adversaries only develop attacks once…when you get with a peer who’s in the same environment and who is facing the same struggles, it can help. We strongly encourage that [sharing] to help build those relationships as well.”

According to Mahler, there are different levels that organizations typically use to keep their information secure. The most basic is the regulatory compliance factor, which is the bare minimum that a company has to do. It’s required, but not fully efficient, Mahler said.

From there, facilities can build to what he refers to as “good cyber hygiene,” which involves keeping a system updated and secure. Regularly reviewing the system is key, he said.

Beyond that, there is the more advanced security aspect, which is when intelligence is leveraged to targeted threats. This is where Mahler said his company uses Cyber Kill Chain, a defense process that helps companies proactively mitigate threats.  Essentially, organizations use a multi-step defense approach to prevent hackers in numerous spots.

“In the old days, people would say the defender had to be right all the time, while the attacker only had to be right once,” Mahler explained. “The whole point of Cyber Kill chain was that it’s not really one thing. When you break it down into those steps an attacker has to go through, they’re not successful until they do those seven things in a row and all seven are successful.”

Mahler said that companies can use that to their advantage. An important part though is to learn from every step. For example, if a firewall is blocked or a phishing scam prevented, the healthcare organization shouldn’t just stop there. Instead, facilities should see what they can learn from the attacker and work to enhance their knowledge about a particular group.

“If we block one of those seven steps, we win,” Mahler said. “They didn’t get what they were after. They weren’t able to steal data, compromise a systems’ effectiveness of operation or delete data. They may have gotten further than we’d like in some client environments, but we can learn from that.”

Over time, this will be especially beneficial, according to Mahler. For example, when organizations can attribute that level of information about a particular group they can start to build profiles. When that is built up over 10 to 15 years, industries can get to the point where they can predict attacks.

“As you utilize this framework and built up the intelligence, your security team starts to attach personas to that,” Mahler said. “While they’re working through an event, rather than starting from scratch they’ll say ‘Hey this looks like group X.’”

By taking the time to learn from each attack – or attempted attack – an organization can become more efficient and effective because they will have that common framework from using that model and sharing it with their peers.