Health care gets a ‘D’ in cybersecurity, but no one scores high

The health care sector scored a ‘D’ grade in overall cybersecurity for 2016, but other industries didn’t fare much better, with the retail sector scoring a high ‘C,’ according to Tenable Network Security. Cybersecurity experts in most industries showed decreased confidence in their industry’s ability to assess risks and mitigate threats. New and increased challenges, including new platforms and environments and continued use of mobile devices, contributed to the decrease.

Tenable asked 700 security practitioners from seven industries and nine countries about their attitudes and beliefs toward security defenses, rather than actual effectiveness. Health care security professionals’ average confidence level in their risk assessments was only 54 percent, down 18 percent from Tenable’s 2015 report. Professionals were more confident in their ability to mitigate threats through security assurances, showing an average 76 percent confidence level, an increase of 1 percent from 2015. They were most comfortable in their ability to convey risks to executives and board members, measure security effectiveness, and view network risks continuously. However, a common theme across industries and countries was professionals’ concern that the executive level did not respond effectively once given information about risks.

Tenable noted significant health care sector weaknesses in assessing mobile devices. Confidence in risk assessment for mobile devices dropped 8 percent across all industries from 2015, and the web application security rating dropped 18 percent, the largest drop in any risk assessment category. The health care sector also showed weakness in assessing risks with respect to two new categories, developmental operations (DevOps) environments and containerization platforms. DevOps is a set of practices that emphasizes collaboration and communication between software developers and other information-technology (IT) professionals, and that also includes an automation component for software delivery and infrastructure changes. Containerization technologies allow multiple isolated systems to run on a single control host by packaging each in a “container” with its own operating environment.

Webinar helps covered entities with third-party risk management

Third-party risk management requires a comprehensive vendor risk management program capable of verifying that vendor security controls are effective, according to a Health Care Compliance Association (HCCA) webinar presented by Nadia Fahim-Koster, of Meditology Services, and Alex Masten, of CORL Technologies. Masten noted that risk management is ultimately about “assurance” and, therefore, the development of a risk management program requires data and monitoring designed to assure covered entities (CEs) under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) that vendors are adequately safeguarding protected health information (PHI).


Fahim-Koster detailed the scope of third-party breach risks, including: HIPAA violations, negative media coverage, undermined patient trust, undermined employee trust, HHS Office for Civil Rights (OCR) penalties, lawsuits, breach notification costs, and the uncertainty of business associate reimbursement. Additionally, all of these risks continue to evolve as technology changes. For example, Fahim-Koster reminded providers that third-party breach risks have increased in complexity with the expansion of disruptive technologies like the Internet of Things (IoT) and migration to the cloud.


Masten noted that part of the problem with third-party risk management stems from the fact that the majority of vendors with access to PHI are small. Masten explained that this fact is unfortunate because small vendors are vastly more likely, when compared to a larger vendor, to be involved in a breach. Additionally, small vendors are more likely to enter subcontracts, leaving CEs confused or ignorant of the subcontractor’s breach protection measures. Masten also noted that only 26 percent of vendors have a security certification and many vendors don’t have designated security personnel. In fact, only 39 percent of vendors have at least one designated security personnel. Above all, Masten cautioned that breaches can happen at any time to any kind or size of vendor.

Vendor security program

To implement a vendor security program, Masten said CEs should take the following four steps: (1) profile vendors and rank them by risk; (2) conduct due diligence through risk assessments; (3) apply a risk strategy based upon the gaps identified by the risk assessment; and (4) monitor vendors for breaches, third-party assurances, and implementation of the risk strategy. Due to the complexity of monitoring what can be as many as thousands of vendor contracts, Masten suggested that entities may need multiple full-time employees dedicated to the data collection and monitoring of third parties. He also suggested that providers increase efficiency by developing a comprehensive vendor questionnaire to assess the risks associated with each vendor.