By TDMR President Gregory Ewing
On September 7, 2017, Equifax, one of the nation’s three credit-reporting companies, reported that it had discovered a cybersecurity breach that compromised the personal information of as many as 143 million Americans, roughly half of the population of the United States. Equifax also disclosed that the credit card information of roughly 209,000 of its customers was exposed, along with the personally identifiable information of customers who had filed credit disputes with the company. Potential data elements exposed included social security numbers, addresses and driver’s licenses.
The breach occurred between mid-May and July because Equifax did not apply, in a timely manner, a software patch released earlier in March to repair a widely reported critical flaw in its modern Java web applications. This unpatched flaw created a vulnerability for Equifax, a term that National Institute of Standards and Technology (NIST) Special Publication (SP) 800-66 rev. 1 defined as a “weakness in a system security procedure, design, implementation, or control that could be intentionally or unintentionally exercised by a threat”.
Security Incidents, Data Breaches and Software Defects
The U.S. Department of Homeland Security (DHS) stated that 90 percent of all security incidents are the result of cyber criminals exploiting software defects. Coincidentally, in its latest Global Threat Landscape Report, Fortinet, a global leader in high-performance cybersecurity solutions, noted that, in Q2 2017, 90% of organizations recorded exploits for vulnerabilities that were three or more years old. It would seem that for a number of reasons, such as inadequate information security resources, outdated and/or unsupported software, or general inattention, many organizations continue to struggle to maintain adequate vulnerability management practices and stay current with their software patching activities. Small health care practices face this problem as well.
While the Equifax breach impacts the American public in general, it should serve as a wake-up call to small health care providers. After all, if a multi-billion dollar company that handles the information of over 800 million individual consumers lacked the resources, or exhibited a level of inattention, that limited its ability to fight off cyber criminals, then how could a small health care provider fare better?
Small Practices and Information Security
In June 2017, the Health Care Industry Cybersecurity Task Force (Task Force), in its Report on Improving Health Care Industry Cybersecurity, noted that smaller practices and rural hospitals “continue to use unsupported legacy systems, and lack access to proper security training [and] have not crossed the cybersecurity digital divide”. While larger organizations can afford to spend millions on their IT, according to the report, “small organizations cannot afford to retain in-house information security personnel, or designate an IT staff member with cybersecurity expertise”.
HIPAA requires health practices to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
Top Ten Cybersecurity Tips
In 2015, healthIT.gov published “Top 10 Tips for Cybersecurity in Health Care” which consisted of the following:
- Establish a Security Culture
- Protect Mobile Devices
- Maintain Good Computer Habits
- Use a Firewall
- Install and Maintain Anti-Virus Software
- Plan for the Unexpected
- Control Access to Protected Health Information
- Use Strong Passwords and Change Them Regularly
- Limit Network Access
- Control Physical Access
Several of these tips apply to ensuring that your practice has a robust vulnerability management program. Under the tip that directs organizations to maintain good computer habits, the article advised health care organizations to keep software up-to-date and address identified vulnerabilities. The article recommended that small practices automate patch updates on a weekly basis and monitor vendor messages for critical and urgent patches and updates that require immediate application. These tips could serve as a quick checklist for practices to evaluate the adequacy of their information security controls.
Another tip advises practices to plan for the unexpected. HIPAA requires health care practices to “establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information”. Having a contingency plan includes establishing a process for conducting incident response exercises on a regular basis to identify potential risks and develop and practice responding to those risks.
Guidance for Patch Management
NIST SP 800-40 rev. 3, Guide to Enterprise Patch Management Technologies, provides detailed guidance to organizations on how to develop a framework for patch management and ensure timely and appropriate patching. The guidance advises organizations to follow three broad principles. Specifically, organizations should:
- Deploy enterprise patch management tools using a phased approach.
- Reduce risks associated with enterprise patch management tools by applying standard security techniques. Specifically, ensure that patches aren’t being altered, credentials aren’t being misused, and vulnerabilities in the tools aren’t being exploited, and monitor patch management tool communications to identify vulnerabilities.
- Balance security needs with the needs for usability and availability. In other words, test patches before applying them to ensure that applying them does not “break” software or inhibit business operations.
Information Security Recommendations and Small Healthcare Practices
The Task Force recommended that organizations engage managed security service providers (MSSPs), companies that provide information system security services to organizations that outsource these activities. MSSPs could provide information security services in a cost-effective manner and address the needs of small and medium-sized organizations, allowing health care organizations to focus on providing services to needy patients.
In its report, the Task Force noted that smaller practices and rural hospitals provide most of the health care in the country but lack the information security resources to implement and rapidly deploy protections against ongoing, ever-changing tactics, threats and attack vectors. In short, small health care practices should not let the recent Equifax data breach deter them from developing and maintaining appropriate security controls to protect their data. HIPAA requires these protections, patients expect them, and implementing the appropriate safeguards is well within reach.