By Elizabeth Snell

August 13, 2015 - The US Office of Personnel Management (OPM) announced earlier this summer that it had fallen victim to a large-scale cybersecurity attack. The OPM data breach further proved that regardless of size, all organizations need to ensure they have comprehensive data security measures in place.

The Institute for Critical Infrastructure Technology (ICIT) recently submitted a report to Congress on its investigation into OPM's security systems, and ICIT Co-founder and Senior Fellow Parham Eftekhari discussed ICIT's findings with HealthITSecurity.com. Eftekhari also broke down what healthcare organizations can take away from the situation, and what changes they can make to try to prevent the same thing from happening to them.

"Our fellows provide objective, non-partisan advising to members of the legislative community, as well as federal agencies as it relates to cybersecurity and technologies related to the healthcare sector," Eftekhari said. "Essentially, we help educate policy makers and lawmakers on the different technology issues that are affecting the healthcare industry."

One of the main issues with the OPM data breach, according to Eftekhari, was that the agency did not have adequate, multi-layered security. It's critical that companies protect both the perimeter and the core of their organization, he said.

"Hospitals need to change their mindset from 'we're going to keep the bad guys out' to 'we're going to put perimeter defenses in place to try and keep the bad guys out,'" Eftekhari said. "But for those insider threats that do occur, and the malicious actors – whether they're nation states or criminal groups – who do successfully penetrate perimeter defenses and go after the data, what internal defenses are in place to detect them as early as possible and to then stop them before they exfiltrate the data?"

There are several ways that this can be done, he explained. First, user behavior analytics can be greatly beneficial. This is essentially a family of technologies where an organization first creates a baseline to understand what the typical behaviors on the network are and how its employees typically behave as they perform their job functions, Eftekhari said.

"Machine learning processes then kick in and will monitor the network for abnormal behavior," he stated. "It can tell you if a user profile is doing something it's not supposed to be doing or doesn't typically do."
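The baseline-then-detect approach Eftekhari describes, reduced to its simplest statistical form as an added example (not code from the article or from ICIT): a per-user baseline of daily record reads is built from constructed access-log lines, and a later day is flagged when a user's volume sits far above that user's own normal, the kind of signal that can surface bulk reads before exfiltration. The log format, user names and the z-score threshold are assumptions for illustration.

```python
import statistics
from collections import defaultdict

# Constructed access-log lines (not real data): date, user, records viewed that day.
BASELINE_LOG = """\
2015-07-01 nurse_a 42
2015-07-02 nurse_a 38
2015-07-03 nurse_a 45
2015-07-06 nurse_a 40
2015-07-07 nurse_a 44
2015-07-01 dba_b 5
2015-07-02 dba_b 3
2015-07-03 dba_b 6
2015-07-06 dba_b 4
2015-07-07 dba_b 5
"""
NEW_LOG = """\
2015-07-08 nurse_a 41
2015-07-08 dba_b 900
"""

def parse(log):
    """Turn log text into (day, user, count) tuples, skipping blank lines."""
    rows = []
    for line in log.splitlines():
        if line.strip():
            day, user, count = line.split()
            rows.append((day, user, int(count)))
    return rows

def build_baseline(rows):
    """Per-user mean and population standard deviation of daily record reads."""
    per_user = defaultdict(list)
    for _, user, count in rows:
        per_user[user].append(count)
    return {u: (statistics.mean(c), statistics.pstdev(c)) for u, c in per_user.items()}

def find_anomalies(baseline, rows, z_threshold=3.0, min_spread=5.0):
    """Flag days where a user's volume is far above that user's own baseline."""
    flagged = []
    for day, user, count in rows:
        if user not in baseline:
            flagged.append((day, user, count, "no baseline for user"))
            continue
        mean, sd = baseline[user]
        spread = max(sd, min_spread)  # floor keeps very steady users from tripping on tiny changes
        z = (count - mean) / spread
        if z > z_threshold:
            flagged.append((day, user, count, f"z={z:.1f} vs mean {mean:.1f}"))
    return flagged
```

The DBA account reading 900 records on a day it normally reads about five is the case the model flags; the nurse's 41 is within her baseline and passes.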

Another key takeaway from the OPM data breach that healthcare organizations should take note of is the importance of encryption, according to Eftekhari. There are two main types of data encryption that can be beneficial as part of a multi-layered security strategy. First, there is split-key encryption, which is when half of the key is held by the vendor and half of the key is held by the healthcare organization. This makes it more difficult for a potential threat actor to obtain both halves of the key and put them together to access the data, Eftekhari explained.

"The other type of encryption you can use is field-level encryption," Eftekhari said. "They may access the data in the database, but as long as the database administrator doesn't actually have access to those field level encryption keys, you're basically slowing down the threat actor's ability to gain access to the information."
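Both ideas from the two preceding paragraphs, split-key and field-level encryption, in one added example (not code from the article or from ICIT). The key is split into two XOR shares, one notionally held by the vendor and one by the healthcare organization, so that either share alone is indistinguishable from random; only the sensitive field is encrypted, so a database administrator who can read the table sees ciphertext in that column. The HMAC-SHA256 counter-mode keystream is a stand-in for a real authenticated cipher such as AES-GCM, used here only because it needs no third-party library; the field names and values are constructed.

```python
import hashlib
import hmac
import secrets

def split_key(key: bytes):
    """Split a key into two shares; each alone is uniformly random, XOR of both restores it."""
    vendor_share = secrets.token_bytes(len(key))
    org_share = bytes(a ^ b for a, b in zip(key, vendor_share))
    return vendor_share, org_share

def join_key(vendor_share: bytes, org_share: bytes) -> bytes:
    """Recombine the two halves; needs both, which is the point of splitting."""
    return bytes(a ^ b for a, b in zip(vendor_share, org_share))

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode; demonstration stand-in for a real cipher (no authentication).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_field(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)  # fresh per value so equal plaintexts differ
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt_field(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

SENSITIVE_FIELDS = {"ssn"}  # assumption: only this column is field-level encrypted

def store_record(key: bytes, record: dict) -> dict:
    """What lands in the database: sensitive fields encrypted, the rest in the clear."""
    return {f: (encrypt_field(key, v.encode()) if f in SENSITIVE_FIELDS else v)
            for f, v in record.items()}

def read_record(key: bytes, stored: dict) -> dict:
    """What an application holding the full key sees."""
    return {f: (decrypt_field(key, v).decode() if f in SENSITIVE_FIELDS else v)
            for f, v in stored.items()}
```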

Governance and third-party management

Governance was another large issue at OPM, according to Eftekhari. Good governance policies, such as changing passwords, managing accounts, and disabling accounts when an individual has left the organization, are key, he said.

"One of the things we identified in the report before the breach was identified was that governance was really missing and is something that healthcare organizations can and should be implementing," Eftekhari explained. "These are not new concepts. Governance is a basic idea that unfortunately a lot of organizations still don't get down."

Proper third-party management is another lesson that healthcare organizations can take away from the OPM data breach, Eftekhari added. OPM was using many contractors, he said, and the organization was breached through its vendors and its own systems.

"Facilities have to not only understand the cybersecurity resiliency of the vendors that they're using, but also have a good understanding of what their network looks like," he said.

Eftekhari used the example of cloud service providers, as they are increasing in popularity. Many services are being outsourced to these companies, which is fine, but healthcare organizations in particular need to perform strong due diligence before they enter into a relationship with a vendor. It's essential to understand how those third parties are securing the data and where they are storing it. For example, if it's being stored in another country, the healthcare organization should know what that country's laws are as they relate to cybersecurity.

"These third parties are business associates under HIPAA and there are laws that tie all of these actors in the healthcare community together," Eftekhari said. "It's also really in the vendors' interest as well to partner with the payer or provider to make sure that they're on the same page and are shoring up their defenses as a team rather than autonomously."

Prioritizing health data security measures

One of the more common oversights that Eftekhari is seeing in the healthcare industry is a lack of understanding of the attack surface that needs to be protected.

"We hear about the Internet of Things and how there are going to be billions of internet-connected devices across the globe in the next five years, but the healthcare environment has a lot of internet-enabled devices that are overlooked," he said. "All of these are endpoints, and since they are all interconnected, they are all pathways into the system."

It is also essential that CEOs and CFOs prioritize their organization's data security strategy. The IT community may understand what the current threats are, Eftekhari said, but there must be a concerted, focused education effort for the business leaders within organizations.

"They control the budget, and for IT offices to get the funding to put in the systems they need and the security they need, they need to make sure the CEO and CFO and the board of directors understand that investing in security is investing in the financial future of the organization," Eftekhari explained. "It is not just an operating cost."

Even though there has been a lot of media attention around recent large-scale data breaches, such as the OPM data breach, Eftekhari said that it is helping the healthcare industry. No organization "wants to be the next Anthem," he said, as no CEO wants to take a hit on brand reputation and compromise patients' trust.

"But I think that all the media attention these breaches are getting is good for the thought process of these executives to change," Eftekhari said.

Overall, the basics are essential, and must be put in place to build a solid framework for a comprehensive data security plan. IT governance, including cybersecurity awareness training, needs to be mandatory for all employees, according to Eftekhari. Moreover, dual factor authentication is important; OPM did not have it in place on its systems before it was attacked.

"Some of these basics are still missing," Eftekhari said. "I've been in the IT industry for about 10 years, and dual factor authentication has been talked about since day one. But people are still not doing it, and it's a simple solution to implement. Getting back to basics is important."