HIPAA Regulatory Alert

Threat modeling to protect patient information

You can't afford not to

A health care organization might have in place the best information technology (IT) protections available, but complacency can be a dangerous thing considering the gold mine of personal information stored by a hospital.

Consider this: One Atlanta-based security services provider says it's blocking an average of 15,543 attempted hacker attacks a day per health care client, compared to an average of 1,581 attacks per day per bank client.

To thwart an information thief, and thus comply with HIPAA requirements to protect personal health information, SecureWorks information security expert Jon Ramsey suggests thinking like an information thief.

"Sit your two best IT guys down for a while, and ask them how they'd break into your system, where they'd [attempt access], what they'd look for, and you'll come up with a pretty good threat model pretty quickly," Ramsey says. "Threat modeling means considering who is going to attack you, how, and what are the assets they're going to go after."

Threat modeling has proved its value for a long time in the banking industry, and now is doing the same work in health care.

Threat modeling an ongoing process

While it would be nice to construct a mathematically precise threat matrix that, once put into place, would serve as a permanent threat model, in real life, threats change daily, so preemptive measures against those strikes have to change daily, too, Ramsey says.

Implementing HIPAA includes preventing privacy breaches and reacting to ones that occur, and since technology changes with each day — and hackers' knowledge broadens at the same pace — staying ahead means constant vigilance to anticipate potential problems.

When threat modeling for potential privacy vulnerabilities, health care organizations should consider some general questions:

  • What's the nature of potential threats? (Are disclosures likely to be made accidentally, or is information likely to be stolen for profit, or both?)
  • Who is the source of the threat? (Employees, visitors, vendors, outsiders gaining access illegally.)
  • How might access be gained? (Hacking into a computer, stealing a laptop, breaking into an office.)
  • What data are vulnerable?
  • How many data are vulnerable?

And now is a good time to think "threat model," as the stakes recently increased. The Department of Health and Human Services (HHS) sent a clear signal earlier this year that it takes the safeguarding of patients' personal information very seriously when it took enforcement action against Seattle's Providence Health & Services over the theft or loss of health information of more than 386,000 patients.

Providence's patient information was compromised because electronic media, such as backup tapes and laptops that contained unencrypted information, were left unattended and eventually lost or stolen. While HHS has received more than 6,700 reports of breaches under HIPAA, the Providence case was the first time HHS imposed a fine ($100,000) for a data breach, and industry observers have written that it signals more to come.

Because "you can't protect everything from everyone," Ramsey points out, no security plan can monitor every single bit of data and every access point to those data; so it makes sense to put your greatest efforts toward the greatest risk.

In other words, he added (quoting former National Security Advisor McGeorge Bundy), "If you guard your toothbrushes and diamonds with equal zeal, you'll probably lose fewer toothbrushes and more diamonds."

Threat modeling allows a health care organization to take its limited IT and security budgets and use them to the greatest effect by narrowing down the areas of greatest vulnerability.

"You want to spend each dollar in a way that will make it more expensive for a threat to access your information," Ramsey adds.

Providers' need for quick access adds risk

Coupled with the attractiveness (to hackers) of the tremendous amount of personal identification data that's available from a health care patient record system is the vulnerability that's inherent when that information has to be readily and quickly accessible by those who legitimately need it — physicians, nurses, account managers, etc.

"It's the ubiquity of information; if you're an emergency room doctor and you need a patient's record, you get it right away," Ramsey says. Making that information easily administered and, at the same time, secure is why the field of IT in the health care setting has exploded in the last two decades.

"It's an organic thing; the threats change every day, so our clients have new threat models every day," Ramsey says. "What you need to say is, 'If I'm secure today and not tomorrow, what has changed?' and you have to ask yourself that every day."

With each new technology, there are new vulnerabilities; those multiply when you consider how many data systems within a hospital integrate or "map" to one another.

"The ubiquity of information and the need to integrate data across these systems leaves a lot of openness," Ramsey cautions.

And health care's use of existing technology is a boon to the "business" of information theft.

For example, Microsoft Windows has been around for 25 years, giving hackers a generation of time to learn its capabilities and vulnerabilities; now that the operating system is used in health care, "criminals have whole new business models to invade," Ramsey points out.

"We know from industries more advanced [than health care] in information security that threat modeling makes a whole bunch of sense," he concludes. "It's proven itself in other industries — you can't not do it."

[For more information: