Healthcare Cyber Security – TSCM & Risk Management

By J. D. LeaSure, President/CEO ComSec LLC

Healthcare related cybercrime continues its very remarkable upward trend. Electronic Health Records (EHRs), online healthcare portals, the street value of stolen Protected Health Information (PHI / e-PHI) / Individually Identifiable Health Information (IIHI) and limited cyber security programs have all contributed to this steady increase. And, as healthcare related cybercrime rises, regulators continue to develop or modify laws and regulations aimed at protecting the information, and ultimately the consumer.

Healthcare companies tasked with protection of personal and/or protected health information must implement a thorough and effective risk analysis and risk management program to comply with the legal and regulatory requirements. If your cyber security risk program focuses too strongly on IT security, the program needs to be reevaluated. Electronic eavesdropping devices are inexpensive, easy to use, and can capture a great amount of data in an inconspicuous manner. Data breaches are costly, create criminal and civil liability and can irreparably damage your company’s reputation and future earnings potential. Omitting Cyber TSCM and TSCM from your risk management process could be a very costly mistake.

Breach Statistics & Costs:

According to the Identity Theft Resource Center (ITRC), in 2013 health / medical related data breaches accounted for 43.8% of all breaches. Hacking, subcontractors, data on the move and insider theft, respectively, were the most frequent sources of data breaches. And, within the health / medical category, release of social security numbers was the most frequent type of data breach, with credit or debit card information exposure a close second.

The per capita cost of a data breach in the US for 2013 was $188 per record according to the Ponemon Institute’s 2013 Cost of Data Breach Study: Global Analysis. In 2013, the number of health / medical records breached was 8,811,051 according to ITRC. That amounts to a staggering cost of $1,656,477,588 within the healthcare / medical market. Yes, that’s $1.6 BILLON in 2013 alone!

Legal & Regulatory Landscape:

There are more than thirty (30) federal laws and a multitude of state laws that deal with privacy issues. Not all are related specifically to healthcare, but each affects the cyber security of healthcare companies in one form or another.

Laws specifically regarding cyber security for health related information include, but are not limited to:

Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule

The Patient Safety and Quality Improvement Act of 2005 (PSQIA) Patient Safety Rule

The Health Information Technology for Economic and Clinical Health Act (the HITECH Act)

If your healthcare organization fails to comply with the requirements, criminal, civil and monetary penalties can result.

Risk Analysis & Management:

Among the provisions of HIPAA Security Rule, are the requirements for Risk Analysis and Risk Management. The provision states that covered entities must “implement policies and procedures to prevent, detect, contain, and correct security violations.” Further guidance provided by The Computer Security Division of National Institute of Standards and Technology‘s Guide for Conducting Risk Assessments for Information Security (9/2012), identifies the types of threat sources to be considered during the risk analysis and risk management process as: (i) hostile cyber or physical attacks; (ii) human errors of omission or commission; (iii) structural failures of organization-controlled resources (e.g., hardware, software, environmental controls); and (iv) natural and man-made disasters, accidents, and failures beyond the control of the organization. NISTS’s Guide further classifies threat sources as adversarial, accidental, structural, and environmental, and provides representative examples of threat events to include in the cyber security program.

Risk analysis and risk management are best accomplished by involving a number of personnel with varying levels of authority and different areas of responsibility. While an IT professional may be focused on the IT perspective of data security, a security manager, the CIO, the CFO, and the Human Resources Director may all have valuable input in developing a comprehensive cyber security risk program.

Importance of TSCM / Cyber TSCM:

Technical Surveillance Countermeasures (TSCM) is a highly skilled process to discover electronic eavesdropping devices, security hazards or security weaknesses by executing a systematic physical and electronic examination by an expertly trained, qualified and equipped person(s). Cyber TSCM is executed similarly to TSCM, but its objective is to discover devices that are used to capture data and information traveling through cyberspace.

Network penetration testing does not include TSCM / Cyber TSCM survey testing. The specialized nature of the TSCM detection equipment, the skill set(s) of the specialist, and the knowledge of eavesdropping devices and tactics used exceed the realm of IT testing. However, electronic eavesdropping devices present a very real threat to healthcare data security. Whether the eavesdropping devices are utilized in an adversary or accidental manner, their introduction into the data system, the physical work environment or when used on personal electronic devices can result in the release of PHI, e-PHI or IHII.

A TSCM / Cyber TSCM survey provides very valuable input into the current state of your organization’s cyber security program. And, when conducted periodically as changes occur, new vulnerabilities and potential exposures can be detected often before a breach occurs.

If your healthcare organization’s risk analysis and risk management program does not include TSCM and Cyber TSCM, your program could be vulnerable to a breach, and subsequent costly legal or regulatory actions. ComSec LLC provides TSCM and Cyber TSCM services to healthcare companies, and their subcontractors, in the US and abroad. Contact ComSec LLC today to discuss your needs!

J.D. LeaSure, CCISM, is the President/CEO of COMSEC LLC, a premier provider of Cyber TSCM, TSCM and Counterespionage Advisory Services to corporations, government and hi-profile individuals worldwide. Visit https://comsecllc.com for more information.

*Cyber TSCM ™ is a trade mark of ComSec LLC
© 2015 ComSec LLC