Host of Payment Matters
What’s the difference between security and compliance? In this episode of Payment Matters, Jeff Lin is joined by two security experts to discuss security and compliance in healthcare payments. Tune in as Jon Sternstein, Principal at Stern Security, and Noah Dermer, Security Officer at InstaMed, answer questions about healthcare payment security, PCI compliance and what healthcare organizations need to know about protecting data at their organization. Read the full transcript below.
Jeff Lin: Today’s topic is security and compliance in healthcare payments. Security concerns in healthcare have been around for quite some time and aren’t going away. The healthcare industry continues to be a target for cyber-attacks. And industry stakeholders are concerned, especially when it comes to healthcare payments. We’ve seen metrics such as 94% of providers report that security is of critical importance when collecting healthcare payments.
What do payers and providers need to know when it comes to protecting payment data, especially as they work to deliver more and new, convenient ways to collect payments from consumers?
I’m excited to say that joining us today are Noah Dermer, Security Officer at InstaMed, and Jon Sternstein, Principal at Stern Security. Thank you both for taking the time to chat with me today. Noah and Jon, starting with Noah, can you introduce yourselves?
Noah Dermer: My name is Noah Dermer and I’m InstaMed’s Security Officer. I’m formerly Epic’s Chief Security Officer and Chief Privacy Officer. Having worked at Epic for just under a decade, I collectively now have over two decades of IT experience. It’s a pleasure to be on the show today.
Jeff Lin: It’s nice to have you on board. Jon, do you mind doing a brief introduction about your experience and your role?
Jon Sternstein: Sure. I’m Jon Sternstein, Founder and Principal at Stern Security, a cybersecurity company focused on protecting healthcare organizations. Prior to starting the company, I was a Healthcare Security Officer at a large healthcare organization, and prior to that I was in several security engineering roles.
I also teach ethical hacking classes, and we recently released the healthcarebreaches.com interactive dashboard, which provides insight into healthcare breaches.
Jeff Lin: We have two great guests today who have a wealth of experience across the continuum of security and compliance. I’m going to ask Noah the first question. Security and compliance – sometimes these terms are interchangeable. What’s your definition of security and compliance and how should people view the differences between them?
Noah Dermer: It’s a great question, because we often see people get confused. Or when they’re going through and working with different vendors or solution providers, they start confusing the two.
When you talk about security, you’re really talking about the tools, technologies, policies and procedures that organizations put in place to protect data. Things as simple as virus scanners with up-to-date virus and malware definitions or patch management – rolling out patches in a timely manner from Microsoft, Apple, etc. Security also includes more expensive technologies like firewalls, intrusion detection and intrusion prevention systems. You layer those on top of each other to provide security for either a healthcare organization or a business more generally.
In contrast, compliance is the ability to align your security policies and procedures to standards like HITRUST, HIPAA, EHNAC, PCI or more generally like a SOC 1 or SOC 2 report.
One thing you want to look at when you’re talking with a vendor or looking at a program is the vendor’s ability to align and build in their security program. If the vendor built a strong security program from day one, it will naturally flow into their compliance initiatives. In contrast, if compliance is driving the program, it’s going to be a puzzle that they’re always trying to fit together. They will keep trying to align their technologies and security with whatever the latest compliance program is, or with whatever market feedback tells them they need to align with.
When you build the foundation of a good security program from the ground up, it flows naturally. In contrast, if you reverse the two and compliance is driving security, it gets much more challenging.
Ultimately, what you want is a vendor who has layers of security to protect the data that you’re trusting them with. You want a vendor with a compliance program such that you don’t have to dig deep into reports to understand what they’re doing. You’re comfortable that they understand healthcare, that they understand payments or whatever other industry that they’re in. You want to make sure what they’re doing aligns with your organizational needs.
Jeff Lin: Let me ask this to Jon. From this perspective of security and compliance, is one more important than the other?
Jon Sternstein: You really need both. Noah’s right on point with what he mentioned about the differences between the two. I look at compliance as the bare minimum criteria that you need to protect yourself. But, as Noah mentioned, you also need to have a strong security program in place.
However, I know that many organizations probably would not even look into security, no matter how important it is, if compliance regulations weren’t telling them they had to. I think you really need both.
Jeff Lin: Continuing with Jon here, as we talk about the nature of security and compliance and how critical they are, what kind of threats do you see? Why should a healthcare organization be focused on this?
Jon Sternstein: Hopefully, they’re focused on it because they really, truly do care about protecting the information that their patients are trusting them with. Hopefully that’s the number one reason. There are many threats targeting healthcare organizations, hacking for one. Medical records are incredibly valuable. Intruders have discovered this and they’re taking full advantage. There’s also malware, which is a huge threat related to the hacking incidents that we’re seeing on the news. We’ve seen ransomware attacks that have completely immobilized healthcare organizations, many of them going back to paper records for days. There are many other threats too, whether it’s phishing or staff members accessing records they shouldn’t. There’s quite a bit of human error as well, organizations simply losing track of patient information by mistake or releasing records when they did not mean to. Plenty of issues there with security.
Jeff Lin: Let me ask Noah. Jon alluded to the variety of attacks out there including phishing, malware and human error. What are the financial repercussions of these attacks?
Noah Dermer: It’s difficult to give a specific number, to quantify it perfectly, but you can start by thinking about the potential financial impact of this occurring. Obviously, in the example Jon mentioned, the reverting of a healthcare organization from electronic to paper records, that’s a distinct thing, right? You’re talking about your operating rooms not being fully utilized, perhaps even diverting patients, the changing of patient care. And then you can think about what it takes to analyze the problem and remediate it. Remediation includes requests from the people who have trusted you with their cardholder information or checks information for access to various credit monitoring services or otherwise.
Then you think about things like, how do you make certain that the intruder that was in your network is now out of it? And of course, there’s a reputational risk. I think that’s probably the hardest one to quantify and also the most significant – what does it mean for your reputation in the community or throughout the nation, and what is it going to do to you in the long term?
It’s important to think about all those aspects. Jon, I know you’ve done some work on this. Can you speak a bit about the penetration testing that you’ve done to help organizations understand where they’re vulnerable and how to remediate the risks?
Jon Sternstein: Sure. Part of our services include testing to find vulnerabilities before intruders do. It’s very common that from the internet we’re able to look at vulnerabilities in the healthcare organization and completely gain access to their internal network and fully access all patient records in there. We then help the organization to fix those issues so nobody else can connect and exploit those. We help them remediate everything so moving forward, they don’t run into issues like that again.
Those types of issues are fairly common. I’m sure we have all heard them on the news. The numbers recently released for healthcare breaches are that it costs a healthcare organization about $408 per record lost. That’s a pretty high number – more than any other industry.
Jeff Lin: That’s an interesting point. There are clear financial impacts and Noah alluded to reputational impacts. Jon, I’m interested in your perspective here. As someone who has been doing this for quite some time, without naming names, can you allude to any examples of security gaps you’ve seen as you work with healthcare organizations? Any interesting anecdotes or stories that you can share from your experience?
Jon Sternstein: Sure. We definitely come across similar issues across organizations. One of the issues that we commonly see is weak passwords. I remember a few different engagements we’ve been on where an organization will say, hey, this is our patient portal, this is probably the main target from the internet that we need to worry about. This is the one that you should examine. However, we find other systems connected to the internet that have very weak passwords. We notice that once we gain access to those weak systems, we can fully access the patient systems, whereas the patient system by itself might be pretty locked down. Notice that you have to protect your entire environment. You’re only as strong as your weakest link.
We often see test systems that are connected to the internet, systems with default passwords or organizations that don’t have two-factor authentication enabled. Individuals can log in to their EHR or their email account with just a username and password, instead of tying their phone to their access. Most of the time, if an organization doesn’t have basic security features in place like changing passwords and using two-factor authentication, it’s pretty simple for somebody to get into the environment from the internet.
Jeff Lin: That’s pretty scary stuff, to think about how easy it is for someone to get into a healthcare organization’s network.
Let me ask Noah this. Jon alluded to the gaps and you alluded to the financial repercussions – what should healthcare organizations do to protect themselves? What are best practices healthcare organizations should follow to protect their data?
Noah Dermer: One of the things they should start off with is a risk assessment, which, according to HIPAA, they should already be doing, and I’m sure most are doing it. They should take a look at the entire organizational picture to understand what their risks are.
If you go back to the mid-nineties, there was a hacker named Kevin Mitnick. He realized you don’t need all this technology to hack into organizations. You can basically just use a combination of social engineering and human interest. If you drop floppy disks labeled “HR Salary Files” in the parking lot of an organization that you want to get into, human nature gets the best of most people. The next thing you know, they’ve inserted that floppy disk into their computer at work or home. You can quickly translate that example to the modern equivalent of a USB thumb drive or maybe a DVD, CDROM, something like that.
You should think about the aspects of your organization that you can improve to further protect both healthcare data and healthcare payment security. Doing a risk assessment, either internally or with the help of a third party if this process is new to you, is a great first step to understand the risks in your organization. And then you need to educate your employees. Your employees are the ones who will be dealing with social engineering attacks, potential human error, phishing emails and the like. You can build in lots of technologies and tools such as spam filters and disabling removable media, but in the end, you want to make sure that your employees understand what it is you’re trying to do. Ultimately, you want to provide a great healthcare experience to the consumer, to the patient, but also protect the underlying data. Employees should feel free to report potential incidents, even if they’re not 100% sure it’s an actual problem. Encourage them to report these potential incidents to the security officer or security team without feeling like they’re going to be judged or punished for doing so. You want an open culture where people report potential issues so you can evaluate them, hopefully before they become actual issues.
That’s one of the biggest things to do. The other big thing is that if there’s data you don’t need, don’t process it directly. Healthcare payments is a great example of that. For example, you should be using encrypted credit card terminals to keep credit card data off your network. With the modern terminals today, there’s no need for unencrypted cardholder data to be flowing through your computers, whether it be front office, back office or the patient portal that Jon referenced earlier. You should be outsourcing that to someone who actually is focused exclusively on healthcare payments. Have the vendor develop those tools and technologies and make it easier for your patients to make their payments while keeping that data off your network.
Jeff Lin: Jon, Noah talked about all the things that healthcare organizations should do. It’s a long list and those are important things, including third-party assessments and so on. Large organizations probably have budget and people allocated to security and compliance. What would you recommend for smaller organizations that don’t have large IT budgets or may not have dedicated security staff? What should they be thinking about to protect themselves from these attacks?
Jon Sternstein: That is a great question and a lot of organizations are struggling with that. There are definitely some things that they can do. Small organizations have to protect their information just as much as larger organizations and there are resources that are available to smaller organizations.
One thing that they could do is to go to the Health and Human Services website. There’s a tool there that they can use to do a self-assessment for HIPAA compliance. It’s a risk assessment questionnaire that walks you through. Once you find some of the areas that you’re weak in, you can focus on those areas and get additional help with them, perhaps doing an entire assessment; you could hire somebody to do that right off the bat. You can find out what areas you are generally weak in and then hire somebody to tackle those areas. Or you can just use the questionnaire to understand how far behind you are and start saving some budget for that.
You can also work with third-party organizations. It’s tough, because security professionals can be very expensive, especially nowadays with the large shortage. But these security organizations will tend to work with smaller organizations. You don’t have to do your entire assessment all in one week; you can spread it over time. It’s important to remember that security is not a single point in time. Small organizations could benefit from stretching out the security assessment process over several months.
Jeff Lin: It sounds like security and compliance is a marathon, not a sprint, and should have a long-term strategy and roadmap.
Let me ask Noah. When we talk about security and compliance, we have to balance it with user experience – making life easier for the consumer or the people that work for health organizations. How should an organization find the balance between being ultra-conservative with security and locking things down, versus having an easy user experience?
Noah Dermer: I think they can actually be aligned. A few years ago, an organization was trying to figure out if they were going to roll out a mobile app. The mobile app would allow patients to take pictures of their conditions and send them back to the doctor for analysis. The security team was doing an in-depth analysis of the app, trying to understand what it was. Someone finally asked what the current workflow was. They realized the current workflow was that the patient would text or email it to the doctor using either the doctor’s Gmail account or their corporate email account.
The first thing when you’re doing this analysis is to step back and find out the status quo. Because, yes, there may have been a vulnerability or issue with the app, but the actual status quo was pretty bad. After you determine what you are doing today, you can consider how to align security and compliance with user experience. The payment industry, in particular, has had a lot of advances that actually improve both the security and compliance and the patient experience.
Consider Apple Pay® – the ability to show up and make a payment with a phone. If I can use it at Whole Foods and other places, why can’t I show up to my doctor’s office and do the same thing? And digital wallets – we often view this as a technology that helps consumers make their payments in an efficient manner, much like they can on Amazon. But by creating tokens and not throwing out the actual credit card numbers, we get both a security win and an improvement to the overall consumer experience.
When you find the right industry partners who can help you align security and compliance with user experience, you should definitely work with them. If your vendor is not keeping up with the latest trends, not only will your consumers be disappointed, but your security may be falling behind, as well.
Jeff Lin: Sometimes the best solutions have both in mind, and that makes it more secure.
Jon, a question for you. As more and more data breaches occur, and I’m hearing ransomware, ransomware, ransomware, across the board, what should organizations learn from these incidents? What can they do to prevent them? Are there key tactics?
Jon Sternstein: Reviewing past breaches is incredibly important. That’s why we created healthcarebreaches.com where you can see trends in healthcare data breaches. As we look through past breaches from 2009 to today, we can see that many organizations have been breached through actions such as phishing. From there we can see that maybe these organizations did not have security awareness training for their staff or two-factor authentication. We can learn from those breaches and say, well, quite a few organizations are getting hacked through their email accounts. Maybe it’s time to educate staff about these types of threats and also implement security measures such as two-factor authentication.
Quite a few breaches involve cases where organizations have a wealth of information that they may not need. That goes back to Noah’s point – if the data doesn’t need to be stored, or you don’t need to store the data yourself, then why hold it? If you don’t store information, then you don’t need to protect it. If you can defer the risk to another company that’s focused on secure data storage, then definitely do that.
The huge spike in ransomware and breaches teaches us the importance of having really good backups in place, of having good endpoint protection and learning how to quickly recover if parts of your network are down. There are so many different ways to protect your information from malware. There really isn’t anything new that we just discovered this year to protect organizations. These are common things, where if you have a good security program in place, you should be able to respond.
In looking at past breaches, everything is not negative or doom and gloom. We’re actually getting better in some areas. If you look at the trends, you will see that breaches due to theft of laptops, desktops and USB drives are down. I don’t believe that is because fewer people are stealing laptops. I think it’s directly related to everyone getting better at using encryption – full disk encryption, encrypting their USB drives or not even putting that information on USB drives.
Going back to small organizations and how they can use this information: I understand this all can be overwhelming, but no organization needs to do this on their own. I highly encourage organizations both large and small to work with other organizations. Network with similar organizations. Join healthcare security groups such as NCHICA and HIMSS. Listen to this podcast. Join local security groups. It is a team effort across the industry.