Until Monday, March 21st, the cybersecurity industry was holding its collective breath over the Apple versus FBI security challenge. On one hand, Apple had worked hard to create security that actually keeps citizens’ personal data secure. On the other, a government agency wanted access to data in specific situations, namely, to track criminals.
While this incident is no longer on the table for now, the overall issue of accessibility versus security has not been resolved—and will likely rise up again in the near future. If it’s not with Apple, it could be with Facebook, Google or other companies who “have lately improved the security of their mobile software and messaging systems, making it impossible for the companies to help with some requests that would previously have been fulfilled. Investigators claim they are being unfairly impeded in their work.”
This new battleground is just one of the ongoing accessibility versus security challenges facing today’s organizations. The health care industry, for example, is facing its own accessibility challenge around giving consumers access to their electronic medical records.
As this issue heats up, it is beginning to sound more and more like a Goldilocks and the Three Bears dilemma. Depending on your perspective, data is either too accessible or not accessible enough. It’s rarely just right for everyone.
Too Little Accessibility — Our Electronic Health Records
Nearly 53 percent of consumers say they cannot access their electronic health records (EHR), despite assuming more responsibility for both the cost and control of their health care in 2016, according to the October/November 2015 HealthMine survey.
Consumers want more access. Nearly 74 percent said that having easy electronic access to their health data would improve their knowledge about their health and improve communication with their physicians.
As of 2013, 78 percent of office-based physicians were using an EHR/EMR system. Yet electronic medical records are far from delivering on their promise for U.S. consumers, said Bryce Williams, CEO and president of HealthMine, which conducted the study.
“Sitting in the driver’s seat of health requires transparency of health data,” he stated. “Consumers must be able to see the road, the potholes, the landmarks. Having access to complete health information is essential to managing health and health care dollars—and every consumer should have it.”
But no one can say exactly when or how all consumers will have easy access to their complete electronic medical records.
When viewing situations like access to EHR, it’s easy to rally on the side of creating greater accessibility. However, when examining other cases, it’s easy to rally for less accessibility. Take, for example, the Office of Personnel Management breach, in which the data of 21.5 million people was stolen.
Too Much Accessibility — U.S. Office of Personnel Management
The OPM breach occurred because convenience and accessibility were prioritized over critical security practices, according to a recent report. Specifically, the problem boiled down to the OPM, like other federal agencies, using a cyber defense strategy based on known security signatures rather than a continuous-monitoring approach.
An analysis of the breach by the FBI and DHS emphasizes that the severity of the OPM breach could have been mitigated had the agency employed tiered identity management controls for system administrators. This would have segmented the organization’s network from other agencies’ networks, thereby reducing accessibility while beefing up security.
According to an official government timeline of the breach, hackers used stolen credentials from contractor KeyPoint Government Solutions to access OPM networks. The intruders likely accessed OPM’s local-area network on May 7, 2014, then planted malware and created a backdoor for exfiltration. It would be nearly a year before OPM officials knew they had a problem.
Despite new initiatives and laws to control access to data, the OPM has yet to control its too-accessible problem, and remains “at high risk for future intrusions,” investigators concluded. If anything, this incident illustrates just how challenging it is to strike the right balance between accessibility and security.
Striving for Balance
So how should health care organizations address the ongoing conundrum? What’s more, how can they strike the ideal balance in the face of mounting health care industry and government security and accessibility pressures?
The U.S. government is actively seeking solutions. For example, the recent passage by Congress of the Cybersecurity Information Sharing Act of 2015 is intended to ease sharing of threat information between corporations and the government. Further, HIPAA regulations are designed to support organizations facing this ongoing challenge.
These initiatives and others may eventually, step by step, help organizations achieve a good security-versus-accessibility balance. However, there are giant steps organizations can take now to become both more secure and more accessible—risk analysis and timely remediation.
- Risk analysis. Effective information risk management (IRM) gives organizations a comprehensive structure for assessing any and all risks to their data and network security—including threats, vulnerabilities, impacts and likelihood of harm. The National Institute of Standards and Technology (NIST) has developed one of the most holistic and potent IRM processes—the NIST Cybersecurity Framework. It gives organizations a proven security structure, along with an abundance of critical guidance on managing information risks.
- Timely remediation. With IRM knowledge in hand, organizations can create strategic remediation plans to deal with their known risks. This allows them to respond to the identified risks by creating a consistent, organization-wide response, including evaluating alternative courses of action and implementing risk responses based on selected courses of action.
These two steps can have a significant impact on organizations’ cybersecurity, as well as their ability to achieve an ideal balance—one that meets both their critical network security goals and their ability to make data securely accessible.
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.