This year, a series of global ransomware attacks, including WannaCry and Petya, drove home the importance of cybersecurity in the healthcare industry. In March, the FBI issued a stark warning about the potential vulnerability of private patient information—one of the most common targets for hackers. With so much at stake, Hixny knows there is no such thing as being too careful when it comes to information security.
As Director of Privacy & Security, Taiymoor Naqi is responsible for maintaining and establishing security protocols at Hixny. He holds a law degree from the State University of New York at Buffalo as well as a Master’s in Business Administration from the State University of New York at Albany. He also has a BS in Policy Analysis and Management and a certificate in Executive Leadership for Healthcare Professionals, both from Cornell University.
Here, he discusses the ways Hixny is working to protect vital patient data.
Q: What is Hixny doing to be proactive against cybersecurity attacks?
The world of cybersecurity is ever-evolving and therefore Hixny utilizes a multifaceted approach to ensure the security of our enterprise. First, we house our data within a SOC 2 certified data center. SOC 2 certification demonstrates that an independent expert has thoroughly audited an organization’s controls to ensure compliance with security best practices. For example, Hixny’s data center features multiple security controls that limit physical access to only select Hixny personnel. Logical access to the data is then protected via multiple security tools and platforms, including firewalls, an intrusion prevention system, and around-the-clock antivirus and malware defense. Our firewalls and intrusion prevention platforms allow us to strictly limit and monitor the internet traffic which flows through our systems. The firewalls and intrusion prevention systems are then supplemented by a robust vulnerability scanning software that Hixny employs around the clock, providing continuous threat intelligence and the ability to remediate issues in real time.
In addition to the above, it is important to understand that Hixny secures its data exchange by ensuring that data only flows via proper authentication and encrypted channels. Lastly, Hixny regularly undergoes third-party assessments, audits and certifications that require demonstrating our compliance with various security controls. These controls are based upon strict state and federal regulations, such as HIPAA, as well as widely accepted security best practices defined by the National Institute for Standards and Technology (NIST), among others.
Q: What can healthcare providers do to ensure the medical records of their patients are secure from hackers?
A multifaceted approach is best. First, providers should develop and maintain robust policies and procedures that help staff understand their role in securing their patients’ data. Staff should also be trained and regularly retrained on security awareness so that they are cognizant of new and developing programs and tactics used to penetrate information systems. These policies should consider both physical security as well as cybersecurity practices that rely on recognized standards and best practices. Secondly, providers participating in electronic data exchange should ensure that all information is encrypted during data transmission. These connections should be revisited often to confirm that there are no vulnerabilities that could compromise the connections. Lastly, it helps to have resources within the organization that are directly responsible for information system security. I would recommend that providers looking to learn more about best practices start with the website for the Office of the National Coordinator for Health Information Technology (ONC).
Q: How does Hixny ensure that only authorized users access its systems?
This goes back to the manner in which we have configured our data exchange connections. Patients wishing to establish a Hixny For You account to access their own records cannot do so until their identity has been properly verified. Users at provider organizations cannot access the system until the organization, and the individual users, have been properly set up by Hixny for access. This involves a multistep process which requires the organization to indicate who is authorized to access Hixny. Then, before any data exchange occurs, a secure connection is established between Hixny and the organization. All data that is then accessed requires secure, encrypted connections which, in turn, require proper authentication. Lastly, Hixny maintains a permanent audit history on every record accessed by all users of our systems. This history is subject to our New York State Qualified Entity Certification, for which we must demonstrate that these records cannot be modified or deleted.
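The answer above describes a permanent audit history whose records must be shown to be unmodifiable and undeletable. As an added illustration, not Hixny's code and not a description of how Hixny actually implements its audit history, the following shows one common way to make such a history tamper-evident: each entry carries an HMAC-SHA256 digest over its own fields and the previous entry's digest, under a key held only by the audit service, and the latest digest is published out of band so that silent truncation is caught as well. The key, user names, record identifiers and events are all constructed for the example.

```python
# Added example: tamper-evident (hash-chained, HMAC-protected) append-only audit log.
# Not Hixny's implementation; every constant, name and event below is constructed.
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed key. In practice it lives with the audit service (e.g. in an HSM), never with users.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


@dataclass
class AuditEntry:
    """One record-access event plus the digest that chains it to its predecessor."""
    seq: int          # position in the log; covered by the digest to block reordering
    user: str
    record_id: str
    action: str
    prev_hash: str    # digest of the previous entry (GENESIS for the first one)
    entry_hash: str   # HMAC-SHA256 over this entry's fields and prev_hash


class AuditLog:
    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[AuditEntry] = []

    def _digest(self, seq: int, user: str, record_id: str, action: str, prev_hash: str) -> str:
        # Canonical JSON so the same event always hashes the same way.
        payload = json.dumps([seq, user, record_id, action, prev_hash],
                             separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, user: str, record_id: str, action: str) -> AuditEntry:
        seq = len(self.entries)
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = AuditEntry(seq, user, record_id, action, prev,
                           self._digest(seq, user, record_id, action, prev))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest digest; publish it out of band so truncation can be detected."""
        return self.entries[-1].entry_hash if self.entries else self.GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Recompute the chain. Returns (True, None) if intact, otherwise (False, index)
        where index is the first failing entry, or len(entries) when the log has been
        truncated relative to expected_head."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:          # reordered or deleted entry
                return False, i
            expected = self._digest(e.seq, e.user, e.record_id, e.action, e.prev_hash)
            if not hmac.compare_digest(expected, e.entry_hash):   # modified entry
                return False, i
            prev = e.entry_hash
        if expected_head is not None and not hmac.compare_digest(prev, expected_head):
            return False, len(self.entries)                # entries dropped from the end
        return True, None


def build_sample_log(key: bytes = DEMO_KEY) -> AuditLog:
    """Constructed sample events (fictional users and record ids)."""
    log = AuditLog(key)
    log.append("dr_jones", "patient-1001", "view")
    log.append("nurse_lee", "patient-1002", "view")
    log.append("dr_jones", "patient-1001", "print")
    return log


def demo() -> dict:
    """Show that modification, deletion and truncation are each caught."""
    intact = build_sample_log()
    published_head = intact.head()      # copy kept with the auditor, outside the log

    modified = build_sample_log()
    modified.entries[1].user = "someone_else"   # edit an existing entry in place

    deleted = build_sample_log()
    del deleted.entries[1]                      # remove an entry from the middle

    truncated = build_sample_log()
    del truncated.entries[-1]                   # drop the most recent entry

    return {
        "intact": intact.verify(published_head),
        "modified": modified.verify(published_head),
        "deleted": deleted.verify(published_head),
        "truncated_without_head": truncated.verify(),
        "truncated_with_head": truncated.verify(published_head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The chain alone catches edits and deletions in the middle of the history, but a log that has merely lost its newest entries still verifies cleanly; that is why `demo()` also checks against a head digest stored outside the log, which is the piece an auditor would ask to see when the requirement is that records cannot be deleted.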
Q: What is the most common weakness in cybersecurity and why?
Personnel. Personnel are the best and most important, but often the weakest, line of defense, and attackers know this. Phishing emails are often sent to employees and made to look quite legitimate. When employees fail to carefully assess emails they receive, and click on attachments, the ramifications can be catastrophic. This is the primary avenue through which malware infects a machine and, eventually, an entire system.
Q: What is the most important aspect in protection and preparedness?
Hope for the best and prepare for the worst. While this may sound cliché, the essence of being adequately protected and prepared requires combating and overcoming any sense of complacency. No enterprise is ever truly risk free; new threats are constantly being born, and existing threats are always evolving. Therefore, it’s critical to consistently revisit your security protocols and technology, identify gaps and vulnerabilities, and work to resolve them.
Q: What is HITRUST and why is it important?
HITRUST certification is a key indicator of a secure organization. Established in 2007, HITRUST represents a collaboration of healthcare, technology, and information security leaders who have established a Common Security Framework (CSF) to be used by various types of healthcare organizations to demonstrate security, privacy, and regulatory compliance. The CSF is based upon the HIPAA Security Rule and commonly accepted security standards and guidance. Therefore, achieving HITRUST certification provides both an organization and its customers with assurances that the certified entity is complying with a robust set of security control requirements. Beginning in 2018, New York State will require Hixny and all other Qualified Entities connected to the State Health Information Network for New York (SHIN-NY) to be HITRUST certified.
Q: What keeps you up at night?
I think and work better at night, so I’m usually up anyway. But if you’re asking what worries me the most, it’s a breach of our data and all the attack vectors that bad actors have at their disposal. We’re an HIE managing millions of healthcare records and we are expected to constantly ensure the confidentiality, integrity, and availability of that data. I am encouraged by the great participants and people we have at Hixny who are committed, every day, to keeping the data safe and secure. And what helps me sleep are the various tools, policies, and procedures we have implemented to ensure system security, the manner in which our data exchange connections are configured and the various subject matter experts and security resources we have at our disposal.