A healthcare information technology system (HITS) stores protected health information (PHI) from labs, hospitals, governments, and countless patients, so it is imperative that it be built as a secure and auditable technical system. In managing sensitive information, the provider and its partners are responsible for stewarding the data, accumulating regulatory certifications, and hosting third-party audits that externally validate the internal work. When earth-shattering outbreaks like COVID-19 occur or biological weapons like anthrax are released, the devastating impacts are the result of exposed and vulnerable security, both physical and technological.
Standard layers of security
When handling information in a secure system, a layered approach provides distinct stages of security, each requiring more involvement the deeper the access goes. A mature information technology (IT) system has recognisable properties that are enforced, adapted, and maintained to achieve this posture of layered cybersecurity. A few of the most practical methods are as follows.
- Multi-factor authentication (MFA)
- Account-based role and attribute access control (RBAC/ABAC)
- Privileged identity management (PIM) and just-in-time (JIT) access
- Intrusion detection, prevention, and critical vulnerability updates
- Secret rotation and secure storage of keys
All of these, ordered by present-day threat level, are controls which, when absent or weak, can allow a user or intruder to extract information, gain access to deeper networks, and even compromise the physical security of the operation. As devices become more connected, patient monitoring and patient data scale in both volume and device count, with wearables becoming more prominent, and the attack surface to protect increases ten-fold.
Protecting from the global threat
The infamous leaks of COVID-19 and anthrax provide an evident picture that medical data, however simple or complex it becomes, needs to be protected to secure the public. Exposure of contagion and virus information, even information about how such a contagious disease or deadly substance could be constructed, could lead to pandemic-sized terrorism.
From a simpler perspective, patient information in a healthcare system can be valuable at the level of a single individual, say a politician, and at scale, for observing and understanding one person or a mass of people in a location. Because similar technologies are used to host this information, the typical security plan is usually based on the best practices for those technologies. From contagious diseases to an individual's information, the security system is often the same; what changes with the gravity of the data is the number of layers and the connectivity of the complex systems, versus the more simplistic ones.
As healthcare continues to scale its digital presence and the connectivity of its devices, protocols like HL7 FHIR increase interoperability while also scoping data responses, by codifying the interactions through context propagation. Through the lens of data as an interface, security and engineering teams can define standards and policies that are the building blocks of interactions in healthcare systems, in a more reliable and deterministic way.
Abstracting the risk of low-level attacks
Systems supporting healthcare are ever-growing, yet despite the massive collections of data, security controls have a cumulative effect: as the data grows, they remain as effective as when they were first put in place. When implementing a security policy across an organization, several plain standards, carried through IT over time, come to mind, and they can strengthen even the most secure facilities with simple implementation.
A secondary mechanism for validating the user, combining something they know (a password), something they have (a phone), and something they are (a face), adds hurdles to anyone trying to get past login screens and gain access. In addition to these factors, an automatic screen-lock policy, which many users already see on their phones and devices, with an internal timer that, without interaction, times out the screen and locks the device, continues this security layer. When users must use a password in combination with these authentication factors, limiting and blocking the reuse of passwords ensures that each attempt to access an account requires the same effort. Each time an attacker tries to access another account, the cost of guessing and cracking passwords scales with the number of accounts they need access to, rather than yielding multiple accounts with one password.
A step beyond that is an application on a device or computer that, after a given period, requires the user to re-authenticate to access it. Better still, if their account is tied to their job role, or even, in that moment, to the patient they are interacting with, their permissions can be limited even more granularly. When these actions are required, JIT access control can enable the user's role to take an action, and, in the inverse, PIM can block an attacker using that same user from taking that action.
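As an added illustration (not code from the original post), here is a small Python policy check that combines the layers described above: role-based permissions, a patient-context attribute, a PIM-style just-in-time grant with an expiry, and an idle timer that forces re-authentication. The role table, action names, timeouts and sample session are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed role table (hypothetical): actions each job role may take without elevation.
ROLE_PERMISSIONS = {
    "nurse": {"Observation.read", "Observation.write"},
    "physician": {"Observation.read", "Observation.write", "MedicationRequest.write"},
    "billing": {"Claim.read"},
}

IDLE_TIMEOUT = 15 * 60   # seconds without interaction before the screen locks
REAUTH_AFTER = 8 * 3600  # seconds after which a fresh MFA login is required


@dataclass
class Session:
    user: str
    role: str
    authenticated_at: float          # time of the last full MFA login
    last_activity: float             # time of the last authorized action
    assigned_patients: frozenset     # ABAC attribute: patients on this user's care team
    jit_grants: dict = field(default_factory=dict)  # action -> expiry time


def grant_jit(session, action, now, ttl=600):
    """PIM-style just-in-time elevation: permit one action for a short window."""
    session.jit_grants[action] = now + ttl


def authorize(session, action, patient_id, now):
    """Return (allowed, reason). Every denial names the layer that blocked it."""
    if now - session.last_activity > IDLE_TIMEOUT:
        return False, "idle-timeout: screen locked, re-authenticate"
    if now - session.authenticated_at > REAUTH_AFTER:
        return False, "reauth-required: MFA login too old"
    if patient_id not in session.assigned_patients:
        return False, "patient-context: user not on this patient's care team"
    if action in ROLE_PERMISSIONS.get(session.role, set()):
        session.last_activity = now
        return True, "role"
    expiry = session.jit_grants.get(action)
    if expiry is not None and now < expiry:
        session.last_activity = now
        return True, "jit"
    session.jit_grants.pop(action, None)  # drop an expired grant so it cannot linger
    return False, "denied: no role permission or active JIT grant"
```

The denial reasons are deliberately distinct so that an audit log can show which layer (timer, context, role, or JIT) stopped a request.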
When it comes to a stable system, automated OS updates and active security give the system a kind of homeostasis, building its capability to deter threats and enacting it. These mechanisms can be difficult with distributed devices and varying machines, but a team tasked with remediating known exploited vulnerabilities can reshape the security posture with a marginal amount of effort.
When the system is in tip-top shape, it is beneficial to have monitoring to detect and mitigate an ongoing threat, even alerting the security team to an attacker's presence in the system. Web application firewalls and SQL injection mitigations keep user interfaces from becoming an indirect route into protected systems, creating an outer perimeter through the security of the technology that interacts with the user directly. This goes hand in hand with storing secrets securely and rotating them: interconnected systems often rely on TLS handshakes, and the keys on those systems must exist to provide that authority. When certificates, keys, and other environment secrets are stored securely and changed through rotation, these systems become increasingly encrypted, with the rotation running autonomously.
All of these standards are common, sometimes obvious, yet they are still exploited at an exponential rate across the globe, leading to attacks of every scale that could have been avoided through simple steps. These layers work as protections, each obscuring what lies beyond it, and in tandem they create a secure premises, at each step towards the data layer, that can effectively mitigate the most complex of attackers.
Standards and regulations like the Health Insurance Portability and Accountability Act (HIPAA) require organizations involved with HITS and PHI to achieve a gold standard in protecting information. These achievable security standards start with approachable day-to-day practices, taught to employees through contextual learning, and are then elevated by more complex security measures upstream, towards the data. Avoiding these financially costly, potentially harmful, and simple attacks can start at the first line: the employees. Focusing on and educating employees, through training individuals, and protecting the data from threat actors should be the goal of every healthcare institution.
Engineering resilience, security, and future-ready software architecture. Follow on X, GitHub, and LinkedIn, and visit https://joealongi.dev/.