Protecting Electronic Health Records With Crypto-Agility

Without always thinking about it, patients willingly share Personally Identifiable Information (PII) destined to live in electronic health records (EHRs) with their trusted healthcare providers. Maintaining this data is an immense responsibility.  How reliable are the controls in place to ensure continual security and privacy? When data is physically and digitally shared across so many networks, any and all protection scenarios must be considered.

Let’s start with a definition. Simply put, a wildcard certificate is a public key certificate that can be used on multiple subdomains. For example, a wildcard certificate issued for https://*.examplecompany.com could be used to secure all subdomains, such as:

• blog.examplecompany.com
• mobile.examplecompany.com

Here comes the obvious benefit of using wildcard certificates: with a single digital certificate, I can secure and authenticate all my public facing subdomains, avoiding the hassle of managing multiple certificates. Instead of purchasing separate certificates for my subdomains, I can use a single wildcard cert for all domains and subdomains across multiple servers.

However, wildcard certificates cover only one level of subdomains since the asterisk does nοt match full stops. In this case, the domain resources.blog.keyfactor.com would not be valid for the certificate. Neither is the naked domain keyfactor.com covered, which will have to be included as a separate Subject Alternate Name.

Cyber criminals are becoming more inventive every day, demanding swift action from healthcare networks to move at pace with their adversaries. With increasing labor costs being a major concern across the industry, organizations must determine the most cost-effective and labor-efficient ways to build greater security and overall trust in care delivery.

Each time a patient is seen by a practitioner or medication is dispersed, a new entry is created in the EHR. When applied to the 953,000+ physicians serving the national population of 323 million people, the sheer volume of data being generated with each interaction is enormous. Without security in place, the opportunities for breaches, data theft, and privacy loss multiply exponentially. One compromised entry point can cause a rippling effect that impacts not only the consumer, but the business as well. Any business downtime equates to loss: productivity, revenue, and customer commitment.

The Breach Level Index estimates the healthcare industry lost 33.7 million files from breaches in 2017. And with so many of these files linking back to individual patients who have had their personal information, the stakes are high for IT and security teams to respond effectively.

So what are teams doing?  Increasing the number of security keys and certificates deployed across their organization. And with this increase comes the need for more robust public key infrastructure (PKI) management to ensure certificates remain current and effective.

In an ideal scenario, healthcare centers would have sizable IT departments monitoring and managing all devices and technology infrastructure 24/7. But tight budgets, finding the right talent and optimizing operations make it  hard to balance patient safety, privacy, and well-being with profitability.

Adopting automation is an ideal solution to address these issues head-on, allowing organizations to:

• Redeploy staff to other important initiatives
• Take control of complete lifecycle management of every certificate in your environment
• Re-use current certificates rather than investing in new ones
• Swap out PKI quickly and easily in IoT devices
• And perhaps most importantly, ensure encryption of data across every device so all personal information is kept safe from breach.

By making use of automated processes, administrators can complete PKI management tasks in less time with fewer resources, while still being available to quickly respond to threats. Automation changes the way PKI management has always been done and can meet the healthcare industry’s need for large-scale EHR protection.

• According to a recent report by McAfee (Navigating a Cloudy Sky Practical Guidance and the State of Cloud Security), organizations with a cloud-first strategy plan to migrate 80% of their IT budget to the cloud in 12 months. Additionally, the majority of organizations store some or all of their sensitive data in the public cloud with Healthcare leading the way at more than 90%.
• Leveraging the cloud when addressing the need for quick, collaborative data file management makes sense in the modern organization, but safety and security have to be primary components of cloud integration. Connected medical devices, the Internet of Things (IoT), and EHRs all contain PII, and they must have the right security measures in place to effectively protect the data, and be viable technologies in the future.

Not all PKI solutions are made equal. With the prevalence of cloud-based operations and PII data being generated and collaboratively managed, enterprises have to make use of scalable, agile, and cost-effective solutions. Be sure to find a technology partner that can support your specific needs to help you grow and operationalize digital security. By investing in the right technology today, you’ll be ready for the future of healthcare cybersecurity.

Watch Mark Thompson’s on-demand webinar the importance of securing EHRs with crypto-agility:

• The widening threat landscape for unmanaged medical devices and EHR breaches
• How to secure EHRs containing PHI at scale
• The benefits of investing in crypto-agile automation tools aimed at enhancing patient experience