Security continues to be a major problem in health IT. The coming year will only bring more breaches and problems that must be addressed by those leading their organizations. In 2013 alone, millions of people were affected by breaches.
Breaches can be attributed to something as simple as a stolen device (flash drives and laptops, for example) or to unauthorized access or disclosure of information by health system employees. For example, Healthcare IT News recently reported a four-year-long breach by a single employee at the five-hospital Riverside Health System in southeast Virginia.
Health IT security issues are only going to get more pervasive, aggressive and encompassing in the years ahead. So, what can we expect as we look ahead? Here are some predictions about health IT security from the industry’s leading minds:
Doug Mow, CMO, Courion
Remaining in compliance with these codes and regulations, like HIPAA, is key from a security point of view for healthcare organizations. Being compliant and ensuring that only the appropriate healthcare staff members and contract workers have access to the information they need to do their jobs ensures that the information remains secure and does not end up in the wrong hands.
Because of the sensitivity of the information accessed on a daily basis within healthcare organizations and the number of people accessing the information – doctors, nurses, clinical and admin personnel, and contractors – IT security concerns will be slightly different than the highly publicized breaches we read about, like the recent Target breach that originated outside the organization.
Healthcare organizations will have to focus on privacy issues and threats within the organization. These security concerns are similar to the NSA and Snowden attacks that came from inside the organization and were perpetrated by someone using legitimate, but stolen, credentials to leak sensitive information.
So, my prediction for the biggest health IT security issue of 2014 will be insider threats, and the improper access and use of private patient information. No matter the motive, healthcare organizations need to get a better understanding of how to manage access to this information. The first solution is maintaining compliance with codes and regulations; the second solution will be giving healthcare IT staff a real-time view into who is accessing what information, when and from where so they can better identify and remediate potentially damaging activity.
Sam Glines, CEO, Norse
The Internet of Things will continue to turn healthcare networks into attack platforms. With the Internet of Things taking off, more and more devices are now being delivered to end-user organizations with a built-in network stack and in many cases full-blown Web servers. While this may offer advantages, these same devices often come with inadequate security protections. In the rush to connect devices, software and applications to improve performance, management and care, healthcare organizations are going to leave themselves open to compromises and breaches, and become platforms for criminals to launch coordinated cyberattacks.
This isn’t just a prediction pulled from thin air. In a sample of Norse data from October 2013, 375 US-based healthcare-related organizations generated 49,917 attacks that were detected by the Norse global threat intelligence infrastructure. These were attacks that could be aimed at the compromised organization, part of global botnets, used to spread malware, or used to execute DDoS attacks against selected organizations.
Mike Tierney, COO, SpectorSoft
Prediction 1: New rules = new people: 2014 EHR expansion will increase access, security and compliance risks. The American Recovery and Reinvestment Act requires meaningful use of electronic health records by 2014. This means demand for health informatics skilled workers could increase by as much as 20 percent to meet the new requirements, according to the U.S. Bureau of Labor Statistics. Suddenly, many paper-based practices will find the need for EHR keepers, specialists in healthcare IT systems, or even informatics directors and consultants. Additional staff dedicated to EHR management means expanded access to some of the most sensitive and regulated information available, a situation that will increase data breach and compliance risks to the highest levels yet seen.
Prediction 2: More EHR = more defense-in-depth; 2014 EHR initiatives will require new technologies. As EHRs become more accessible in different medical practices to improve care coordination, organizations are going to become more aware of outsider and insider threats that lead to breaches and compliance violations. To secure records against outsider-driven breaches, organizations may generally rely on classic perimeter-based security measures. However, to ensure that trusted employees with authorized access to records only use them properly, healthcare providers will have to deploy a defense-in-depth approach to provide visibility into precisely how and why EHRs are being accessed and used. This will require a way to collect data to see the context around document, application and system access, usage and activity.
Prediction 3: Better proof = better compliance; HIPAA, HITECH will require greater details. Delivering better compliance with HIPAA, HITECH and the many other regulations used to govern EHR data will require not only early warning of insider threats but also better proof that security measures are in place, proof that can only be delivered via detailed visibility into precisely how information is being accessed and used. With detailed visibility, new-to-EHR organizations will be in a very advanced position and able to safeguard information as well as avoid costly fines and regulations.
Manmeet Singh, co-founder and CEO, Dataguise
Prediction 1: Health information sharing in the cloud will result in a significant breach. The emergence of cloud-based healthcare operations, such as healthcare.gov, has led millions of individuals and countless organizations — from insurance providers to federal agencies — to provide and share Personally Identifiable Information (PII) in the cloud. Cybercriminals recognize that Internet-connected health exchanges are ripe for the picking. It is only a matter of time before they take advantage of vulnerabilities in order to siphon information that can be sold on online black market exchanges for a profit.
Prediction 2: End-of-life support for Windows XP will lead to security issues. Countless healthcare organizations — from hospitals to private practice doctors’ offices to insurance carriers — have standardized on the Windows XP operating system. It is likely that a significant number of these will not have an opportunity to migrate to Windows 7 or Windows 8 by the end-of-life support deadline of April 8, when security patching is scheduled to also end. The absence of patching, the fact that the XP OS is already six times more likely to be successfully hacked than 7 or 8, and the inability to migrate in time will create security issues that could result in everything from breaches to compliance violations.
Prediction 3: Big data and the cloud will force healthcare organizations to move beyond regulatory compliance. The Target data breach is teaching everyone that regulatory compliance such as PCI DSS simply isn’t doing enough to protect data. Healthcare organizations recognize that this lesson applies to their industry, and that regulations such as HIPAA are also not sufficient. Increasing reliance on cloud-based systems and the emergence of big data is exacerbating an already serious security situation. In the face of massive change, in order to reduce the risk of data breaches that impact patient Personally Identifiable Information (PII), healthcare organizations are going to start implementing multi-layer data security strategies that include data masking, encryption and tokenization.
Stephen Cobb, CISSP, senior security researcher, ESET
Serious insecurity consequences: What sort of penalties are we talking about when HIPAA violations come to light? Consider this table of amounts levied in 2012, totaling almost $10 million:
Clearly, HHS does not like people storing unencrypted PHI on mobile devices. And when OCR comes to investigate, you will be in trouble if you don’t have well-documented risk analyses, policy and controls. You can find more HIPAA enforcement cases online. What you won’t see yet are fines levied against business associates.
I predict we will see the first of these towards the end of next year, with possible headlines like this:
- Cloudy with a chance of lawsuits: Data center dinged over medical record handling
- Tip trip trashes clinic reputation: Record management firm faces five figure fine over health data flub!
Apart from the excessive alliteration, such stories are entirely feasible. Now is the time to ask if your organization needs to revisit HIPAA compliance. Remember, not every PHI breach ends in a fine. If you can show your organization has made a reasonable effort to comply with HIPAA 2.0 you may not be dinged (as in subject to a fine and subject of a national press release).