Guest post by David Thompson, senior director, product management, LightCyber.
Healthcare organizations are stuck between being an ever increasing target of a data breach and generally having less security resources than a comparable enterprise. It’s a classic situation of needing more with less, with all of the urgency of a full-scale crisis.
Now it’s not uncommon to see the same organization suffer its second or third data breach, and patience (patients too) are wearing thin. At the same time, we know that many organizations have intruders that are lingering and have stayed hidden for a year or more. It’s possible the cybercriminals are using an undiscovered foothold in one organization to get to another within the same health or provider network.
Almost without exception, healthcare organizations of all sizes seem helpless to be able to stop a data breach. Stopping a breach means different things to different people, and that is part of the problem. A good portion of the industry is still focused on completely keeping an intruder from getting into their network. This is a fool’s errand and simply not achievable. Motivated attackers will find a way into any given network. Some professional vulnerability contractors will guarantee that they can break in to your network within two days. There are far too many ways for an attacker to get in, particularly through an employee account or computer.
So, you can’t keep a network intruder out, but you can try to detect their presence as quickly as possible. Almost all healthcare organizations currently lack this capability, but some newer solutions and procedures are showing great promise in making the speedy detection of a network attacker a reality. The good news is that these approaches might only require an hour or two of personnel time each day—and sometimes quite a bit less than that—so it is well within the means of a small healthcare IT group that wears multiple hats and is always pulled thin.
Guest post by Stephen Cobb, senior security researcher, ESET.
Whatever you thought of President Obama’s penultimate State of the Union address, you have to admit it set some sort of record for the most words devoted to issues of data privacy and security (198 by my count). Furthermore, those words alluded to a raft of statements and announcements on these topics that were published in the days leading up to the speech. In short, it is clear that this President wants to make some changes with respect to cybersecurity and data privacy. What is not yet clear is how those changes will affect healthcare IT and the management of electronic health records. Will breach notification requirements change? Will penalties for breaches be increased?
The answers are not entirely clear at the moment. For a start, the President is a Democrat, but Republicans control the House and Senate. In other words, it is hard to know which of his proposals will be enacted. That said, it is better to look at them now and ask questions, engaging in the debates they are bound to provoke rather than wait and see what new laws finally emerge. For example, the President proposes to erect a single national 30-day data breach notification law in place of the scores of different state data laws that companies currently have to comply with. How will that affect electronic health records?
The answer may be “very little” and that could be good news for electronic health records and health IT. In its current form, the proposed Personal Data Notification & Protection Act does not disrupt existing federal notification requirements related to health data breaches. The draft legislation does not apply to HIPAA covered entities and business associates, nor the FTC covered vendors of personal health records. Here is a boiled down version of the current language which I have put in quotes to show it comes from the bill: “Nothing in this Act shall apply to business entities to the extent that they act as covered entities and business associates subject to the HITECH act (section 17932 of title 42), including the data breach notification requirements and implementing regulations of that act. Nor will it apply to business entities to the extent that they act as vendors of personal health records and third party service providers subject to the HITECH act.”
If the law were to be passed with that language intact, it would leave in place what many of us still think of as the HIPAA 60-day notification deadline, as well as the FTC 30/60-day PHR regime. And when you’re trying to comply with a regulatory regime, a lack of change can be good. Another way of looking at the breach notification issue is that the healthcare sector, while often maligned for leaking data, is actually a pioneer in notification. The HIPAA privacy and security requirements were in play even before California passed the first of the state breach notification laws, which now exist in some form in more than 40 states (creating the patchwork regulatory nightmare that the President’s unified federal law seeks to dissolve).
Guest post by Daniel Piekarz, vice president of life sciences business development at DataArt.
The life sciences industry will be defined in 2014 by the growing market demand to apply newly developed technology, including big data analysis, to healthcare and medical device practices. While many of the amazing technological advances in the space are driven by a desire to aid humanity, the industry is also caught between increased economic and regulatory pressure that is forcing many to electronically collect heaps of data while looking for custom technology solutions that will allow them to leverage this valuable data and adhere to new industry standards.
Over the next year, trends that reflect newly available technology will start to develop. The adoption of healthcare big data technology will become a major theme in the sector this year, just as it has in several other industries. Many new technology offerings have been created to tie together data from multiple sources that can be accessed by researchers and physicians to allow them to easily exchange information. This also aids in research and development practices by offering another valuable tool to gather and analyze data.
Tied to the big data trend is the emergence of personal healthcare data aided by physicians’ adoption of EHR technology. By allowing patients to own and access their healthcare data on a healthcare information dashboard, patients can more easily understand risks and preventable care options. Pooling anonymized patient data together can also lead to better analysis, and physicians are already starting to work with vendors to develop big data diagnostic tools. These new technology advancements have started to create a generation of patients more committed to their own healthy future than ever before. Through an intelligent system database, patients and physicians can better understand patterns and symptoms that affect their healthy lifestyles. While this type of big data solution is gaining a foothold, there is still resistance from some doctors due to their concern over critical review of their procedures.
Guest post by: Jared Rhoads, Senior Research Specialist in CSC Healthcare.
There is no gentle way to put it—cyber criminals from around the world are out to steal your personal health and financial information. And, if recent studies are an accurate reflection of the state of security in the healthcare industry then criminals have ample opportunity to do harm.
The past five years has seen rapid growth in the digitization of healthcare records and the online sharing and transmission of personal and financial data. Healthcare organizations have taken many of their information capabilities online, and they have embraced new technologies like portable media and mobile computing. However, they have not always been able to keep up with leading edge security practices.
Experts warn that the healthcare industry lags in addressing known problems and implementing basic remedies. Many hospitals and practices, for example, have been slow to encrypt their data sources properly and to deploy basic network monitoring. An investigative report by The Washington Post found cases of medical staff at hospitals using unsecured computers to connect both to internal networks and the public Internet. A 2012 government review of industry security cautioned that the way in which some organizations offer remote connectivity to physicians could introduce additional security risks.
Inadequate security practices have enabled cyber crime activity to thrive. According to the federal government, an unprecedented 21 million Americans have had information from their medical records lost or stolen since 2009. Nearly three-quarters of healthcare organizations report having experienced some kind of data breach or security incident in the past 12 months, and 94 percent of report at least one data breach in the past two years.
While not every data breach is necessarily a case of cyber crime, the incentives attracting cyber criminals to the scene are high. According to the World Privacy Forum, a stolen medical record now has a street value of roughly $50, compared to $14-18 for a credit card number or $1 for a Social Security number. Thieves use the rich medical and financial information to commit various forms of identity theft, including receiving free care, filing false patient claims to payers, and forging prescriptions.
Fortunately, medical-related cyber crime is receiving increased attention and awareness is on the rise. Healthcare organizations are beginning to move beyond simple risk assessments and venture into implementing more sophisticated anti-cyber crime solutions.
To address vulnerabilities and combat cyber crime, organizations need to take aggressive action and augment their security strategy using a variety of new approaches and technologies. Here are six ideas that all healthcare organizations can consider in 2013:
Implement automated network monitoring tools. Use automated tools to assess network vulnerabilities and monitor for breaches and unauthorized activity. Monitor key egress points to see what is being sent outside the walls of the organization, where and when it is being sent, and to whom it is being sent.
Deploy adaptive multi-factor authentication. Biometric patient identification systems based on fingerprints, palm vein patterns and other physical attributes can help guard against certain types of medical identity theft and insurance card fraud. User authentication requirements should also change dynamically based on where users are logging in from and what they are trying to access.
Consider outsourcing some or part of your security needs. Researchers at the Ponemon Institute have found that roughly a third of health organizations admit that they do not have the technology, budget or trained personnel necessary to handle today’s security challenges. Managed security service providers (MSSPs) offer a cost-effective way to have 24-hour network monitoring, incident tracking and immediate incident response.
Offer training, guidance, and approved versions of mobile apps for employees. Role-based employee training on mobile device security and guidance is critical to maintaining good security practices. Additionally, hospitals can offer enterprise versions of mobile apps and provide safely partitioned areas of the network for the apps to run upon.
Patch, secure, and monitor medical devices. Medical devices such as IV pumps, pacemakers, and bedside equipment are a new target of choice for cybercriminals seeking to wreak non-financial havoc. To combat this threat, ensure that devices are virus-free prior to installation, and encourage biomedical engineering teams to communicate freely with IT support teams.
Consider cyber insurance. New insurance products are coming to market that are designed specifically with healthcare organizations and HIPAA-covered entities in mind. Policies can defray breach-related costs, such as legal defense, privacy notification and even federal fines and penalties.
Cyber crime is a serious threat to health IT security, and it is unfortunately not going away anytime soon. However, by moving beyond the simple risk assessment and adopting a multi-faceted security strategy, prudent healthcare organizations can take significant steps to protecting their patients’ information and mitigating risk.
Jared Rhoads is a Senior Research Specialist in CSC’s Healthcare group. He consults, researches, and writes on a broad array of topics relating to healthcare technology, trends, and legislation.