Data breaches and HIPAA violations became common, almost daily, news in 2015, exposing sensitive client information with devastating results. Understanding HIPAA compliance will be critical in 2016, especially since the Office for Civil Rights (OCR) will begin a new round of HIPAA audits.
In spite of record spending on firewalls, anti-virus software, malware detectors and the widget of the day, healthcare organizations keep getting hacked because the focus is in the wrong place. Here are three trends taking presence in 2016 that can help any organization fight the good fight against cyberattacks.
Buying Technology Alone is a Security Strategy That Does Not Work
Healthcare is under constant pressure to safeguard assets, however too many firms focus on security for HIPAA compliancy and then call it a day. Compliance is a legal necessity, but organizations expose themselves to cyberattack when use technology as a crutch. Many organizations will need to look at their operations as a critical network and seek ways to defend it.
A majority of breaches are from data that has been stolen, via record removal, virtually and physically. We see the trend in 2016 shifting from technology to people if healthcare organizations are going to defeat hackers.
Focus on the Human Element
Examine the largest data breaches of 2015. Technology did not protect the vast majority of these companies. In each case, data was breached due to hackers successfully exploiting humans.
The proliferation of mobile devices in healthcare like smartphones and tablets have also made the human element even more vulnerable because this area of security is often overlooked and is, in fact, the weakest link.
Technology is only as good as the people who use it and is merely a tool in the fight against cybercrime. Technology alone cannot fully protect an organization’s data, networks, or interests. This is a trend in 2016 and beyond that must be recognized if organization hope to safeguard patient records.
Health IT’s most pressing issues may be so prevalent that they can’t be contained to a single post, as is obvious here, the third installment in the series detailing some of the biggest IT issues. There are differing opinions as to what the most important issues are, but there are many clear and overwhelming problems for the sector. Data, security, interoperability and compliance are some of the more obvious, according to the following experts, but those are not all, as you likely know and we’ll continue to see.
Here, we continue to offer the perspective of some of healthcare’s insiders who offer their opinions on health IT’s greatest problems and where we should be spending a good deal, if not most, of our focus. If you’d like to read the first installment in the series, go here: Health IT’s Most Pressing Issues and Health IT’s Most Pressing Issues (Part 2). Also, feel free to let us know if you agree with the following, or add what you think are some of the sector’s biggest boondoggles.
The healthcare industry has undoubtedly become a bigger target for security threats and data breaches in recent years and in my opinion that can be attributed in large part to the industry’s movement to virtualization and the cloud. By adopting these agile, effective and cost-effective modern technological trends, it also widens the network’s attack surface area, and in turn, raises the potential risk for security threats.
We actually conducted some research recently that addresses evolving security challenges, including those impacting the healthcare industry, with the introduction of cloud infrastructures. The issue is highlighted by the fact that the growing popularity of cloud adoption has been identified as one of the key reasons IT and security professionals (57 percent) find securing their networks more difficult today than two years ago.
Paul Brient, CEO, PatientKeeper, Inc. No industry on Earth has computerized its operations with a goal to reduce productivity and efficiency. That would be absurd. Yet we see countless articles and complaints by physicians about the fact that computerization of their workflows has made them less productive, less efficient and potentially less effective. An EHR is supposed to “automate and streamline the clinician’s workflow.” But does it really? Unfortunately, no. At least not yet. Impediments to using hospital EHRs demand attention because physicians are by far the most expensive and limited resource in the healthcare system. Hopefully, the next few years will bring about the innovation and new approaches necessary to make EHRs truly work for physicians. Otherwise, the $36 billion and the countless hours hospitals across the country have spent implementing electronic systems will have been squandered.
Email security is one of healthcare’s top IT issues, thanks, in part, to budget constraints. Many healthcare organizations have already allocated the majority of IT dollars to improving systems that manage electronic patient records in order to meet HIPAA compliance. As such, data security may fall to the wayside, leaving sensitive customer information vulnerable to sophisticated cyber-attacks that combine social engineering and spear-phishing to penetrate organizations’ networks and steal critical data. Most of the major data breaches that have occurred over the past year have been initiated by this type of email-based threat. The only defense against this level of attack is a layered approach to security, which has evolved beyond traditional email security solutions that may have been adequate a few years ago, but are no longer a match for highly-targeted spear-phishing attacks.
Dr. Rae Hayward, HCISPP, director of education and training at (ISC)²
Dr. Rae Hayward
According to the 2015 (ISC)² Global Information Security Workforce Study, global healthcare industry professionals identified the following top security threats as the most concerning: malware (77 percent), application vulnerabilities (74 percent), configuration mistakes/oversights (70 percent), mobile devices (69 percent) and faulty network/system configuration (65 percent). Also, customer privacy violations, damage to the organization’s reputation and breach of laws and regulations were ranked equally as top priorities for healthcare IT security professionals.
So what do these professionals believe will help to resolve these issues? Healthcare respondents believe that network monitoring and intelligence (76 percent), along with improved intrusion detection and prevention technologies (73 percent) are security technologies that will provide significant improvements to the security posture of their organizations. Other research shows that having a business continuity management plan involved in remediation efforts will help to reduce the costs associated with a breach. Having a formal incident response plan in place prior to any incident decreases the average cost of the data breach. A strong security posture decreases not only incidents, but also the loss of data when a breach occurs.
Guest post by Amit Cohen, co-founder and CEO, FortyCloud.
Remote access is changing the practice of medicine – from data collected remotely from newly developed telemedicine devices, to surgery conducted by a surgeon in an offsite location. A smartphone application, currently in development, is set to monitor a user’s voice to detect mood changes for individuals with bipolar disorder. Devices and applications such as these not only improve the quality of care available to patients across the globe, their use also results in exponential growth in the sources and volumes of data. These cutting-edge technologies present new challenges for IT professionals who are responsible for ensuring high availability (always-accessible data), scalability and flexibility for their healthcare organizations.
To enable scalable, high performance from at lower costs, even from remote locations, healthcare and pharmaceutical IT have adopted the cloud. Since cloud data centers can be diversified across the globe, cloud computing provides quick access to globally diverse users.
The cloud also offers the scalability to handle the massive influx of new data generated by new health care applications expected from the implementation of the U.S. Patient Protection and Affordable Care Act (PPACA). The U.S. Department of Health and Human Services (HHS) Stage 3 Proposed Rule, is also likely to result in additional volumes of digital data. This Rule seeks to align the EHR Incentive Programs with other CMS quality reporting programs that use certified EHR technology to promote improved patient outcomes and health.
Therefore, it is not surprising that healthcare cloud computing is forecasted to grow to $9.48 billion by 2020, according a recent study; an impressive increase from the current, 2015 market value of $3.73 billion.
Guest post by Jay Schulman, managing principal, Cigital.
Throughout the past two years, if you’re like me, you’ve had your credit card number stolen a number of times. I’m up to six. In one case, someone purchased a $500 TV with my stolen card information. Yet, I sit here today having lost nothing. Every bank and institution has made me whole. The money that was taken was quickly replaced. While I can complain about the inconvenience, I haven’t lost anything.
The financial industry has the luxury of replacing what was taken. The healthcare industry does not.
Once your medical record is stolen, there is no way for the institution to take that information back. If an electronic medical record (EMR) or MRI system is breached, the information and images are out in the open. While the credit card companies can trace fraud back to a common source, it’s very hard for healthcare companies to figure out who has been breached. That’s why the security of healthcare information is so important.
While many healthcare organizations are HIPAA compliant, that only reflects on their ability to properly control personal health information. It doesn’t necessarily assert that you are secure.
As a healthcare organization, you need to take a holistic approach to secure your environment. This includes:
Understanding your portfolio – what applications and systems are in your environment? Understanding the applications, their development languages, what data they store and access, and other pertinent data points are key to understanding your portfolio. Understanding what needs to be secured is a critical and often missed first step.
Assessing the risk of the portfolio and making priorities. It’s easy to say “anything with personal health information (PHI) needs to be secured.” But, do you understand where PHI is stored or what areas of the network or systems can access systems with PHI? The retail breaches of the past two years have taught us that attackers aren’t always going directly to the critical systems but instead to weak links in the environment. Those weak links can give an attacker access to your data.
Performing a threat model to properly understand those weaknesses. A threat model looks at an environment, who the actors are that can breach your system, and what actions they could perform (steal data or cause a denial of service for example). Given the results of the threat model, you can develop a new ranking of the portfolio.
Determining the best ways to improve the security of the environment. If the organization writing the software is highly outsourced or primarily buys commercial software, assessing their risk is important. Otherwise, how can you be sure that they know how to write secure software? With medical devices, being able to assess the risk and impact of the device to your environment before you put it on your network is essential. Two years ago, many hospitals would assume the device was secure. Today many are starting assume they are not.
HIMSS organizers, in preparation of its annual conference and trade show and as a way to rally attendees around several trending topics for the coming show, asked the healthcare community how it feels about several key issues. I’ve reached out to readers of this site so they can respond to what they see as the future of healthcare innovation, data security, patient engagement and big data.
Their responses follow.
Do you agree with the following thoughts? If not, why; what’s missing?
Sean Benson, vice president of innovation, clinical solutions, Wolters Kluwer Health Future innovations in health IT, big data in particular, will focus on the aggregation and transformation of patient data into actionable knowledge that can improve patient and financial outcomes. The ever-growing volume of patient data contained within disparate clinical systems continues to expand. This siloed data often forces physicians to act on fragmented and incomplete information, making it difficult to apply the latest evidence. Comprehensive solutions will normalize, codify and aggregate patient data in a cloud system and run it against clinical scenarios to create evidence-based advice that is then delivered directly to the point of care via a variety of mobile devices. This will empower physicians with patient-specific knowledge based on the latest medical evidence delivered to the point of care in a timely, appropriate manner, ultimately resulting in higher quality treatment and more complete care.
Susan Reese, MBA, RN, CPHIMS, chief nurse executive, Kronos Incorporated
Gamification — the trend of creating computer-based employee games and contests for the purpose of aligning employee productivity with the organization’s goals — is currently a popular topic with business leaders and IT. For proof, consider that Gartner recently projected that by 2015, 50 percent of all organizations will be using gamification of some kind, and that by 2016, businesses will spend a total of $2.6 billion on this technology.
With numbers like these, it is clear that that gaming is serious business and that it is here to stay. But at this point, you may be asking yourself, “Could gamification work in my healthcare environment? What potential benefits could it have?””
Today, many healthcare organizations are looking to the future and considering gamification as a way to increase employee engagement, collaboration, and productivity as well as to align their behavior with larger business goals – but they don’t know how to do it quite yet. Also, gamification can be a delicate decision, complete with advantages and risks. After all, employees’ day-to-day work responsibilities and careers are not games and can’t be trivialized. Healthcare organizations must be careful to avoid sending the wrong message to their workforce, or the whole program could backfire, or even lead to more negative consequences.
Mike Lanciloti, vice president of product management and marketing, Spectralink
In today’s digital age, healthcare IT needs to come a long way to get up to speed in innovation and connectivity. However, as we begin to see mobile play a larger role in the industry, healthcare is moving the needle on innovation as well.
The mobile revolution has picked up in healthcare for both health IT professionals and in patient care. Primary as healthcare providers find ways to utilize smartphones, mobile devices and Wi-Fi networks to improve the communication and efficiency of their workforce.
Through mobile devices, clinicians have the ability to access what they need, when they need it. Mobile devices ensure nurses and mobile staff are equipped with the right technology to promote timely, efficient and reliable communication. This not only allows healthcare professionals to perform their jobs more effectively but also helps deliver a higher quality of patient care.
The growing mobile trend does present several questions for the industry. Hospital managers are quickly learning that an influx of smartphones into the hospital setting can become a larger problem than anticipated. Not only do personal devices lack the security required for enterprise-owned devices, they pose other risks, calling into question issues surrounding encryption, authorized access and mobile security. Personal phones aren’t designed to be equipped with the same encryption capabilities as enterprise-owned mobile devices.
Virtru allows user to choose when to keep their digital content private and secure even after it’s shared online. Manage and revoke access to emails, photos, files and other content at any time, right from within your favorite programs like Gmail, Outlook, and Mac Mail on your desktop or smartphone. The TDF is an open standard for securing content of all kinds. Virtru gives everyone the power of the TDF by integrating it with the tools you use every day, like Gmail and Outlook.
Virtru Pro makes it dead simple for physician practices and other organizations to easily, conveniently, and cost-effectively send PHI messages and files over email while complying with HIPAA. While hospital medical record systems often include a secure messaging component that supports safe communications, many organizations prefer to use regular email or do not want to incur the cost and complexity of heavyweight systems. This is especially true for small to mid-sized practices that have fewer financial or IT resources available to them. Virtru Pro is easy to set up and easy to use for doctors, administrative staff, and patients.
Virtru Pro is a cost-effective, easy-to-use, HIPAA-compliant email service for the healthcare industry. Offering the easiest, most secure way for healthcare organizations to comply with the Protected Health Information (PHI) requirements of HIPAA, Virtru Pro ensures these communications are secure, protected and integrated into the tools and processes used daily by physicians, administrators and patients:
Provider-to-provider communications including consult results, CT scans, diagnostic images, prescriptions and scheduling information;
Provider-to-patient communications including test results, prescription information, procedure preparation, and scheduling information; and
Patient-to-patient communications, such as the connection of patients who share a condition and can support each other as physicians offer group care.
With Virtru Pro, an entire organization can now easily send and receive secure, PHI-compliant encrypted emails, revoke sent messages, restrict forwarding and set expiry for emails and files to auto delete. Confidential information sent to colleagues and patients remains private, audit ready, and protected. Virtru Pro eliminates the risk of patient data being inadvertently forwarded to an unintended party and provides added controls so that physicians can determine how their patients’ health information is viewed and shared.
Virtru Pro works with all major email systems and is especially well suited to organizations using cloud-based email providers such as Google Apps for Work, Gmail and Microsoft Office 365.
Virtru was founded to bring true digital privacy to everyone – making end-to-end email encryption dead simple to use and integrated into the products people use every day.
CTO and co-founder, Will Ackerly, spent eight years at the NSA in various positions of senior management where as a cloud security architect he developed the standard for secure data transfer used today by various government agencies – The Trusted Data Format (TDF). He left the NSA to bring this technology to the consumer market, where he saw a real need for people to have control over the privacy and protection of their personal information online. As a senior technology adviser for the Bush White House, before and after the events of 911 followed by six years in the private equity business, co-founder and CEO John Ackerly also saw a real need to provide individuals with the power to protect their digital communications. Combining the technical knowledge and know-how brought by Will with the-on-the-ground experience of John has resulted in a perfect storm that is Virtru.
By Stephen Cobb, senior researcher, ESET North America.
The benefits of making health records available electronically would seem to be obvious. For a start, faster access to more accurate patient information – which is one of the promises of EHRs (electronic health records) and HIEs (health information exchanges) – could save lives. The author of a recent report on the many thousands of lethal “patient adverse events” that occur in America every year, Dr. John T. James, pointed to “more accurate and streamlined medical recordkeeping” as a top priority in the effort to reduce these deadly medical errors. Yet headlines about healthcare facilities exposing confidential patient data to potential abuse have been all over the media this year. So, will security issues and privacy concerns stymie EHR adoption or slow down HIE rollouts?
Today, more than half of all Americans probably have at least some part of their medical record stored on computer. In January, the CDC reported that roughly four out of five office-based physicians are now using some type of EHR system, up from one in five in 2001. A few months later, in a Harris poll sponsored by ESET, only 17 percent of adult Americans said that, to their knowledge, their health records were not in electronic format.
During that same survey of 1,734 American adults, we asked “are you concerned about the security and privacy of your electronic patient health records” and 40 percent said they were. Slightly more of them, 43 percent said they were not. However, if we take out the 17 percent whose records were not in electronic format, the “concerned or not?” question breaks down as 48 percent Yes, versus 50 percent No, a statistical tie.
Add to the list of known certainties: death, taxes, and the need to lower the cost of healthcare.
Neither HIPAA standards nor encryption were created with the purpose of lowering the cost of healthcare, but neither was penicillin originally purposed as an antibiotic. Both welcome side effects in the world of medicine.
Cloud Computing and Healthcare
Healthcare and medical companies are migrating to cloud computing in record numbers. The cloud offers flexibility and scalability to manage ever-growing databases of patient records. At the same time, it offers mobility to enable care providers to access patient information remotely and shareability to share data with colleagues, specialists, and labs. The cloud, perhaps most importantly, enables cost reduction on several levels.
It eliminates the need healthcare organization have to purchase, maintain, upgrade, and replace costly computing equipment and staff.
It saves costs of multiple providers running multiple tests by enabling them to share and track the results.
It saves time and money by enabling paperless transmission of prescriptions and insurance claims. It also increases the accuracy of reimbursement coding.
Now, HIPAA omnibus and the American Recovery and Reinvestment Act (ARRA) requirements stipulate everyone in the healthcare industry begin migrating patient records and other data to cloud computing. Essentially, by 2015, all medical professionals with access to patient records must utilize electronic medical and health records (EMR and EHR), or face penalties.
David Finn, health information technology officer for Symantec, discusses healthcare technology security, HIPAA and meaningful use and the most pervasive security issues health IT faces in the months and years ahead.
What issues do healthcare leaders face from a security perspective?
Well, that is part of the problem right there. Healthcare leaders are inundated with new requirements and market changes. So, there is Meaningful Use, ICD-10, ACO, HIE, new privacy and security requirements – – all in a relatively short time frame – – to name a few. On top of that, you are likely doing that with decreasing reimbursement, a difficult labor market and limited capital budgets. Security, while mandated, frequently falls to the bottom of the list because it doesn’t directly impact care or add to the bottom line. That is a short-sighted view of security. Security needs to be strategic to the business of healthcare, not just IT.
Why? What can they do about this?
Much of this has been driven by HITECH and the Affordable Care Act. So, there are regulatory components and that, in turn, has driven many changes in the healthcare market. Providers now have to do a lot of these things just to keep their heads above water – – not to mention the statutory requirements. The most important thing is to get started … you may not be able to do everything all at once. You do have to understand what needs to get done and then prioritize those things for your organization and get started.
How are HIPAA changes affecting care, coordination, tech implementation and the ability of physicians to do their jobs?
HIPAA has been around a long time and, frankly, if the industry had dealt with these things effectively starting back in 2003, which was the compliance date for the Privacy Rule and then 2005 when the Security Rule became the law, we’d be in much better shape today. Unfortunately, the incentives and drivers were not aligned to make that happen. Don’t get me wrong, a lot of things got started and don’t forget technology is very different than it was 10 years ago – – mobility, virtualization, cloud. We also have a much larger installed-base of EHRs across the entire continuum of care. So, now we have tools that really can aid the physicians and other clinicians in getting things done faster, wherever they are, at their convenience, but we’ve lagged in a lot of the security issues around those new technology tools. And, unfortunately, often systems are put in without proper attention to workflow or process improvement. Organizations that hurried to get some of these things in are now going back to “fix” them.
How is/will meaningful use impact healthcare? Are there security issues?
While the debate is still raging, few would argue that better access to information for providers and patients is a good thing. Meaningful use – capturing and using the right clinical data – over time, will improve the quality of care and outcomes and should reduce costs. It will not happen overnight. Yes, when you have confidential, legally protected information, you have security issues.
How has the push toward EHRs changed the security of healthcare? In what ways?
As healthcare has digitized, it has increasingly become a target for the “bad guys.” We not only keep names, addresses and dates of birth all together to make it easier to care for and bill patients, we also include social security numbers, credit cards and insurance accounts. And every time you share that information (between providers, with an HIE, a drugstore, registries, schools and more) you create another potential point for that data to go astray or someone to maliciously take the information. In the “paper days” a doctor might take home a dozen charts to review; today a jump drive can contain hundreds of thousands of patient records. When all the charts could be locked in a room at night at least you knew where most of them were and they were safe. Information now lives on networks – – in databases, in Word documents, spreadsheets. It can get cut and pasted from an EHR screen into an email and sent anywhere. While many of the issues are the same, the scope and scale of the problem is sometimes hard to imagine. It was horrible for those dozen patients if the doctor’s car was broken into and charts taken, but when you have breaches of hundreds of thousands or even millions of patient records, it can be very difficult to manage and address. And this doesn’t even begin to address the cost issue around a data breach.
In relation to security, what are some of the most pervasive issues physicians face? What are they more surprised by?
Well, mobility is here to stay and yet most organizations don’t even have policies around mobile devices. Social media is a growing concern, whether you are a large healthcare system or a single-physician practice. The underlying problem is not knowing where that patient data is. Nearly everyone is surprised when you start to show them how that information comes into your organization or practice, where it goes and who uses it and how it may leave the organization. There are tools to help you find, manage and track the data, but most people are still focused on the EMR, the PCs that clinicians use. The issue is the data and the problem is the data is everywhere.
What are some of the most overlooked security protocols?
First, is encryption. If you are focused on the data, the best thing to do is encrypt it. That said, encryption is not a panacea and just encrypting everything is not a good answer. Things like laptops, tablets, smart phones, backup tapes, jump drives – – those really need to be encrypted. The other thing is understanding your data and there are tools, like Data Loss Prevention tools, that help you find the data;who created it, how it is being used and so on. If you don’t understand the data, you can’t really protect it appropriately.
Is the health IT market overly paranoid when it comes to security and breeches?
Based on the number of records breached since 2009 — 20+ million — I’d say the IT market needs to do something. Being paranoid about breaches is one thing, actually managing your data and mitigating potential breaches is another. It is time for the industry to take the issues of privacy and security seriously, assess the problem, develop a plan, get the money and start fixing it. Healthcare has to realize this isn’t a technology issue – – this is an enterprise issue and it starts with your people.
How will health IT security change in the months or year ahead? What trends can we expect? What’s irrelevant? What’s not?
I think you will see privacy and security being addressed as part of a system implementation or a process improvement initiative instead of something you try to do after the fact. If you do it afterwards, the security is never is good and always costs more. You’ll see more training and policies that address mobility, social media. I think as enforcement picks up and fines increase, healthcare will recognize that this not just a technology problem. I think you’ll see a lot more training and awareness around privacy and security. More investment in tools that monitor data and in that sense are monitoring workforce behavior around patient data – – regardless if it is on email, the EHR, web sites – – it is still the patient’s data. You’ll also see more focus on identities and authentication, it is likely coming in future regulations, but the other part of protecting the data is making sure only the right people get it.
Here is what is irrelevant: 1) Policies that are not enforced or cannot be enforced; 2) Enforcing policy and procedure inconsistently; 3) Thinking this is an IT or security problem when it is an enterprise wide, cultural issue.
Anything else you’d like to mention that I haven’t asked?
First, I think now that we have all these EHRs up and running and are collecting all this data digitally, the industry is just figuring out how to use it to drive improvement. So, big data, analytics, informatics – whatever you want to call it – will be a huge driver. Big data comes with some unique security and data management issues.
The next tidal wave in health information technology that we are not doing a good job addressing, yet, is the medical devices. These are often patient-touching devices ranging from anesthesia machines to smart-pumps, which may deliver controlled substances or chemotherapy to pacemakers. More care is being driven to the home and remote home-care is a growing area. Yet, these devices tend to run old operating systems, can’t take the newer protective software, yet they are on hospital networks, connect to the Internet and are unmanaged in terms of information technology. Many of them store and transmit patient data and the issue just isn’t getting the focus it needs.
David Finn, CISA, CISM, CRISC is the Health Information Technology Officer for Symantec. Prior to that role he was the Chief Information Officer and Vice President of Information Services for Texas Children’s Hospital, one of the largest pediatric integrated delivery systems in the United States. He also served as the Privacy and Security Officer for Texas Children’s. Prior to that Finn spent seven years as a healthcare consultant with IMG/Healthlink and PwC. Serving last as the EVP of Operations for Healthlink.
Texas Children’s Hospital won the ECRI Institute 2007 Health Devices Achievement Award, and because of Finn’s departmental support, TCH also was awarded recognition for Employee Support of the Guard and Reserve. Finn also received the Symantec Visionary Award in 2008 for Security. He has presented nationally and internationally on such topics as project management, professional leadership and staff development, and privacy and security. He has contributed to or written articles on IT Management, Disaster Recovery and Security for such as journals as CIO Digest and Baseline.