Guest post by Sean Hughes, EVP managed document services, CynergisTek.
Healthcare has spent a significant amount of both human and financial capital addressing the security of their environments over the last several years – but have we forgotten a major vulnerability?
Printers and print-related devices (e.g. copiers, fax machines, scanners, etc.) continue to be a major component of our infrastructure and a big part of our clinical and business workflows, yet in most organizations, they continue to represent a gaping hole in our defenses. The advent of the EHR has not equated to the perceived reduction in print, but rather some research shows it’s responsible for an 11 percent increase in print in healthcare over the same time as the implementation of this technology. This increase in print volume brings with it an increase in the number of devices required to process the paper.
The approach most organizations have taken related to the security of these devices falls into one of two categories: segmentation of the network or reliance on manufacturers for “secure” devices. These approaches vary significantly from the approach most organizations have taken for other endpoint computing devices and leaves an organization open to the possibility of negative outcomes.
The industry has seen an increase in the computing power of these devices (e.g. internal hard drives, scan to file or application, residual data on devices, mobile printing, USB-enabled device access, etc.) and the bad guys are aware of this. More and more we see stories in the news of print devices being used as entryways for bad guys to circumvent our protections and put our data and our organizations at risk. According to an article published by BBC News in February 2017, “Hacker Briefly Hijacks Insecure Printers,” a hacker was able to access more than 150,000 printers that were briefly left accessible via the web.
The most effective way to address this threat is to treat these devices no differently than all our other data endpoints, be it a desktop, server, or any other piece of infrastructure. We need to look at these devices and ensure they meet the same security standards.
The most effective way to mitigate risks starts with knowing what the risks are. The first step should be a comprehensive printer fleet security assessment that is part of your overall security program. This can be accomplished either through your internal processes or by engaging a competent third party. Either way, you need to know what you don’t know, and you need to know it now.
The results of that assessment will drive the remediation efforts as well as define the ongoing measures our organizations should take. These steps will be directly related to the vulnerabilities identified but will most likely fall into the following categories:
Digital technology is arguably one of the best gifts of the 20th century, as it has largely influenced the way the world works. From business to education and health, there is no sector that has been left untouched or uninfluenced by the digital revolution. Especially when we speak of the healthcare industry, we can see the huge impact the digital revolution has had on it and how it has taken it to the next stage of evolution. There are a number of benefits offered by the digital revolution to the healthcare industry that have helped both patients and healthcare professionals. Let us look at some of the best benefits offered by the digital revolution:
Easy communication between doctor and patient
Communication plays a vital role in a doctor-patient relationship. However, there are various factors that affect free communication, including long waiting hours, concerns about disclosing personal details in front of other patients and language proficiency/expression disorders. Most importantly, the present state of mind of patients or doctors (agitated, confused, angry, annoyed or absent) can ruin the entire communication. Patient portals offer an excellent environment for hassle-free and instant communication between doctor and patient. The patient does not have to physically visit the doctor and wait for his turn. He can message him from the comfort of his home. Besides, he does not hesitate to reveal personal details of any nature, as he is not in a public place. He does not have to go through the hierarchy (receptionist, attendant, assistants, etc.) and can directly communicate with the doctor one-on-one.
Relation between multiple healthcare specialists
Many patients suffer from multiple diseases or disorders that need the services of different specialists. Needless to say, it is very important for all the specialists involved to maintain constant communication and share details with one another to offer the best support. Besides, some medications don’t go along well with one another. With the help of constant information sharing, the specialists can identify the other medications the patients are taking and design their medication schedule accordingly. It can also speed up the treatment, eliminate unnecessary administrative jobs like attending phone calls and also allow the specialists to create, monitor, manage and modify the referral flow.
Security of data even in most unfavorable conditions
No matter how secure the physical records of a hospital may be, there is always the possibility of losing them under unexpected conditions like staff negligence or disaster. However, that’s not the case with digital records. They can be saved online and accessed from anywhere. Besides, it also saves time, as the digital records can be accessed by multiple health professionals at the same time. It is especially helpful for patients who are being treated for multiple health disorders by different professionals located in different areas. The shareable information is secured using the best and most foolproof technology.
Mobile technology is impacting every element of American healthcare–from insurance and billing to documentation and caregiving, the impacts are being felt. The truly transformative element of the mobile revolution is not the technology itself, or the way it changes the look and feel of the tasks it affects. Despite complaints of the depersonalizing effect of technology, the ultimate value of mobile in the sector will be how it enhances and encourages communication.
Providers are Going Mobile
Already, flexibility and functionality have drawn providers to mobile devices and solutions. Voice-to-text technology and similar automated solutions are in the offing to relieve the documentation burden that has dampened some amount of enthusiasm toward digitization. Bolstered by these advancements, caregivers will go from subjects of their EHRs to masters of patient encounters.
One of the huge benefits of mobility–as opposed to simply being networked on desktop computers or having a digital health records solution–is the capacity for greater native customization and app development. Native apps are like the currency of the mobile, smart device world providers are entering. Developers can deliver personal, branded interfaces that allow doctors to choose precisely how they want their dashboards to look, giving their EHRs a custom touch that has been sorely lacking throughout their implementation.
App-centric development will further reduce the friction of adoption and utilization, giving doctors a sense of empowerment and investment, rather than the bland inertia that has carried digitization thus far.
The personalization of the technology through app development will help boost adoption, and return the focus to what the technology enables, rather than how it looks or what it has replaced. Mobile technology’s strength will be in reconnecting doctors and patients, and creating bridges of data and communication across the continuum of care.
Data breaches and HIPAA violations became common, almost daily, news in 2015, exposing sensitive client information with devastating results. Understanding HIPAA compliance will be critical in 2016, especially since the Office for Civil Rights (OCR) will begin a new round of HIPAA audits.
In spite of record spending on firewalls, anti-virus software, malware detectors and the widget of the day, healthcare organizations keep getting hacked because the focus is in the wrong place. Here are three trends taking presence in 2016 that can help any organization fight the good fight against cyberattacks.
Buying Technology Alone is a Security Strategy That Does Not Work
Healthcare is under constant pressure to safeguard assets; however, too many firms focus on security for HIPAA compliance and then call it a day. Compliance is a legal necessity, but organizations expose themselves to cyberattack when they use technology as a crutch. Many organizations will need to look at their operations as a critical network and seek ways to defend it.
A majority of breaches are from data that has been stolen, via record removal, virtually and physically. We see the trend in 2016 shifting from technology to people if healthcare organizations are going to defeat hackers.
Focus on the Human Element
Examine the largest data breaches of 2015. Technology did not protect the vast majority of these companies. In each case, data was breached due to hackers successfully exploiting humans.
The proliferation of mobile devices in healthcare, like smartphones and tablets, has also made the human element even more vulnerable, because this area of security is often overlooked and is, in fact, the weakest link.
Technology is only as good as the people who use it and is merely a tool in the fight against cybercrime. Technology alone cannot fully protect an organization’s data, networks, or interests. This is a trend in 2016 and beyond that must be recognized if organizations hope to safeguard patient records.
Health IT’s most pressing issues may be so prevalent that they can’t be contained to a single post, as is obvious here, the third installment in the series detailing some of the biggest IT issues. There are differing opinions as to what the most important issues are, but there are many clear and overwhelming problems for the sector. Data, security, interoperability and compliance are some of the more obvious, according to the following experts, but those are not all, as you likely know and we’ll continue to see.
Here, we continue to offer the perspective of some of healthcare’s insiders who offer their opinions on health IT’s greatest problems and where we should be spending a good deal, if not most, of our focus. If you’d like to read the first installment in the series, go here: Health IT’s Most Pressing Issues and Health IT’s Most Pressing Issues (Part 2). Also, feel free to let us know if you agree with the following, or add what you think are some of the sector’s biggest boondoggles.
The healthcare industry has undoubtedly become a bigger target for security threats and data breaches in recent years and in my opinion that can be attributed in large part to the industry’s movement to virtualization and the cloud. By adopting these agile, effective and cost-effective modern technological trends, it also widens the network’s attack surface area, and in turn, raises the potential risk for security threats.
We actually conducted some research recently that addresses evolving security challenges, including those impacting the healthcare industry, with the introduction of cloud infrastructures. The issue is highlighted by the fact that the growing popularity of cloud adoption has been identified as one of the key reasons IT and security professionals (57 percent) find securing their networks more difficult today than two years ago.
Paul Brient, CEO, PatientKeeper, Inc.
No industry on Earth has computerized its operations with a goal to reduce productivity and efficiency. That would be absurd. Yet we see countless articles and complaints by physicians about the fact that computerization of their workflows has made them less productive, less efficient and potentially less effective. An EHR is supposed to “automate and streamline the clinician’s workflow.” But does it really? Unfortunately, no. At least not yet. Impediments to using hospital EHRs demand attention because physicians are by far the most expensive and limited resource in the healthcare system. Hopefully, the next few years will bring about the innovation and new approaches necessary to make EHRs truly work for physicians. Otherwise, the $36 billion and the countless hours hospitals across the country have spent implementing electronic systems will have been squandered.
Email security is one of healthcare’s top IT issues, thanks, in part, to budget constraints. Many healthcare organizations have already allocated the majority of IT dollars to improving systems that manage electronic patient records in order to meet HIPAA compliance. As such, data security may fall to the wayside, leaving sensitive customer information vulnerable to sophisticated cyber-attacks that combine social engineering and spear-phishing to penetrate organizations’ networks and steal critical data. Most of the major data breaches that have occurred over the past year have been initiated by this type of email-based threat. The only defense against this level of attack is a layered approach to security, which has evolved beyond traditional email security solutions that may have been adequate a few years ago, but are no longer a match for highly-targeted spear-phishing attacks.
Dr. Rae Hayward, HCISPP, director of education and training at (ISC)²
According to the 2015 (ISC)² Global Information Security Workforce Study, global healthcare industry professionals identified the following top security threats as the most concerning: malware (77 percent), application vulnerabilities (74 percent), configuration mistakes/oversights (70 percent), mobile devices (69 percent) and faulty network/system configuration (65 percent). Also, customer privacy violations, damage to the organization’s reputation and breach of laws and regulations were ranked equally as top priorities for healthcare IT security professionals.
So what do these professionals believe will help to resolve these issues? Healthcare respondents believe that network monitoring and intelligence (76 percent), along with improved intrusion detection and prevention technologies (73 percent) are security technologies that will provide significant improvements to the security posture of their organizations. Other research shows that having a business continuity management plan involved in remediation efforts will help to reduce the costs associated with a breach. Having a formal incident response plan in place prior to any incident decreases the average cost of the data breach. A strong security posture decreases not only incidents, but also the loss of data when a breach occurs.
Guest post by Amit Cohen, co-founder and CEO, FortyCloud.
Remote access is changing the practice of medicine – from data collected remotely from newly developed telemedicine devices, to surgery conducted by a surgeon in an offsite location. A smartphone application, currently in development, is set to monitor a user’s voice to detect mood changes for individuals with bipolar disorder. Devices and applications such as these not only improve the quality of care available to patients across the globe, their use also results in exponential growth in the sources and volumes of data. These cutting-edge technologies present new challenges for IT professionals who are responsible for ensuring high availability (always-accessible data), scalability and flexibility for their healthcare organizations.
To enable scalable, high performance at lower costs, even from remote locations, healthcare and pharmaceutical IT have adopted the cloud. Since cloud data centers can be distributed across the globe, cloud computing provides quick access to globally diverse users.
The cloud also offers the scalability to handle the massive influx of new data generated by new health care applications expected from the implementation of the U.S. Patient Protection and Affordable Care Act (PPACA). The U.S. Department of Health and Human Services (HHS) Stage 3 Proposed Rule is also likely to result in additional volumes of digital data. This Rule seeks to align the EHR Incentive Programs with other CMS quality reporting programs that use certified EHR technology to promote improved patient outcomes and health.
Therefore, it is not surprising that healthcare cloud computing is forecasted to grow to $9.48 billion by 2020, according to a recent study; an impressive increase from the current, 2015 market value of $3.73 billion.
Guest post by Jay Schulman, managing principal, Cigital.
Throughout the past two years, if you’re like me, you’ve had your credit card number stolen a number of times. I’m up to six. In one case, someone purchased a $500 TV with my stolen card information. Yet, I sit here today having lost nothing. Every bank and institution has made me whole. The money that was taken was quickly replaced. While I can complain about the inconvenience, I haven’t lost anything.
The financial industry has the luxury of replacing what was taken. The healthcare industry does not.
Once your medical record is stolen, there is no way for the institution to take that information back. If an electronic medical record (EMR) or MRI system is breached, the information and images are out in the open. While the credit card companies can trace fraud back to a common source, it’s very hard for healthcare companies to figure out who has been breached. That’s why the security of healthcare information is so important.
While many healthcare organizations are HIPAA compliant, that only reflects on their ability to properly control personal health information. It doesn’t necessarily assert that you are secure.
As a healthcare organization, you need to take a holistic approach to secure your environment. This includes:
Understanding your portfolio – what applications and systems are in your environment? Understanding the applications, their development languages, what data they store and access, and other pertinent data points are key to understanding your portfolio. Understanding what needs to be secured is a critical and often missed first step.
Assessing the risk of the portfolio and setting priorities. It’s easy to say “anything with personal health information (PHI) needs to be secured.” But do you understand where PHI is stored, or which areas of the network or which systems can reach the systems that hold PHI? The retail breaches of the past two years have taught us that attackers aren’t always going directly to the critical systems but instead to weak links in the environment. Those weak links can give an attacker access to your data.
Performing a threat model to properly understand those weaknesses. A threat model looks at an environment, who the actors are that can breach your system, and what actions they could perform (steal data or cause a denial of service for example). Given the results of the threat model, you can develop a new ranking of the portfolio.
Determining the best ways to improve the security of the environment. If the organization’s software is largely outsourced or primarily purchased commercially, assessing the risk posed by those suppliers is important. Otherwise, how can you be sure that they know how to write secure software? With medical devices, being able to assess the risk and impact of the device to your environment before you put it on your network is essential. Two years ago, many hospitals would assume the device was secure. Today many are starting to assume they are not.
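To make the portfolio-ranking steps above concrete, here is an added example (not code from the post or from Cigital) that walks a hypothetical, constructed inventory through the same sequence: inventory the systems and what they can reach, find which of them can get to PHI directly or through intermediate hops, apply a small threat model of actors and actions, and rank the result. The system names, the "reaches" edges and the likelihood/impact numbers are all invented for illustration; the point it shows is that a low-value system with no PHI of its own can outrank a PHI system once network reachability is taken into account.

```python
"""Threat-model driven ranking of an application portfolio.

Added example with a constructed inventory; nothing here is from the
original post. The hypothetical environment deliberately contains a
"weak link": a point-of-sale system that holds no PHI but can reach a
building-control host that in turn reaches the imaging system.
"""
from collections import deque

# Constructed inventory: system -> attributes. "reaches" lists the systems
# this one is allowed to connect to on the network (assumed values).
INVENTORY = {
    "emr":            {"phi": True,  "language": "Java",   "internet": False, "reaches": []},
    "mri_pacs":       {"phi": True,  "language": "C++",    "internet": False, "reaches": ["emr"]},
    "patient_portal": {"phi": True,  "language": "PHP",    "internet": True,  "reaches": ["emr"]},
    "cafeteria_pos":  {"phi": False, "language": "C#",     "internet": True,  "reaches": ["hvac"]},
    "hvac":           {"phi": False, "language": "C",      "internet": False, "reaches": ["mri_pacs"]},
    "intranet_wiki":  {"phi": False, "language": "Python", "internet": False, "reaches": []},
}

# Constructed threat model: actor -> likelihood (1-5), whether the actor
# needs an internet-facing entry point, and the actions they could take
# with an impact score (1-5). Values are illustrative assumptions.
ACTORS = {
    "external attacker": {"likelihood": 4, "requires_internet": True,
                          "actions": {"steal PHI": 5, "denial of service": 3}},
    "malicious insider": {"likelihood": 2, "requires_internet": False,
                          "actions": {"steal PHI": 5}},
}


def phi_reachable(inventory):
    """For each system, return the set of PHI systems it can reach over the
    network, directly or transitively (breadth-first walk of "reaches")."""
    result = {}
    for start in inventory:
        seen, queue = set(), deque([start])
        while queue:
            node = queue.popleft()
            for nxt in inventory[node]["reaches"]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        result[start] = {s for s in seen if inventory[s]["phi"]}
    return result


def score(attrs, exposure, actors):
    """Risk = max over applicable actors/actions of likelihood * impact.
    An actor who needs an internet entry point is ignored for internal-only
    systems; "steal PHI" only applies when some PHI is exposed."""
    best = 0
    for actor in actors.values():
        if actor["requires_internet"] and not attrs["internet"]:
            continue
        for action, impact in actor["actions"].items():
            if action == "steal PHI" and not exposure:
                continue
            best = max(best, actor["likelihood"] * impact)
    return best


def rank_portfolio(inventory=INVENTORY, actors=ACTORS):
    """Return [(score, system, sorted PHI systems exposed)], highest risk first."""
    reach = phi_reachable(inventory)
    rows = []
    for name, attrs in inventory.items():
        exposure = set(reach[name])
        if attrs["phi"]:
            exposure.add(name)  # a PHI system exposes itself
        rows.append((score(attrs, exposure, actors), name, sorted(exposure)))
    rows.sort(key=lambda r: (-r[0], r[1]))
    return rows


def weak_links(inventory=INVENTORY):
    """Systems holding no PHI themselves that can nevertheless reach PHI."""
    reach = phi_reachable(inventory)
    return sorted(n for n, a in inventory.items() if not a["phi"] and reach[n])


if __name__ == "__main__":
    for risk, name, exposed in rank_portfolio():
        print(f"{risk:3d}  {name:15s} exposes {exposed}")
    print("weak links:", weak_links())
```

In the constructed data the cafeteria point-of-sale system ties with the patient portal for the top score, even though it holds no PHI, because it is internet-facing and has a network path to the imaging and EMR systems; that is the "weak link" the post warns about, and it is exactly the kind of finding a reachability-aware ranking surfaces that a "PHI or not" label alone would miss.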
HIMSS organizers, in preparation of its annual conference and trade show and as a way to rally attendees around several trending topics for the coming show, asked the healthcare community how it feels about several key issues. I’ve reached out to readers of this site so they can respond to what they see as the future of healthcare innovation, data security, patient engagement and big data.
Their responses follow.
Do you agree with the following thoughts? If not, why; what’s missing?
Sean Benson, vice president of innovation, clinical solutions, Wolters Kluwer Health
Future innovations in health IT, big data in particular, will focus on the aggregation and transformation of patient data into actionable knowledge that can improve patient and financial outcomes. The ever-growing volume of patient data contained within disparate clinical systems continues to expand. This siloed data often forces physicians to act on fragmented and incomplete information, making it difficult to apply the latest evidence. Comprehensive solutions will normalize, codify and aggregate patient data in a cloud system and run it against clinical scenarios to create evidence-based advice that is then delivered directly to the point of care via a variety of mobile devices. This will empower physicians with patient-specific knowledge based on the latest medical evidence delivered to the point of care in a timely, appropriate manner, ultimately resulting in higher quality treatment and more complete care.
Susan Reese, MBA, RN, CPHIMS, chief nurse executive, Kronos Incorporated
Gamification — the trend of creating computer-based employee games and contests for the purpose of aligning employee productivity with the organization’s goals — is currently a popular topic with business leaders and IT. For proof, consider that Gartner recently projected that by 2015, 50 percent of all organizations will be using gamification of some kind, and that by 2016, businesses will spend a total of $2.6 billion on this technology.
With numbers like these, it is clear that gaming is serious business and that it is here to stay. But at this point, you may be asking yourself, “Could gamification work in my healthcare environment? What potential benefits could it have?”
Today, many healthcare organizations are looking to the future and considering gamification as a way to increase employee engagement, collaboration, and productivity as well as to align their behavior with larger business goals – but they don’t know how to do it quite yet. Also, gamification can be a delicate decision, complete with advantages and risks. After all, employees’ day-to-day work responsibilities and careers are not games and can’t be trivialized. Healthcare organizations must be careful to avoid sending the wrong message to their workforce, or the whole program could backfire, or even lead to more negative consequences.
Mike Lanciloti, vice president of product management and marketing, Spectralink
In today’s digital age, healthcare IT needs to come a long way to get up to speed in innovation and connectivity. However, as we begin to see mobile play a larger role in the industry, healthcare is moving the needle on innovation as well.
The mobile revolution has picked up in healthcare both for health IT professionals and in patient care, primarily as healthcare providers find ways to utilize smartphones, mobile devices and Wi-Fi networks to improve the communication and efficiency of their workforce.
Through mobile devices, clinicians have the ability to access what they need, when they need it. Mobile devices ensure nurses and mobile staff are equipped with the right technology to promote timely, efficient and reliable communication. This not only allows healthcare professionals to perform their jobs more effectively but also helps deliver a higher quality of patient care.
The growing mobile trend does present several questions for the industry. Hospital managers are quickly learning that an influx of smartphones into the hospital setting can become a larger problem than anticipated. Not only do personal devices lack the security required for enterprise-owned devices, they pose other risks, calling into question issues surrounding encryption, authorized access and mobile security. Personal phones aren’t designed to be equipped with the same encryption capabilities as enterprise-owned mobile devices.
Virtru allows users to choose when to keep their digital content private and secure, even after it’s shared online. Manage and revoke access to emails, photos, files and other content at any time, right from within your favorite programs like Gmail, Outlook, and Mac Mail on your desktop or smartphone. The Trusted Data Format (TDF) is an open standard for securing content of all kinds. Virtru gives everyone the power of the TDF by integrating it with the tools you use every day, like Gmail and Outlook.
Virtru Pro makes it dead simple for physician practices and other organizations to easily, conveniently, and cost-effectively send PHI messages and files over email while complying with HIPAA. While hospital medical record systems often include a secure messaging component that supports safe communications, many organizations prefer to use regular email or do not want to incur the cost and complexity of heavyweight systems. This is especially true for small to mid-sized practices that have fewer financial or IT resources available to them. Virtru Pro is easy to set up and easy to use for doctors, administrative staff, and patients.
Virtru Pro is a cost-effective, easy-to-use, HIPAA-compliant email service for the healthcare industry. Offering the easiest, most secure way for healthcare organizations to comply with the Protected Health Information (PHI) requirements of HIPAA, Virtru Pro ensures these communications are secure, protected and integrated into the tools and processes used daily by physicians, administrators and patients:
Provider-to-provider communications including consult results, CT scans, diagnostic images, prescriptions and scheduling information;
Provider-to-patient communications including test results, prescription information, procedure preparation, and scheduling information; and
Patient-to-patient communications, such as the connection of patients who share a condition and can support each other as physicians offer group care.
With Virtru Pro, an entire organization can now easily send and receive secure, PHI-compliant encrypted emails, revoke sent messages, restrict forwarding and set expiry for emails and files to auto delete. Confidential information sent to colleagues and patients remains private, audit ready, and protected. Virtru Pro eliminates the risk of patient data being inadvertently forwarded to an unintended party and provides added controls so that physicians can determine how their patients’ health information is viewed and shared.
Virtru Pro works with all major email systems and is especially well suited to organizations using cloud-based email providers such as Google Apps for Work, Gmail and Microsoft Office 365.
Virtru was founded to bring true digital privacy to everyone – making end-to-end email encryption dead simple to use and integrated into the products people use every day.
CTO and co-founder Will Ackerly spent eight years at the NSA in various senior management positions, where, as a cloud security architect, he developed the standard for secure data transfer used today by various government agencies: the Trusted Data Format (TDF). He left the NSA to bring this technology to the consumer market, where he saw a real need for people to have control over the privacy and protection of their personal information online. As a senior technology adviser for the Bush White House before and after the events of 9/11, followed by six years in the private equity business, co-founder and CEO John Ackerly also saw a real need to provide individuals with the power to protect their digital communications. Combining the technical knowledge and know-how brought by Will with the on-the-ground experience of John has resulted in the perfect storm that is Virtru.
By Stephen Cobb, senior researcher, ESET North America.
The benefits of making health records available electronically would seem to be obvious. For a start, faster access to more accurate patient information – which is one of the promises of EHRs (electronic health records) and HIEs (health information exchanges) – could save lives. The author of a recent report on the many thousands of lethal “patient adverse events” that occur in America every year, Dr. John T. James, pointed to “more accurate and streamlined medical recordkeeping” as a top priority in the effort to reduce these deadly medical errors. Yet headlines about healthcare facilities exposing confidential patient data to potential abuse have been all over the media this year. So, will security issues and privacy concerns stymie EHR adoption or slow down HIE rollouts?
Today, more than half of all Americans probably have at least some part of their medical record stored on computer. In January, the CDC reported that roughly four out of five office-based physicians are now using some type of EHR system, up from one in five in 2001. A few months later, in a Harris poll sponsored by ESET, only 17 percent of adult Americans said that, to their knowledge, their health records were not in electronic format.
During that same survey of 1,734 American adults, we asked “are you concerned about the security and privacy of your electronic patient health records,” and 40 percent said they were. Slightly more, 43 percent, said they were not. However, if we take out the 17 percent whose records were not in electronic format, the “concerned or not?” question breaks down as 48 percent Yes versus 50 percent No, a statistical tie.