Some people jokingly say they’re “addicted” to their smartphones or to browsing online. They use their devices to visit social media platforms and websites and send texts throughout the day. But the vulnerability created by these activities for employers is no joke, and the risks extend to every industry, including healthcare, since most data breaches are caused by human error.
In doctor’s offices and other clinical operations, the risk is especially acute for providers who use cloud-based systems that require constant connection to the internet. The always-connected nature of these solutions exposes offices to ransomware and malware designed specifically for Windows, which can exploit the internet connection to steal sensitive patient information.
While many high-profile hacking and ransomware incidents have occurred over the past several years, security experts project that 2017 will be even worse as cybercriminals exploit new vulnerabilities introduced by the Internet of Things (IoT) and hackers increasingly turn to Distributed Delay of Services (DDoS) attacks. These are techniques for data theft that are only used to compromise remote data centers with shared servers, commonly called ‘the cloud’.
Practice leaders can respond with training, instructing staff on how to avoid “phishing” scams, fake web sites, fake links, and other temptations and traps, but stopping hackers will take a concerted and comprehensive effort. Encryption, platform and common sense security measures can all play a key role in protecting patient data.
Encryption’s Role in Data Protection
Encryption — the use of an algorithm to make data indecipherable to criminals without an encryption ‘key’ — is an essential component of data security. To comply with HIPAA standards, practices should use software and/or hardware that utilizes Advanced Encryption Standard (AES), the only standard that can be called encryption according to the National Institute of Standards and Technology (NIST).
HIPAA requires that providers use secure, encrypted email. HIPAA also states that providers have a duty to encrypt electronic patient health information (ePHI) that is ‘at rest’ (i.e., on a server, terminal, backup device, etc.) and ‘in motion’(i.e., traveling through an office network or to and from remote connections, etc.) and that their database be further protected with a unique, encrypted password.
Unfortunately, most practice software does not have built-in AES encryption and some do not even have a unique password. Practices with software that does not have built-in encryption who use Windows will have to purchase outside expertise to implements and monitor security and make to help them be HIPAA compliant with regard to encryption.
Platform and Security’s Role in Keeping Data Safe
Practices that use Windows software without built-in encryption must pay for IT security services to deploy encryption on every device that houses ePHI. Mac users can handle the safety of data at rest by turning on FileVault in preferences. This is a glaring example of the difference platforms make in keeping data safe and the cost to the doctor.
Virtual private networks (VPNs) are an option for practices to compensate for practice management and EHR software that does not encrypt data in motion, but VPNs increase costs and complexity and can degrade network responsiveness. But even with a VPN, practices must make sure their software provides a unique, encrypted database password; otherwise, they’re well advised to get software that does.
Hacking is on the rise, and ransomware is a huge problem for practices that operate on Windows. In March 2016 alone, 56,000 Windows users reported attacks. Practices that use native Mac software have not been affected by ransomware. Macs are also less expensive to operate in the long run: IBM gave employees the option to use PCs or Macs and found that each PC required twice as much support and cost IBM $535 more than a Mac during a four-year period.
Cloud software and hosting server farms aren’t the solution: Malware, including ransomware, can infect every device that connects to an infected computer, including offsite cloud servers and backup devices. The FBI says the only sure way to recover is to restore data from an uninfected backup that is not connected, followed by reformatting devices.
Note about “the cloud”: You have heard from cloud vendors that “everyone is going to the cloud.” What you may not have heard is that 40 percent of organizations that migrated their data and applications to the cloud are now bringing all or some of them back because of security and cost concerns. Also a recent survey of dentists indicated that of the top dental software perhaps no more than 3 percent of dentists are using cloud software, although it has been available to them for eight years.
Now that electronic health records have become the norm, healthcare providers — as well as healthcare systems and insurers — have access to unprecedented amounts of patient data. As a result, the practice of data mining, or analyzing data sets to identify trends and patterns, has become commonplace in healthcare, with the ultimate intent of improving patient care, improving efficiencies in the delivery of care, and reducing costs. Simply put, data mining has the potential to save lives and save money, but that doesn’t mean that it isn’t without risk.
As you might expect, using patient data for any purpose beyond providing care for the individual patient brings with it some tricky issues regarding privacy, and keeping the information from falling into the wrong hands. There are significant legal issues related to the use of patient data in data mining efforts, specifically related to the de-identification, aggregation, and storage of the data. Failing to take the appropriate steps when using personal health data as a tool for population health could lead to serious consequences, including a violation of HIPAA.
The question, then, is how to protect patient privacy while still gaining the insights that data mining can provide.
Protecting Patient Privacy for Data Mining
One of the major security concerns related to data mining is the fact that many patients don’t even realize that their information is being used in this way. Considering the way in which mined information can be used, this is of concern to many privacy advocates.
For example, in one noted example, Carolinas HealthCare, which runs more than 900 care facilities in the southern U.S., has purchased consumer data on more than two million people, which they use in algorithms to determine the risk for illness. The data includes purchase information collected from credit cards and consumer loyalty programs, as well as public records, to determine which people are at the most risk of getting sick. Providers can potentially use this information to remind patients to visit the gym more often, or encourage them to stop eating so much fast food. Other hospitals have used general demographic information about home and vehicle ownership or family makeup, to gain insight into a patient’s health and well-being, as well as identify potential barriers to care. However, what sets this type of data mining apart from healthcare data mining is that it’s data collected via other sources, and therefore not covered by HIPAA rules.
Still, many patients who have been contacted as a result of this type of data mining have noted that the practice feels intrusive. Even more intrusive is the potential for their personal health data to be used in this way, especially without their permission. Under HIPAA rules, data mining is a secondary, future use of health data, and thus requires the explicit permission of the patient before being used.
By the very definition, data mining is the process of looking for previously unknown patterns in data, so there is no way of knowing from the beginning what data is useful, or what relationships will be uncovered, meaning that there is potential for identifying information to be used or revealed. This highlights an important consideration when it comes to collecting and using personal information for data mining: Permission from the individual. Privacy advocates recommend offering patients the option to opt-in, opt out of specific uses, or opt-out entirely.
As developers of electronic health record (EHR) software, my company gets into a lot of conversations with providers about their expectations for the future. This information helps us make decisions about what to build next. Here are three trends we’re hearing from our customers right now:
Low-tech beats high-tech in telemedicine
Unlike the way it was imagined decades ago by science fiction writers, telemedicine does not necessarily mean holographic images or live video conferencing with a physician half a continent away. Patients would rather receive “low tech” remote care from their primary care physician who has a full picture of their health status.
This form of telemedicine happens whenever an EHR system adds to a patient’s clinical chart the messages, pictures, or videos sent securely via smartphone. It happens whenever a smartphone connects to a remote health monitoring device for collection of real-time data such as blood pressure, oxygen levels, and heart rate.
The new rules allowing reimbursement of telemedicine and other non-face-to-face services will encourage physicians to bill for these remote care activities. Medicare’s recently expanded set of billing codes for Chronic Care Management (CCM) is a good example of how the future of value-based care goes beyond the office visit to keep patients out of hospitals and emergency rooms. The ability to securely and rapidly receive and answer a patient’s questions via text, and then capture those activities in the patient’s permanent clinical record is a critical step in that direction.
Primary care providers are trying new types of practices
Primary care physicians are frustrated with the hassle and expense of dealing with insurance companies. The new Medicare fee-for-value quality payment program is creating uncertainty about future reimbursement levels and requires additional reporting. Also, there is an acute level of burnout with “corporate medicine,” which has providers booked for dozens of daily appointments, only to spend less than 15 minutes with each patient.
In order to remain independent, a small but growing group of primary care practitioners are becoming more financially creative and experimenting with new models of practice. One example is direct care, in which a financial relationship is established directly between patient and provider, cutting out insurance altogether. This model includes concierge and direct primary care (DPC), where patients become “members” of a practice and pay a fixed monthly fee for unlimited primary care – similar to a gym membership, but for healthcare. Another example of direct care is the cash-only practice that sees walk-in patients for urgent care.
EHR interoperability will catch FHIR
Physicians and their patients are frustrated with the lack of interoperability in health IT. The concept of having a patient’s medical records accessible to any authorized provider at any time is still a rare occurrence. When a patient switches primary care physicians, the first office typically prints out and faxes their medical records to the second office, which introduces the possibility of errors, HIPAA violations, and others.
Healthcare is experiencing major breakthroughs in technology with the rise in digital transformation. mHealth – a terminology that combines mobile technology with healthcare is proliferating and bringing up an opportunity to revamp public health.
Mobile technology is playing a vital role in delivering healthcare seamlessly, with ease of access to both providers as well as consumers.
The magnitude and scope of development of mHealth is beyond explanation. As per GreatCall, mHealth is projected to be a $26 billion industry by the end of 2017. Surely, 10 years from now healthcare mobile devices will become smarter than they already are.
This technology has a potential to reduce the risk of errors and save the time and money that is often wasted. As more and more care providers are shifting to mobile health technologies, consumers have a plethora of options to choose from. Its adoption rate is at an all-time high since it has a variety of utilities to offer.
Development of point of care medical devices, fitness and wellness smartphone apps, clinical medication apps, medical resources, journals and patient records is on the surge. Mobile technology is helping increase patient engagement and connected care. Almost, 83 percent physicians believe in the power of mHealth for patients.
There is a whole new world of possibilities and challenges that mobile has opened for healthcare along with its growing development and support. For instance, end point app security, data breaches and HIPAA violations have sharply increased and there is a need to regulate them. Despite these, mHealth proves to be the most promising industry trend for caregivers and consumers alike.
To understand the general consumer response, usage trends security concerns governing mHealth, Kays Harbor has come up with an infographic. This infographic depicts interesting facts and numbers reported by surveys conducted by firms like SkyCure, Research2Guidance, Great Call, etc.
Guest post by Santosh Varughese, president of Cognetyx
Cybersecurity is a serious concern for every industry in America, but healthcare has been particularly hard hit. It is the most likely industry in the U.S. to suffer a data breach. According to the Ponemon Institute, nearly nine out of 10 healthcare organizations have been breached at least once, and nearly half have been breaced three times or more. Cyber-criminals are clearly winning this war, despite more funding, more firewalls, and more scrutiny. Here are five reasons why healthcare organizations are losing the cybersecurity war.
C-level healthcare executives still aren’t taking data security seriously.
Although the epidemic of healthcare cyber-attacks has C-suite executives claiming they finally realize the gravity of the situation, their actions tell a different story. A recent survey by HIMSS found that while most facilities have given information security a higher priority, healthcare IT personnel still complain of insufficient funding and staffing for cybersecurity. The same concerns were expressed by IT personnel surveyed in the Ponemon study and an earlier study conducted by IBM.
Frontline employees aren’t taking it seriously, either.
A group of security researchers from the University of Pennsylvania, Dartmouth and USC recently conducted an ethnographic study of cybersecurity practices among nurses, doctors, and other frontline medical personnel. The results showed a flagrant, widespread, shocking disregard for even the most basic data security practices; among other things, workers were observed:
Writing passwords on sticky notes and tacking them on machines in full view of anyone who wandered by.
Allowing other staff members to use their login credentials out of “professional courtesy.”
Purposefully defeating automated system timeouts by placing foam cups over sensors or by having another employee tap a spacebar at intervals.
Criminal hackers are fully aware of these types of practices and do not hesitate to take advantage of them; 95 percent of breaches occur when hackers get their hands on legitimate login credentials, either by obtaining them from a malicious insider or by taking advantage of an employee’s negligence or carelessness.
Too many facilities think that HIPAA compliance is sufficient to secure their data.
Most healthcare organizations focus primarily or exclusively on HIPAA compliance, erroneously thinking that complying with HIPAA is all they need to do to secure their systems. However, HIPAA was never meant to be a blueprint for a comprehensive data security plan. The law primarily addresses documentation and procedures, such as specifying when a patient’s medical records can legally be released, not technical safeguards. Information security experts surveyed by the Brookings Institution stated that HIPAA does very little to address the types of security challenges faced by large healthcare organizations with hundreds of employees and highly complex, interconnected data environments. The proof is in the numbers; if HIPAA compliance were enough to protect patient data, 90 percent of healthcare organizations would not have experienced breaches.
In the age of the digital hospital and the connected patient, security will likely improve the less it depends on providers.
Everything from HIPAA to patient engagement treats physicians as the white hot sun of the healthcare universe, holding everything together and keeping it all in stable orbit. They are accountable for health outcomes, for patient satisfaction, for guiding patients to online portals, and for coordinating with care teams to keep data secure — even as mobility and EHR dominance complicates every node in the connectivity chain. All this digital chaos brings more diminished security.
Only as Strong as the Weakest Link
Every business out there has learned — usually the hard way, or by watching someone else learn the hard way — that whatever the security infrastructure, users are the weakest link. More devices means more users, and more connectivity and data-sharing means more weak spots all along the chain. By design, the EHR system adds vulnerability to healthcare data security through a long chain of users.
Patients don’t have a systemic, accountable role in all of this. Our whole approach fosters passivity on the part of the patient and paternalistic assumptions on the parts of caregivers and policymakers. We give tacit acknowledgement of this imbalance whenever malpractice law or tort reform is mentioned — and promptly left behind in the face of other, patient-exculpatory programs and initiatives.
Patients are a part of this. Clearly they are invested in their own security — the costs of health data breaches contribute to the rising costs of care, besides exposing personal financial and medical information that can carry its own universe of costs.
Patients are implicated, but they must also be accountable for security in the new high tech healthcare system.
An Old Problem with New Importance
Getting patients included in the evolution and delivery of healthcare requires engagement. The same goes for digital security. The ethical and financial dilemmas of the security situation is an expensive distraction for administrators and caregivers, but it is a learning opportunity that could empower patients. A new emphasis on digital security and privacy could be the start of a cascade of engagement with further questions of use and responsibility for outcomes.
Already, patients are key players in making telemedicine effective. Access is on the shoulders of the patients, and utilization depends on their technical literacy. The incentives–time and money savings, improved access to care–are powerful, but come with the obligation to learn the platform through which remote care is delivered. Utilizing any telehealth solutions requires patients to think about what information they want to share, whether they trust the new platform, communicating effectively with their provider, and gaining confidence for the new medium.
This same model can be applied more broadly to EHRs, and the patient role in the digital healthcare system.
Guest post by Ben Oster, product manager, AvePoint.
Balancing the strategic needs of a business with the user-friendliness of its systems is a daily struggle for IT pros in every industry. But for healthcare organizations, safeguarding the data living in these systems can be especially daunting. According to a study by the Ponemon Institute, healthcare is a minefield for various security hazards. Within the last two years, 89 percent of healthcare organizations experienced at least one data breach that resulted in the loss of patient data. As healthcare businesses and the patients they serve adopt a mobile-first approach, providers must strike a balance between innovation and risk to prevent patient data (and internal information) from falling into the wrong hands.
The use of mobile devices and apps certainly enhance patient-provider relationships, but these complex information systems present new concerns surrounding compliance, security, and privacy. As employees and patients increasingly adopt smartphones, tablets, and cloud-based software into their daily lives, healthcare leaders must prioritize users’ needs while mitigating security risks. Mastering this dynamic requires healthcare companies to balance mobility trends like BYOD and cloud computing with regulatory requirements like HIPAA.
To lower the risk of data breaches, healthcare organizations need to defend their systems by identifying, reporting on, and safeguarding sensitive data. Here are a few steps the healthcare industry can take to join the mobile revolution without compromising security:
Start with discovery – Traditionally, healthcare organizations have taken a “security through obscurity” approach to protecting data. In other words, relying on the ambiguity of the data in their systems to ward off malicious attacks and breaches. But as technology emerges that personalizes patients’ end-user experience – such as online patient portals and electronic medical records – the less obscure healthcare organizations’ data becomes. With patients and medical staff accessing this data through a range of devices and workflows, knowing precisely what content exists in a healthcare organization’s infrastructure is essential to security. That’s why discovery is the first step to safeguarding content. Healthcare IT teams should also roll out internal classification schemas to determine which user groups need access to this data. By categorizing content based on these factors, healthcare companies can lay the framework for a truly secure system.
Guest post by Gillian Christie, health innovation analyst, Vitality.
An era of self-quantification of health behaviors using technology is emerging outside of the doctor’s office. Consumer-facing health technologies empower individuals to monitor their health in real-time, employers to understand the health of their workforce, and researchers to uncover health trends across geographies. Eventually, the data from these technologies will re-enter the hospital setting by linking to our electronic medical records.
Deluges of data are rapidly being generated by these technologies. An estimated 90 percent of the world’s data has been created in the past two years. IBM’s CEO, Ginni Rometty, indicates that data is the “next natural resource.” But how are these data protected and secured?
In the United States, laws have historically protected consumers from the misuse or abuse of their medical information. The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) have protected medical data from inappropriate uses. Data generated by consumer-facing health technologies, however, are not covered by these Acts. Companies can use the data for their own purposes. This means that companies must be ever more vigilant in ensuring the trust of their consumers through their data practices.
How can we collaborate across sectors to maintain and enhance trust? As a start, Vitality, Microsoft and the Qualcomm Institute at the University of California, San Diego, published an open-access, peer-reviewed commentary that outlined ethical, legal and social concerns associated with emerging health technologies. The call to action was for guidelines to be developed through a consultative process on the responsible innovation of these technologies and the appropriate stewardship of data from the devices. Between July and October 2015, we hosted a global public consultation to identify best practices. On Mar. 2, 2016, at HIMSS, we released the finalized guidelines for personalized health technology. They include five recommendations:
In August 2015, my colleague Moshe Ben Simon contributed an Electronic Health Reporter story about how hospitals can protect against data breach using deception technologies. Since then, TrapX Labs, the research and development group within TrapX Security, has seen substantial evidence that cyber attackers have continued their attacks on healthcare targets. The number of attacks, quantity of data stolen and the sophisticated human attackers that TrapX Labs continues to track are increasing quarterly. Out of the top seven data breaches of 2015, three of them (Excellus BlueCross BlueShield, Premera Blue Cross and Anthem) lost more than 100 million records combined.
On Jan. 4, 2016, the Identify Theft Resource Center (ITRC) reported that 66.7 percent of all records breached came from the healthcare industry. Healthcare continues to be targeted because of the high value of the data and the vulnerabilities healthcare institutions are susceptible to, such as the medical device hijack (MEDJACK). More information on MEDJACK can be found here.
The convergence of this healthcare cyberwar with incomplete HIPAA compliance creates a double jeopardy situation for healthcare professionals. Not only must healthcare institutions deal with the damage inflicted by a cyber attacker and then manage the data breach penalties, but they also face investigation and additional penalties from HHS. Hospitals, accountable care organization (ACO) networks, large physician practices, health insurance companies, diagnostic laboratories, radiology/skilled nursing facilities, surgical centers and others are high value targets for attackers and all face these risks.
Training is Essential
New strategies to prevent healthcare data breaches have evolved in many areas. Regular training for both clinicians and non-clinicians can have a positive impact on reducing successful attacks.
Clinicians and non-clinicians need to recognize that their “connected” healthcare environment needs to be tightly controlled. IBM’s “2014 Cyber Security Intelligence Index” noted that 95 percent of all security incidents seem to involve human error. Even a MEDJACK usually starts with an email or website based attack. Assuming a healthcare organization’s network perimeter and internal defenses are properly configured and updated, the next step a healthcare organization should take to substantially reduce its risk is implement a rigorous employee training program.
The first component of training comes during orientation. New employees typically receive passwords and authentication information from information technology (IT), the help desk and supervisors in their area, and it’s imperative they manage them in a safe manner (no yellow sticky notes, please).
Patient-centricity , patient centered thinking, and the rise of the “p-suite” in pharma companies continued a trend established over a year ago when Sanofi broke new ground by hiring Dr. Anne Beal, former deputy executive director of the Patient Centered Outcomes Research Institute (PCORI), to the newly created role of chief patient officer. Her new responsibilities included elevating the perspective of the patient within Sanofi and finding better ways to incorporate the unique priorities and needs of patients and caregivers.
Yet as life sciences companies continue the pursuit of a 360-degree view of “customers” typically classified as healthcare professionals (HCPs), a view of patients has been even harder to come by. Partly because of HIPAA and privacy requirements, but also because, unlike healthcare providers and payers who have regular contact with patients, life sciences companies engage primarily at the level of clinical trials and consumer marketing.
Better understanding of the patient is top priority in life sciences for 2016, and executives will continue to push cultural change facilitation, enhanced cross-functional collaboration, and increased employee engagement. But what would a life sciences company consider to be a key patient engagement metric and a measure of ROI?
With data about patients spread across a significant number of sources, including internal, external and social, merely identifying and collating that data can be a challenge – let alone deriving insights that can support patient-centric strategies and programs. Technology exists today to turn patient data into actionable insights for better R&D and commercial efficiency, as well as to deliver better services to the patient. In order to rapidly analyze data and target audience needs with products and services, life sciences will need to close the loop by tracking and monitoring the effectiveness of their offerings. In other words, they have to be both patient-centric and data-driven.
Healthcare Providers and Payers Will Take Data-driven to the Next Level
Healthcare providers and payers have approved access to member and patient data, as compared to life sciences companies, so are able to develop a new breed of data-driven solutions built to serve individuals, employers, providers, brokers and more. These tools, products and services bring value to every stakeholder, and ultimately benefit the patients themselves in the form of better care, lower premiums and improved efficacy.
However, being able to do so requires a significant step up in data management capabilities. Today’s modern data management platforms are not just cloud-based, but include a reliable data foundation that in generations past, used to cost IT teams millions of dollars in hardware, software and implementation resources alone to produce.