In August 2015, my colleague Moshe Ben Simon contributed an Electronic Health Reporter story about how hospitals can protect against data breach using deception technologies. Since then, TrapX Labs, the research and development group within TrapX Security, has seen substantial evidence that cyber attackers have continued their attacks on healthcare targets. The number of attacks, quantity of data stolen and the sophisticated human attackers that TrapX Labs continues to track are increasing quarterly. Out of the top seven data breaches of 2015, three of them (Excellus BlueCross BlueShield, Premera Blue Cross and Anthem) lost more than 100 million records combined.
On Jan. 4, 2016, the Identify Theft Resource Center (ITRC) reported that 66.7 percent of all records breached came from the healthcare industry. Healthcare continues to be targeted because of the high value of the data and the vulnerabilities healthcare institutions are susceptible to, such as the medical device hijack (MEDJACK). More information on MEDJACK can be found here.
The convergence of this healthcare cyberwar with incomplete HIPAA compliance creates a double jeopardy situation for healthcare professionals. Not only must healthcare institutions deal with the damage inflicted by a cyber attacker and then manage the data breach penalties, but they also face investigation and additional penalties from HHS. Hospitals, accountable care organization (ACO) networks, large physician practices, health insurance companies, diagnostic laboratories, radiology/skilled nursing facilities, surgical centers and others are high value targets for attackers and all face these risks.
Training is Essential
New strategies to prevent healthcare data breaches have evolved in many areas. Regular training for both clinicians and non-clinicians can have a positive impact on reducing successful attacks.
Clinicians and non-clinicians need to recognize that their “connected” healthcare environment needs to be tightly controlled. IBM’s “2014 Cyber Security Intelligence Index” noted that 95 percent of all security incidents seem to involve human error. Even a MEDJACK usually starts with an email or website based attack. Assuming a healthcare organization’s network perimeter and internal defenses are properly configured and updated, the next step a healthcare organization should take to substantially reduce its risk is implement a rigorous employee training program.
The first component of training comes during orientation. New employees typically receive passwords and authentication information from information technology (IT), the help desk and supervisors in their area, and it’s imperative they manage them in a safe manner (no yellow sticky notes, please).
Patient-centricity , patient centered thinking, and the rise of the “p-suite” in pharma companies continued a trend established over a year ago when Sanofi broke new ground by hiring Dr. Anne Beal, former deputy executive director of the Patient Centered Outcomes Research Institute (PCORI), to the newly created role of chief patient officer. Her new responsibilities included elevating the perspective of the patient within Sanofi and finding better ways to incorporate the unique priorities and needs of patients and caregivers.
Yet as life sciences companies continue the pursuit of a 360-degree view of “customers” typically classified as healthcare professionals (HCPs), a view of patients has been even harder to come by. Partly because of HIPAA and privacy requirements, but also because, unlike healthcare providers and payers who have regular contact with patients, life sciences companies engage primarily at the level of clinical trials and consumer marketing.
Better understanding of the patient is top priority in life sciences for 2016, and executives will continue to push cultural change facilitation, enhanced cross-functional collaboration, and increased employee engagement. But what would a life sciences company consider to be a key patient engagement metric and a measure of ROI?
With data about patients spread across a significant number of sources, including internal, external and social, merely identifying and collating that data can be a challenge – let alone deriving insights that can support patient-centric strategies and programs. Technology exists today to turn patient data into actionable insights for better R&D and commercial efficiency, as well as to deliver better services to the patient. In order to rapidly analyze data and target audience needs with products and services, life sciences will need to close the loop by tracking and monitoring the effectiveness of their offerings. In other words, they have to be both patient-centric and data-driven.
Healthcare Providers and Payers Will Take Data-driven to the Next Level
Healthcare providers and payers have approved access to member and patient data, as compared to life sciences companies, so are able to develop a new breed of data-driven solutions built to serve individuals, employers, providers, brokers and more. These tools, products and services bring value to every stakeholder, and ultimately benefit the patients themselves in the form of better care, lower premiums and improved efficacy.
However, being able to do so requires a significant step up in data management capabilities. Today’s modern data management platforms are not just cloud-based, but include a reliable data foundation that in generations past, used to cost IT teams millions of dollars in hardware, software and implementation resources alone to produce.
Guest post by James Carder, CISO of LogRhythm, VP of LogRhythm Labs.
This year’s biggest health data breach victims include insurers Premera and Anthem, where incidents affected nearly 100 million patients combined. It’s clear that healthcare organizations must strengthen their cyber security programs to protect themselves and their patients, or they’ll be targeted again and again. Strategically, healthcare organizations must change the way they have operated for the past 30+ years with regard to their behaviors and their use of IT. Cyber security is now a key business differentiator as both patient care and safety are paramount to a hospital’s ability to remain a trusted provider. The hospital of the future is one that incorporates these protection measures into its business brand, thereby recruiting, retaining and reinvesting in patients.
As we start out 2016, here’s what I think we’ll see going forward:
Healthcare IT security will continue to fall further and further behind the rest of the industry verticals
Healthcare IT security will continue to fall further behind the rest of the industry verticals. Healthcare organizations are focusing on functionality for patient care (rightfully so), and security is an afterthought. Many organizations are overly dependent on antiquated hardware and software, with inherent vulnerabilities, that could inadvertently put patients in danger. There has never been a real investment in information security, so the cost to catch up to industry standards and shed the label of being the hackers’ “low hanging fruit” is that much more expensive. The industry will continue to be targeted by sophisticated and organized attackers until a serious investment is made in both technological and human capital.
The medical record is a relative goldmine of information and, as such, a highly valuable target for all classes of attackers, ranging from financial crime groups to nation state threat actors. The number of items a hacker has access to and the way in which the information can be used is more extensive. Stolen data can be re-used by a hacker over and over again. So, in addition to this general prediction, I also think that at least one of the U.S. News and World Report top 10 hospitals will go public with a breach through outside channels.
Healthcare IT (security) spend will be the highest it has ever been, doubling the spend of 2015
Despite my first prediction, healthcare organizations will invest a lot of money in IT security technology and human resources, doubling the spend of 2015. Although the executives may fund the security department, a security culture might not trickle down to the rest of the organization. The person in charge of security might be accountable for security, but the buy-in must come from the board of directors down through every level of the organization. Staff and the clinicians must understand what they are doing is making the organization a safer place for them and their patients–their effective security behaviors allow clinicians to do their job in treating patients better.
At least one major medical device manufacturer will have to go public with a vulnerability that could fatally affect patients
Medical device vendors and manufacturers have never taken security seriously. They are primarily looking for functionality for patient care and ease of administration and maintenance. A medical device is a computer system with one end attached to the patient, providing critical patient care, and the other end attached to the corporate network or Internet. Just like most devices on the network, a medical device runs a known operating system; vulnerable to the myriad exploits that effect any computer. Based on the risk profile of a medical device, it should be subject to the highest security standards in the industry but unfortunately they are not. If someone can hack into a Windows XP box that is unpatched with exploitable vulnerabilities, someone can hack into an XP-based medical device. I predict that another medical device manufacturer will disclose an easily exploitable vulnerability that could patients at direct risk. I also predict that an attacker will exploit a medical device and use it as a bridge into a company’s corporate network to facilitate a breach.
Guest post by Mohan Balachandran, co-founder and president, Catalyze.
As we look back upon 2015, we can reflect, review and based on that and other factors, make some predictions about what next year will bring us. John Halamka had an interesting post that reflect on the bigger challenges, such as ICD-10, the Accountable Care Act and its implications on data analytics, the HIPAA omnibus rule and its impact on cybersecurity and audits and the emergence of the Cloud as a viable option in healthcare. We can expect to see some of these trends continue and grow in 2016. So based on these key learnings from 2015, here are a few predictions for 2016.
Cybersecurity will become even more important
In 2015, insurers and medical device manufacturers got a serious wake up call about the importance and cost of cybersecurity lapses. Healthcare data will increasingly be looked at as strategic data because we can always get a new credit card but since diagnoses cannot change, the possibilities of misuse are significant. Just as the financial industry has settled on PCI as the standard, expect the healthcare industry to get together to define and promote a standard and an associated certification. HITRUST appears to be the leader and recent announcements are likely to further cement it as the healthcare security standard. Given all that, one can safely expect spending on cybersecurity to increase.
IoT will get a dose of reality
The so-called Internet of Things has been undergoing a boom of late. However, the value from it, especially as applied to quantifiable improvement in patient outcomes or improved care has been lacking. Detractors point out that the quantified-self movement while valuable, self selects the healthiest population and doesn’t do much to address the needs of older populations suffering from multiple chronic diseases. Expect to see more targeted IoT solutions such as that offered by those like Propeller Health that focus on specific conditions, have clear value propositions, savings, and offer more than just a device. Expect some moves from Fitbit and others who have raised lots of recent cash in terms of new product announcements and possible acquisitions.
Lightning Bolt invests heavily in research and software development to solve complex problems in the area of medical staff scheduling.
Lightning Bolt is the leading provider of automated physician scheduling for hospitals around the world. The company manages more than 3 million physician hours each month, helping to create shift schedules that promote work-life balance, productivity and patient safety.
Lightning Bolt’s cloud-based scheduling platform helps hospitals create dynamic staff schedules with a few clicks, automatically optimizing hundreds of complex scheduling rules. Physicians are able to request time-off and shift changes through the platform, creating transparency and a fair system that balances staff needs. The system also includes HIPAA-compliant messaging and detailed analytics.
Working as a staff scientist at the Los Alamos National Laboratory to schedule massively parallel supercomputers in 1998, Lightning Bolt founder Suvas Vajracharya, Ph.D. was approached by a high school friend, a doctor, for help with a big frustration. The doctor noticed that the seemingly simple task of creating call schedules for his group was deceptively complex, time consuming, and often proved an inaccurate science where equitable distribution of staffing resources, or the honoring of individual physician requests, would often conflict or simply could not be met.
Suvas saw that his own technology experience with scheduling supercomputers could provide the foundation for creating an elegant, easy to use solution to solve the inherent complexities in medical staff scheduling. Both supercomputing and medical staff scheduling share fundamental requirements, including the need to distribute tasks equally and efficiently in the presence of complex and often changing rules with varying priorities. Within a few months, Suvas developed a prototype scheduling system to tackle his friend’s challenging problem and Lightning Bolt was born.
The company’s growth has largely been through word-of-mouth between physician executives and hospital operations leaders who have discovered the software and become loyal customers. Lightning Bolt also attends several industry events each year, including HIMSS, MGMA and RSNA.
The vast majority of physician scheduling is still done manually today at America’s 5,700 hospitals. There are emerging players in the space of automated scheduling but nowhere near as established as Lightning Bolt. The company is part of a growing sector of hospital operations technology, including companies such as Silversheet, Modio Health, HealthLoop and AnalyticsMD.
How does your company differentiate itself from the competition
Lightning Bolt is the only platform that considers significant and complex relationships to auto-generate the best possible schedules for large medical organizations. Also, they are the only scheduling system that provides transparency across a healthcare workforce. Since manual scheduling using spreadsheets or paper is the largest competitor, Lightning Bolt’s biggest differentiators tend to be time and efficiency. In one case study, iNDIGO Health Partners generated a $38M ROI over 5 years by switching from manual to automated scheduling with Lightning Bolt.
More and more healthcare practitioners are turning to social media to disseminate health related information and communicate with customers and others in their field. However, healthcare practitioners should pay close attention to the information that they share out there to ensure that they comply with HIPAA Security Rule. Here are a few guidelines to assist you in implementing a social media strategy that complies with HIPAA standards.
What is HIPAA?
First, let’s begin with a basic understanding of the law. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law mandating the non-disclosure of private and personal patient information by healthcare professionals and their business associates. The exception to this rule is that the patient’s information can be shared internally within the confines of the hospital between doctors and healthcare professionals, or between the hospital and the insurance company for payment purposes. Unless the patient voids the non-disclosure, their information has no place outside of the databases of both the hospital and the insurance company.
Guidelines for remaining HIPAA compliant
An accidental error in the information that has been shared on social media can mean that HIPAA compliance has been inadvertently violated. While the mistake may not be on your part, it could mean a host of problems for you, your business, and your reputation. Staying cautious about the information that is disseminated through your organization’s Facebook, Twitter, or other social media pages is significantly important to your career.
Seek patient consent before you post anything – Before you write about a case, seek your patient’s consent. Confidentiality is a fundamental aspect of the relationship you share with those who have sought your professional assistance. Acquiring prior consent should never be overruled, regardless of whether your client’s identity has been omitted from the information you shared online.
Inform before you engage – Some patients are less private about their medical conditions, and would like to communicate with you through social media. You should attempt to take the conversation into the privacy of your workplace. If your patient persists on an online dialogue, inform them of the risks associated with revealing personal information online, then acquire the patient’s consent before communicating through social media.
Guest post by Pawan Sharma, director of operations for healthcare at Chetu.
Healthcare is quickly adapting to the digital environment by leveraging web-based technologies, electronic health records (EHR) and mobile devices to facilitate the movement of information. With innovative software technology comes great responsibility. One of the unfortunate downsides to increasing the use of technology for data sharing in the healthcare world is the risk of data falling into the wrong hands. Full measures need to be put in place to protect patient’s Protected Health Information (PHI). The Health Insurance Portability and Accountability Act (HIPAA) mandates that all PHIs be secured. Any breach, if not handled appropriately under established procedures, can lead to grave consequences including heavy penalties, jail time, or both. Needless to say that proper mechanisms need to be implemented to secure data while it is stored, transmitted and consumed.
Understanding Regulatory Standards
Knowledge is power. It is paramount that software providers look for back-end development partners that have Healthcare IT experience. This includes extensive knowledge and proficiencies with federal regulations like American Recovery and Reinvestment Act (ARRA), meaningful use stage 1 and 2, Accountable Care Act, etc. Also, regulatory health information exchange (HIE) standards such as Health Level 7 (HL7), Health Information Exchange Open Source (HIEOS), Fast Healthcare Interoperability Resources (FHIR), Consolidated-Clinical Document Architecture (C-CDA), Continuity of Care (CCD/CCR) as well as clinical and financial work flows.
With information traveling over a network it may be subject to interference. Hence, it is important that data be encrypted in transit. Vendors must include encryption technology to prevent disclosure of patient health information while data is communicated between the application and the server. Web traffic must be transmitted through a secure connection using only strong security protocols such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS). SSL/TLS certificates are light weight data files that are purchased and installed directly onto the server. Once implemented, a user will be able to connect to the web-based application server via a secure tether with an internet browser.
Organizations have been keen on securing networks and internal infrastructure from external threats. With this in mind, malicious entities are looking to breach data at the application level. Healthcare software proprietors must protect their application from security threats by employing hardening tactics, which shields bugs and vulnerabilities in the coding. This technique primarily includes code obfuscation. Code obfuscation is the act of intentionally creating obscure source code to make it difficult for entities to decipher. Properly employing this tactic hinders a threats ability to reverse engineer and tamper with an application to facilitate a breach.
Guest post by Lucy Doyle, Ph.D., vice president, data protection, information security and risk management, McKesson, and Karen Smith, J.D.,CHC, senior director, privacy and data protection, McKesson.
Today there are opportunities and initiatives to use big data to improve patient care, reduce costs and optimize performance, but there are challenges that must be met. Providers still have disparate systems, non-standard data, interoperability issues and legacy data silos, as well as the implementation of newer technologies. High data quality is critical, especially since the information may be used to support healthcare operations and patient care. The integration of privacy and security controls to support safe data handling practices is paramount.
Meeting these challenges will require continued implementation of data standards, processes, and policies across the industry. Data protection and accurate applications of de-identification methods are needed.
Empowering Data Through Proper De-Identification
Healthcare privacy and security professionals field requests to use patient data for a variety of use cases, including research, marketing, outcomes analysis and analytics for industry stakeholders. The HIPAA Privacy Rule established standards to protect individuals’ individually identifiable health information by requiring safeguards to shield the information and by setting limits and conditions on the uses and disclosures that may be made. It also provided two methods to de-identify data, providing a means to free valuable de-identified patient level information for a variety of important uses.
Depending on the methodology used and how it is applied, de-identification enables quality data that is highly useable, making it a valuable asset to the organization. One of the HIPAA- approved methods to de-identify data is the Safe Harbor Method. This method requires removal of 18 specified identifiers, protected health information, related to the individual or their relatives, employers or household members. The 18th element requires removal of any other unique characteristic or code that could lead to identifying an individual who is the subject of the information. To determine that the Safe Harbor criteria has been met, while appearing to be fairly straightforward and to be done properly, the process requires a thorough understanding of how to address certain components, which can be quite complex.
The second de-identification method is the expert method. This involves using a highly skilled specialist who utilizes statistical and scientific principles and methods to determine the risk of re-identification in rendering information not individually identifiable.
We need to encourage and support educational initiatives within our industry so more individuals become proficient in these complex techniques. At McKesson, we are educating our business units so employees can better understand and embrace de-identification and the value it can provide. This training gives them a basic understanding of how to identify and manage risks as well as how to ensure they are getting quality content.
Embracing Social Media and New and Improved Technologies
One of the challenges we face today in de-identifying data is adapting our mindset and methodologies to incorporate new emerging technologies and the adoption of social media. It is crucial to understand how the released data could potentially be exposed by being combined with other available data. New standards are needed.
While de-identifying data can be challenging and complex, the task is made easier when we remember and adhere to our core directive to safeguard data. With this in mind incorporating new technologies is part of an ongoing process of review.
When done properly, de-identification enables high quality, usable data, particularly when the expert method is used. De-identification should not be viewed as an obstacle to data usage, but rather as a powerful enabler that opens the door to a wealth of valuable information.
Guest post by Chris Strammiello, Vice President of Global Alliances & Strategic Marketing, Nuance.
The growing use of smart devices at the point of care exacerbates the dual, yet contradictory, challenges confronting hospital IT directors and compliance officers: Making patients’ health information easier to access and share, while at the same time keeping it more secure.
A major problem is that there are just too many touch points that can create risk when sharing protected health information (PHI) inside and outside of the hospital. In addition to securing communications on cell phones, tablets and laptops, these tools can send output to smart multi-function printers (MFPs) that not only print, but allow walk-up users to copy, scan, fax and email documents. This functionality is why the Office of the National Coordinator for Health Information Technology now defines MFPs as workstations where PHI must be protected. These protections need to include administrative, physical and technical safeguards that authenticate users, control access to workflows, encrypt data handled on the device and maintain an audit trail of all activity.
Accurate, Effective and Secure Use of Patient Information at Point of Care
Hospitals need to adopt an approach that automatically provides security and control at the smart MFP from which patient information is shared and distributed. This approach must also support the use of mobile computing technologies, which are helping to bring access to patient information and electronic health records (EHR) to the point of care. Advanced secure information technology and output management solutions can help hospitals protect patient health information as part of achieving HIPAA-compliant use of PHI with software by adding a layer of automated security and control to both electronic and paper-based processes. These solutions can minimize the manual work and decisions that invite human error, mitigate the risk of non-compliance and help hospitals avoid the fines, reputation damage and other costs of HIPAA violations and privacy breaches.
With this approach, vulnerabilities with capturing and sharing PHI are reduced with a process that ensures:
Authorization — only authorized staff can access specific devices, network applications and resources with password or smartcard based authentication. Network authentication is seamlessly integrated with the document workflow and to ensure optimal auditing and security, the documents containing PHI are captured and routed to various destinations such as email, folders, fax and EHR systems.
Authentication — user credentials must be verified at the device, by PIN/PIC code, proximity (ID), or by swiping a smart card access documents containing PHI. Once authenticated, the solution controls what users can and cannot do. It enables or restricts email or faxing and prohibits documents with PHI from being printed, faxed or emailed.
Encryption — communications between smart MFP’s and mobile terminals, the server and destinations, such as the EHR, are encrypted to ensure documents are only visible to those with proper authorization.
File destination control — simultaneously monitors and audits the patient information in documents, ensuring PHI is controlled before it is ever gets to its intended destination.
Content filtering — automatically enforces security policies to proactively prevent PHI from leaving the hospital by filtering outbound communications and intercepting documents – rendering misdirected or intercepted information unreadable to unauthorized users.
Electronic protected health information (ePHI) is patient information that is protected under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA compliance is a complex and confusing topic, and it only gets more daunting when it comes to communication between providers and patients. If you are sending protected health information over email as a healthcare organization or a healthcare organization’s business associate, HIPAA compliance applies to you. With fines for breaches that can land upwards of a million dollars, it’s a subject that is not to be taken lightly by any organization. Let’s take a moment to settle the score on the myths and facts revolving around ePHI and HIPAA-compliant emails.
Myth: All email is HIPAA-compliant
This is a dangerously false assumption. It may come as a surprise that most free email services are not HIPAA-compliant. This includes big players such as Yahoo!, Gmail, and Hotmail. No, ePHI should never be sent through these systems. If you must send ePHI to run your business, seek out an email provider that specializes in HIPAA compliance and is specifically geared towards protecting you and the patient data that flows through your organization.
Myth: My business is too small to worry about HIPAA
Practices and organizations of all sizes get hit with HIPAA violation fines – no one is exempt. HIPAA regulations apply across the board, regardless of the size of your business. Penalties for not being compliant can range from a simple slap on the wrist to a fine of $100 per email that contains ePHI sent through an unencrypted avenue. HIPAA compliance is everyone’s responsibility, and no business is too small to suffer a surprise audit that results in business-crushing fines. Protect yourself up-front by adhering to HIPAA guidelines, and you won’t find your business under the gun for non-compliance.
Myth: Any email with PHI must have encryption
If emails are sent in-office over a secure network, encryption over e-mail is not necessary. But once that email is sent out of the office over a wide area network, or through the internet, encryption is a must.
Myth: The recipient must have encrypted email
The majority of patients use a free, non-encrypted email host. According to the HIPAA Omnibus Rule, patients have the right to request that their ePHI be sent to them via an unsecured email system. Many secure email systems can send secure messages to people without secure email – and that can be okay. But it’s important to document that request from the patient and also to inform them that when using unsecured email and waiving their right to receive their ePHI privately, they inherit the risk of a potential security breach. Documentation protects you from future accusations of negligence.