Guest post by Santosh Varughese, president of Cognetyx
Cybersecurity is a serious concern for every industry in America, but healthcare has been particularly hard hit. It is the most likely industry in the U.S. to suffer a data breach. According to the Ponemon Institute, nearly nine out of 10 healthcare organizations have been breached at least once, and nearly half have been breaced three times or more. Cyber-criminals are clearly winning this war, despite more funding, more firewalls, and more scrutiny. Here are five reasons why healthcare organizations are losing the cybersecurity war.
C-level healthcare executives still aren’t taking data security seriously.
Although the epidemic of healthcare cyber-attacks has C-suite executives claiming they finally realize the gravity of the situation, their actions tell a different story. A recent survey by HIMSS found that while most facilities have given information security a higher priority, healthcare IT personnel still complain of insufficient funding and staffing for cybersecurity. The same concerns were expressed by IT personnel surveyed in the Ponemon study and an earlier study conducted by IBM.
Frontline employees aren’t taking it seriously, either.
A group of security researchers from the University of Pennsylvania, Dartmouth and USC recently conducted an ethnographic study of cybersecurity practices among nurses, doctors, and other frontline medical personnel. The results showed a flagrant, widespread, shocking disregard for even the most basic data security practices; among other things, workers were observed:
Writing passwords on sticky notes and tacking them on machines in full view of anyone who wandered by.
Allowing other staff members to use their login credentials out of “professional courtesy.”
Purposefully defeating automated system timeouts by placing foam cups over sensors or by having another employee tap a spacebar at intervals.
Criminal hackers are fully aware of these types of practices and do not hesitate to take advantage of them; 95 percent of breaches occur when hackers get their hands on legitimate login credentials, either by obtaining them from a malicious insider or by taking advantage of an employee’s negligence or carelessness.
Too many facilities think that HIPAA compliance is sufficient to secure their data.
Most healthcare organizations focus primarily or exclusively on HIPAA compliance, erroneously thinking that complying with HIPAA is all they need to do to secure their systems. However, HIPAA was never meant to be a blueprint for a comprehensive data security plan. The law primarily addresses documentation and procedures, such as specifying when a patient’s medical records can legally be released, not technical safeguards. Information security experts surveyed by the Brookings Institution stated that HIPAA does very little to address the types of security challenges faced by large healthcare organizations with hundreds of employees and highly complex, interconnected data environments. The proof is in the numbers; if HIPAA compliance were enough to protect patient data, 90 percent of healthcare organizations would not have experienced breaches.
In the age of the digital hospital and the connected patient, security will likely improve the less it depends on providers.
Everything from HIPAA to patient engagement treats physicians as the white hot sun of the healthcare universe, holding everything together and keeping it all in stable orbit. They are accountable for health outcomes, for patient satisfaction, for guiding patients to online portals, and for coordinating with care teams to keep data secure — even as mobility and EHR dominance complicates every node in the connectivity chain. All this digital chaos brings more diminished security.
Only as Strong as the Weakest Link
Every business out there has learned — usually the hard way, or by watching someone else learn the hard way — that whatever the security infrastructure, users are the weakest link. More devices means more users, and more connectivity and data-sharing means more weak spots all along the chain. By design, the EHR system adds vulnerability to healthcare data security through a long chain of users.
Patients don’t have a systemic, accountable role in all of this. Our whole approach fosters passivity on the part of the patient and paternalistic assumptions on the parts of caregivers and policymakers. We give tacit acknowledgement of this imbalance whenever malpractice law or tort reform is mentioned — and promptly left behind in the face of other, patient-exculpatory programs and initiatives.
Patients are a part of this. Clearly they are invested in their own security — the costs of health data breaches contribute to the rising costs of care, besides exposing personal financial and medical information that can carry its own universe of costs.
Patients are implicated, but they must also be accountable for security in the new high tech healthcare system.
An Old Problem with New Importance
Getting patients included in the evolution and delivery of healthcare requires engagement. The same goes for digital security. The ethical and financial dilemmas of the security situation is an expensive distraction for administrators and caregivers, but it is a learning opportunity that could empower patients. A new emphasis on digital security and privacy could be the start of a cascade of engagement with further questions of use and responsibility for outcomes.
Already, patients are key players in making telemedicine effective. Access is on the shoulders of the patients, and utilization depends on their technical literacy. The incentives–time and money savings, improved access to care–are powerful, but come with the obligation to learn the platform through which remote care is delivered. Utilizing any telehealth solutions requires patients to think about what information they want to share, whether they trust the new platform, communicating effectively with their provider, and gaining confidence for the new medium.
This same model can be applied more broadly to EHRs, and the patient role in the digital healthcare system.
Guest post by Ben Oster, product manager, AvePoint.
Balancing the strategic needs of a business with the user-friendliness of its systems is a daily struggle for IT pros in every industry. But for healthcare organizations, safeguarding the data living in these systems can be especially daunting. According to a study by the Ponemon Institute, healthcare is a minefield for various security hazards. Within the last two years, 89 percent of healthcare organizations experienced at least one data breach that resulted in the loss of patient data. As healthcare businesses and the patients they serve adopt a mobile-first approach, providers must strike a balance between innovation and risk to prevent patient data (and internal information) from falling into the wrong hands.
The use of mobile devices and apps certainly enhance patient-provider relationships, but these complex information systems present new concerns surrounding compliance, security, and privacy. As employees and patients increasingly adopt smartphones, tablets, and cloud-based software into their daily lives, healthcare leaders must prioritize users’ needs while mitigating security risks. Mastering this dynamic requires healthcare companies to balance mobility trends like BYOD and cloud computing with regulatory requirements like HIPAA.
To lower the risk of data breaches, healthcare organizations need to defend their systems by identifying, reporting on, and safeguarding sensitive data. Here are a few steps the healthcare industry can take to join the mobile revolution without compromising security:
Start with discovery – Traditionally, healthcare organizations have taken a “security through obscurity” approach to protecting data. In other words, relying on the ambiguity of the data in their systems to ward off malicious attacks and breaches. But as technology emerges that personalizes patients’ end-user experience – such as online patient portals and electronic medical records – the less obscure healthcare organizations’ data becomes. With patients and medical staff accessing this data through a range of devices and workflows, knowing precisely what content exists in a healthcare organization’s infrastructure is essential to security. That’s why discovery is the first step to safeguarding content. Healthcare IT teams should also roll out internal classification schemas to determine which user groups need access to this data. By categorizing content based on these factors, healthcare companies can lay the framework for a truly secure system.
Guest post by Gillian Christie, health innovation analyst, Vitality.
An era of self-quantification of health behaviors using technology is emerging outside of the doctor’s office. Consumer-facing health technologies empower individuals to monitor their health in real-time, employers to understand the health of their workforce, and researchers to uncover health trends across geographies. Eventually, the data from these technologies will re-enter the hospital setting by linking to our electronic medical records.
Deluges of data are rapidly being generated by these technologies. An estimated 90 percent of the world’s data has been created in the past two years. IBM’s CEO, Ginni Rometty, indicates that data is the “next natural resource.” But how are these data protected and secured?
In the United States, laws have historically protected consumers from the misuse or abuse of their medical information. The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) have protected medical data from inappropriate uses. Data generated by consumer-facing health technologies, however, are not covered by these Acts. Companies can use the data for their own purposes. This means that companies must be ever more vigilant in ensuring the trust of their consumers through their data practices.
How can we collaborate across sectors to maintain and enhance trust? As a start, Vitality, Microsoft and the Qualcomm Institute at the University of California, San Diego, published an open-access, peer-reviewed commentary that outlined ethical, legal and social concerns associated with emerging health technologies. The call to action was for guidelines to be developed through a consultative process on the responsible innovation of these technologies and the appropriate stewardship of data from the devices. Between July and October 2015, we hosted a global public consultation to identify best practices. On Mar. 2, 2016, at HIMSS, we released the finalized guidelines for personalized health technology. They include five recommendations:
In August 2015, my colleague Moshe Ben Simon contributed an Electronic Health Reporter story about how hospitals can protect against data breach using deception technologies. Since then, TrapX Labs, the research and development group within TrapX Security, has seen substantial evidence that cyber attackers have continued their attacks on healthcare targets. The number of attacks, quantity of data stolen and the sophisticated human attackers that TrapX Labs continues to track are increasing quarterly. Out of the top seven data breaches of 2015, three of them (Excellus BlueCross BlueShield, Premera Blue Cross and Anthem) lost more than 100 million records combined.
On Jan. 4, 2016, the Identify Theft Resource Center (ITRC) reported that 66.7 percent of all records breached came from the healthcare industry. Healthcare continues to be targeted because of the high value of the data and the vulnerabilities healthcare institutions are susceptible to, such as the medical device hijack (MEDJACK). More information on MEDJACK can be found here.
The convergence of this healthcare cyberwar with incomplete HIPAA compliance creates a double jeopardy situation for healthcare professionals. Not only must healthcare institutions deal with the damage inflicted by a cyber attacker and then manage the data breach penalties, but they also face investigation and additional penalties from HHS. Hospitals, accountable care organization (ACO) networks, large physician practices, health insurance companies, diagnostic laboratories, radiology/skilled nursing facilities, surgical centers and others are high value targets for attackers and all face these risks.
Training is Essential
New strategies to prevent healthcare data breaches have evolved in many areas. Regular training for both clinicians and non-clinicians can have a positive impact on reducing successful attacks.
Clinicians and non-clinicians need to recognize that their “connected” healthcare environment needs to be tightly controlled. IBM’s “2014 Cyber Security Intelligence Index” noted that 95 percent of all security incidents seem to involve human error. Even a MEDJACK usually starts with an email or website based attack. Assuming a healthcare organization’s network perimeter and internal defenses are properly configured and updated, the next step a healthcare organization should take to substantially reduce its risk is implement a rigorous employee training program.
The first component of training comes during orientation. New employees typically receive passwords and authentication information from information technology (IT), the help desk and supervisors in their area, and it’s imperative they manage them in a safe manner (no yellow sticky notes, please).
Patient-centricity , patient centered thinking, and the rise of the “p-suite” in pharma companies continued a trend established over a year ago when Sanofi broke new ground by hiring Dr. Anne Beal, former deputy executive director of the Patient Centered Outcomes Research Institute (PCORI), to the newly created role of chief patient officer. Her new responsibilities included elevating the perspective of the patient within Sanofi and finding better ways to incorporate the unique priorities and needs of patients and caregivers.
Yet as life sciences companies continue the pursuit of a 360-degree view of “customers” typically classified as healthcare professionals (HCPs), a view of patients has been even harder to come by. Partly because of HIPAA and privacy requirements, but also because, unlike healthcare providers and payers who have regular contact with patients, life sciences companies engage primarily at the level of clinical trials and consumer marketing.
Better understanding of the patient is top priority in life sciences for 2016, and executives will continue to push cultural change facilitation, enhanced cross-functional collaboration, and increased employee engagement. But what would a life sciences company consider to be a key patient engagement metric and a measure of ROI?
With data about patients spread across a significant number of sources, including internal, external and social, merely identifying and collating that data can be a challenge – let alone deriving insights that can support patient-centric strategies and programs. Technology exists today to turn patient data into actionable insights for better R&D and commercial efficiency, as well as to deliver better services to the patient. In order to rapidly analyze data and target audience needs with products and services, life sciences will need to close the loop by tracking and monitoring the effectiveness of their offerings. In other words, they have to be both patient-centric and data-driven.
Healthcare Providers and Payers Will Take Data-driven to the Next Level
Healthcare providers and payers have approved access to member and patient data, as compared to life sciences companies, so are able to develop a new breed of data-driven solutions built to serve individuals, employers, providers, brokers and more. These tools, products and services bring value to every stakeholder, and ultimately benefit the patients themselves in the form of better care, lower premiums and improved efficacy.
However, being able to do so requires a significant step up in data management capabilities. Today’s modern data management platforms are not just cloud-based, but include a reliable data foundation that in generations past, used to cost IT teams millions of dollars in hardware, software and implementation resources alone to produce.
Guest post by James Carder, CISO of LogRhythm, VP of LogRhythm Labs.
This year’s biggest health data breach victims include insurers Premera and Anthem, where incidents affected nearly 100 million patients combined. It’s clear that healthcare organizations must strengthen their cyber security programs to protect themselves and their patients, or they’ll be targeted again and again. Strategically, healthcare organizations must change the way they have operated for the past 30+ years with regard to their behaviors and their use of IT. Cyber security is now a key business differentiator as both patient care and safety are paramount to a hospital’s ability to remain a trusted provider. The hospital of the future is one that incorporates these protection measures into its business brand, thereby recruiting, retaining and reinvesting in patients.
As we start out 2016, here’s what I think we’ll see going forward:
Healthcare IT security will continue to fall further and further behind the rest of the industry verticals
Healthcare IT security will continue to fall further behind the rest of the industry verticals. Healthcare organizations are focusing on functionality for patient care (rightfully so), and security is an afterthought. Many organizations are overly dependent on antiquated hardware and software, with inherent vulnerabilities, that could inadvertently put patients in danger. There has never been a real investment in information security, so the cost to catch up to industry standards and shed the label of being the hackers’ “low hanging fruit” is that much more expensive. The industry will continue to be targeted by sophisticated and organized attackers until a serious investment is made in both technological and human capital.
The medical record is a relative goldmine of information and, as such, a highly valuable target for all classes of attackers, ranging from financial crime groups to nation state threat actors. The number of items a hacker has access to and the way in which the information can be used is more extensive. Stolen data can be re-used by a hacker over and over again. So, in addition to this general prediction, I also think that at least one of the U.S. News and World Report top 10 hospitals will go public with a breach through outside channels.
Healthcare IT (security) spend will be the highest it has ever been, doubling the spend of 2015
Despite my first prediction, healthcare organizations will invest a lot of money in IT security technology and human resources, doubling the spend of 2015. Although the executives may fund the security department, a security culture might not trickle down to the rest of the organization. The person in charge of security might be accountable for security, but the buy-in must come from the board of directors down through every level of the organization. Staff and the clinicians must understand what they are doing is making the organization a safer place for them and their patients–their effective security behaviors allow clinicians to do their job in treating patients better.
At least one major medical device manufacturer will have to go public with a vulnerability that could fatally affect patients
Medical device vendors and manufacturers have never taken security seriously. They are primarily looking for functionality for patient care and ease of administration and maintenance. A medical device is a computer system with one end attached to the patient, providing critical patient care, and the other end attached to the corporate network or Internet. Just like most devices on the network, a medical device runs a known operating system; vulnerable to the myriad exploits that effect any computer. Based on the risk profile of a medical device, it should be subject to the highest security standards in the industry but unfortunately they are not. If someone can hack into a Windows XP box that is unpatched with exploitable vulnerabilities, someone can hack into an XP-based medical device. I predict that another medical device manufacturer will disclose an easily exploitable vulnerability that could patients at direct risk. I also predict that an attacker will exploit a medical device and use it as a bridge into a company’s corporate network to facilitate a breach.
Guest post by Mohan Balachandran, co-founder and president, Catalyze.
As we look back upon 2015, we can reflect, review and based on that and other factors, make some predictions about what next year will bring us. John Halamka had an interesting post that reflect on the bigger challenges, such as ICD-10, the Accountable Care Act and its implications on data analytics, the HIPAA omnibus rule and its impact on cybersecurity and audits and the emergence of the Cloud as a viable option in healthcare. We can expect to see some of these trends continue and grow in 2016. So based on these key learnings from 2015, here are a few predictions for 2016.
Cybersecurity will become even more important
In 2015, insurers and medical device manufacturers got a serious wake up call about the importance and cost of cybersecurity lapses. Healthcare data will increasingly be looked at as strategic data because we can always get a new credit card but since diagnoses cannot change, the possibilities of misuse are significant. Just as the financial industry has settled on PCI as the standard, expect the healthcare industry to get together to define and promote a standard and an associated certification. HITRUST appears to be the leader and recent announcements are likely to further cement it as the healthcare security standard. Given all that, one can safely expect spending on cybersecurity to increase.
IoT will get a dose of reality
The so-called Internet of Things has been undergoing a boom of late. However, the value from it, especially as applied to quantifiable improvement in patient outcomes or improved care has been lacking. Detractors point out that the quantified-self movement while valuable, self selects the healthiest population and doesn’t do much to address the needs of older populations suffering from multiple chronic diseases. Expect to see more targeted IoT solutions such as that offered by those like Propeller Health that focus on specific conditions, have clear value propositions, savings, and offer more than just a device. Expect some moves from Fitbit and others who have raised lots of recent cash in terms of new product announcements and possible acquisitions.
Lightning Bolt invests heavily in research and software development to solve complex problems in the area of medical staff scheduling.
Lightning Bolt is the leading provider of automated physician scheduling for hospitals around the world. The company manages more than 3 million physician hours each month, helping to create shift schedules that promote work-life balance, productivity and patient safety.
Lightning Bolt’s cloud-based scheduling platform helps hospitals create dynamic staff schedules with a few clicks, automatically optimizing hundreds of complex scheduling rules. Physicians are able to request time-off and shift changes through the platform, creating transparency and a fair system that balances staff needs. The system also includes HIPAA-compliant messaging and detailed analytics.
Working as a staff scientist at the Los Alamos National Laboratory to schedule massively parallel supercomputers in 1998, Lightning Bolt founder Suvas Vajracharya, Ph.D. was approached by a high school friend, a doctor, for help with a big frustration. The doctor noticed that the seemingly simple task of creating call schedules for his group was deceptively complex, time consuming, and often proved an inaccurate science where equitable distribution of staffing resources, or the honoring of individual physician requests, would often conflict or simply could not be met.
Suvas saw that his own technology experience with scheduling supercomputers could provide the foundation for creating an elegant, easy to use solution to solve the inherent complexities in medical staff scheduling. Both supercomputing and medical staff scheduling share fundamental requirements, including the need to distribute tasks equally and efficiently in the presence of complex and often changing rules with varying priorities. Within a few months, Suvas developed a prototype scheduling system to tackle his friend’s challenging problem and Lightning Bolt was born.
The company’s growth has largely been through word-of-mouth between physician executives and hospital operations leaders who have discovered the software and become loyal customers. Lightning Bolt also attends several industry events each year, including HIMSS, MGMA and RSNA.
The vast majority of physician scheduling is still done manually today at America’s 5,700 hospitals. There are emerging players in the space of automated scheduling but nowhere near as established as Lightning Bolt. The company is part of a growing sector of hospital operations technology, including companies such as Silversheet, Modio Health, HealthLoop and AnalyticsMD.
How does your company differentiate itself from the competition
Lightning Bolt is the only platform that considers significant and complex relationships to auto-generate the best possible schedules for large medical organizations. Also, they are the only scheduling system that provides transparency across a healthcare workforce. Since manual scheduling using spreadsheets or paper is the largest competitor, Lightning Bolt’s biggest differentiators tend to be time and efficiency. In one case study, iNDIGO Health Partners generated a $38M ROI over 5 years by switching from manual to automated scheduling with Lightning Bolt.
More and more healthcare practitioners are turning to social media to disseminate health related information and communicate with customers and others in their field. However, healthcare practitioners should pay close attention to the information that they share out there to ensure that they comply with HIPAA Security Rule. Here are a few guidelines to assist you in implementing a social media strategy that complies with HIPAA standards.
What is HIPAA? First, let’s begin with a basic understanding of the law. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law mandating the non-disclosure of private and personal patient information by healthcare professionals and their business associates. The exception to this rule is that the patient’s information can be shared internally within the confines of the hospital between doctors and healthcare professionals, or between the hospital and the insurance company for payment purposes. Unless the patient voids the non-disclosure, their information has no place outside of the databases of both the hospital and the insurance company.
Guidelines for remaining HIPAA compliant An accidental error in the information that has been shared on social media can mean that HIPAA compliance has been inadvertently violated. While the mistake may not be on your part, it could mean a host of problems for you, your business, and your reputation. Staying cautious about the information that is disseminated through your organization’s Facebook, Twitter, or other social media pages is significantly important to your career. Seek patient consent before you post anything – Before you write about a case, seek your patient’s consent. Confidentiality is a fundamental aspect of the relationship you share with those who have sought your professional assistance. Acquiring prior consent should never be overruled, regardless of whether your client’s identity has been omitted from the information you shared online.
Inform before you engage – Some patients are less private about their medical conditions, and would like to communicate with you through social media. You should attempt to take the conversation into the privacy of your workplace. If your patient persists on an online dialogue, inform them of the risks associated with revealing personal information online, then acquire the patient’s consent before communicating through social media.