Guest post by Carl Wright, general manager, TrapX Security.
In August 2015, my colleague Moshe Ben Simon contributed an Electronic Health Reporter story about how hospitals can protect against data breach using deception technologies. Since then, TrapX Labs, the research and development group within TrapX Security, has seen substantial evidence that cyber attackers have continued their attacks on healthcare targets. The number of attacks, quantity of data stolen and the sophisticated human attackers that TrapX Labs continues to track are increasing quarterly. Out of the top seven data breaches of 2015, three of them (Excellus BlueCross BlueShield, Premera Blue Cross and Anthem) lost more than 100 million records combined.
On Jan. 4, 2016, the Identity Theft Resource Center (ITRC) reported that 66.7 percent of all records breached came from the healthcare industry. Healthcare continues to be targeted because of the high value of the data and the vulnerabilities to which healthcare institutions are susceptible, such as the medical device hijack (MEDJACK), in which attackers compromise network-connected medical devices and use them as a foothold inside the hospital network.
The convergence of this healthcare cyberwar with incomplete HIPAA compliance creates a double jeopardy situation for healthcare professionals. Not only must healthcare institutions deal with the damage inflicted by a cyber attacker and then manage the data breach penalties, but they also face investigation and additional penalties from HHS. Hospitals, accountable care organization (ACO) networks, large physician practices, health insurance companies, diagnostic laboratories, radiology/skilled nursing facilities, surgical centers and others are high value targets for attackers and all face these risks.
Training is Essential
New strategies to prevent healthcare data breaches have evolved in many areas. Regular training for both clinicians and non-clinicians can have a positive impact on reducing successful attacks.
Clinicians and non-clinicians alike need to recognize that their “connected” healthcare environment must be tightly controlled. IBM’s “2014 Cyber Security Intelligence Index” noted that 95 percent of all security incidents seem to involve human error. Even a MEDJACK usually starts with an email- or website-based attack. Assuming a healthcare organization’s network perimeter and internal defenses are properly configured and kept up to date, the next step that substantially reduces its risk is a rigorous employee training program.
The first component of training comes during orientation. New employees typically receive passwords and authentication information from information technology (IT), the help desk and supervisors in their area, and it’s imperative they manage them in a safe manner (no yellow sticky notes, please).
The security of a practice’s EHR data is probably one of the biggest reasons physicians decide to implement an EHR in the first place. Of all the reported benefits of electronic health records over their paper counterparts, this is one of the clearest: in most cases, the information guarded in your electronic system is more secure than paper.
Beyond protecting your clinic’s data and patient information, the EHR offers a clear advantage over paper records: you can monitor, track and audit everyone who has ever accessed particular data or viewed specific records within your system.
This feature is especially valuable when you need to track employees who you suspect are trying to reach information they should not have access to, as was the case recently when a Florida Hospital Celebration Health employee illegally accessed the personal data of multiple patients. According to American Medical News, the hospital was fortunate that its EHR employed a tool known as role-based access control, or RBAC.
With RBAC in place, an organization grants system users access only to the information they need to perform their jobs. Role-based access control can be used in any business setting where leadership determines that certain information must be protected, as is the case in healthcare and hospital settings where HIPAA applies.
What piques my curiosity the most, though, is just how much data snooping occurs in healthcare settings. I’ve often wondered how much of my personal information, such as my Social Security number, birthday and home address, is exposed to people who have no business seeing it, and whether anything is done about it when an inappropriate person does see it.
As we know, patients worry that their personal health information might not be kept private and secure if stored electronically, and we are especially concerned about who will have access to our records. What a thief values most in the health record is the data that can be used for financial fraud, such as Social Security numbers and home addresses.
So, to protect the data included in the record as fully as possible, practices should take whatever precautions are needed to protect the data captured in the electronic health record.
The process of protecting my data really begins during the selection and implementation of your EHR, and, according to the New York Department of Health and Mental Hygiene, you should choose a system that has the following security features:
Role-based access control
As stated above, this allows you to define access privileges of each staff person and ensures that only authorized providers can see patients’ health information. Administrative staff should be restricted to basic information such as address, date of birth and other demographic information.
Practice leadership should be the only people who are responsible for establishing the access privileges of staff members.
Audit trails
Audit trails track activities within the EHR. Documented events in an audit trail include a staff member logging in or out of the system, opening, modifying, creating or deleting a record, scheduling a patient, signing a chart, querying the system or printing personal health information.
Audit trails also document the date and time of an event, where the event occurred and who performed the event. Again, only authorized administrators should have access to read these records. No one, not even the office administrator, should be able to modify or delete audit trails.
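The role-based access control described above and the audit trail it should feed can be shown together. The Python below is an added example written for this page, not code from any EHR vendor or from the New York guidance: it filters a chart down to the fields a role may see and writes every request, granted or denied, to an append-only log whose entries are chained by hash, so that a modified or removed entry is detectable. The role names, field names and the sample chart are constructed for the example.

```python
"""Added example for this page: field-level role-based access control over an
EHR chart, with every request written to an append-only, hash-chained audit
trail. Illustrative code, not any EHR vendor's implementation; roles, field
names and the sample chart below are constructed for the example."""
import hashlib
import json
from datetime import datetime, timezone

# Demographic fields administrative staff may see; everything else is clinical.
DEMOGRAPHIC_FIELDS = {"name", "address", "date_of_birth", "phone"}
CLINICAL_FIELDS = {"diagnoses", "medications", "lab_results", "notes"}

# Role -> fields that role may read (hypothetical roles for the example).
ROLE_PERMISSIONS = {
    "front_desk": DEMOGRAPHIC_FIELDS,
    "nurse": DEMOGRAPHIC_FIELDS | {"medications", "lab_results"},
    "physician": DEMOGRAPHIC_FIELDS | CLINICAL_FIELDS,
}

# Constructed sample chart (fictional patient).
SAMPLE_RECORD = {
    "patient_id": "P-1001",
    "name": "Jane Doe",
    "address": "1 Example St",
    "date_of_birth": "1980-01-01",
    "phone": "555-0100",
    "diagnoses": ["E11.9"],
    "medications": ["metformin"],
    "lab_results": {"A1c": 7.1},
    "notes": "Follow up in 3 months.",
}

GENESIS_HASH = "0" * 64


def _digest(body):
    """SHA-256 of a canonical JSON encoding of an entry (minus its own hash)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only log. Each entry records who did what to which chart, from
    where and when, plus the hash of the previous entry, so editing or
    removing an entry breaks the chain and verify() reports it."""

    def __init__(self):
        self.entries = []

    def append(self, user, role, action, patient_id, fields, workstation, outcome):
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        body = {
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "patient_id": patient_id, "fields": sorted(fields),
            "workstation": workstation, "outcome": outcome,
            "prev_hash": prev_hash,
        }
        body["hash"] = _digest(body)  # hash covers every field above
        self.entries.append(body)
        return body

    def verify(self):
        """True if every entry is intact and linked to its predecessor."""
        prev_hash = GENESIS_HASH
        for entry in self.entries:
            if entry["prev_hash"] != prev_hash:
                return False
            if _digest({k: v for k, v in entry.items() if k != "hash"}) != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True


def read_record(user, role, record, requested_fields, audit, workstation="WS-01"):
    """Return (visible_fields, denied_fields) for the request and log it.
    Unknown roles are granted nothing; denied requests are logged too."""
    allowed = ROLE_PERMISSIONS.get(role, set())
    requested = set(requested_fields)
    granted = requested & allowed
    denied = sorted(requested - allowed)
    outcome = "granted" if not denied else ("partial" if granted else "denied")
    audit.append(user, role, "read", record["patient_id"], requested, workstation, outcome)
    return {f: record[f] for f in granted if f in record}, denied
```

A hash chain makes tampering detectable rather than impossible, and silently dropping the most recent entries still leaves a valid chain. In practice the latest hash is periodically copied to storage the practice administrator cannot write to, which is what “no one should be able to modify or delete audit trails” amounts to in implementation.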
Password protection
EHRs must require a password to access the system and should be able to support additional passwords or identifiers for each user. The practice administrator should be able to define the rules for password complexity and expiration; for example, a practice might require all users to have passwords with five letters and at least one number, and require staff members to change their password every three months. Note that a five-character minimum is far too short by current standards; treat those numbers as an illustration of what must be configurable, not as a recommended policy.
The system must automatically log out a staff member who forgets to log out or leaves the screen inactive for a period of time, and must require the user to re-enter their password to get back in. If someone repeatedly enters the wrong password, the system should lock the account. This limits attempts to guess other users’ passwords.
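The password rules in the two paragraphs above, as an added example (Python written for this page, not any EHR product’s code): a configurable complexity and expiration policy, lockout after repeated failures, and an inactivity timeout that ends the session. The policy values, usernames and passwords are constructed for the example, and the default minimum length is deliberately set higher than the five characters mentioned above.

```python
"""Added example for this page: an authentication policy of the kind the text
describes (complexity and expiration rules, lockout after repeated failures,
inactivity timeout). Illustrative code, not any EHR product's implementation;
policy values, usernames and passwords are constructed for the example."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PBKDF2_ITERATIONS = 600_000  # OWASP's current figure for PBKDF2-HMAC-SHA256


@dataclass
class PasswordPolicy:
    min_length: int = 12                 # five, as in the text, is far too short
    require_letter: bool = True
    require_digit: bool = True
    max_age: timedelta = timedelta(days=90)
    max_failures: int = 5
    idle_timeout: timedelta = timedelta(minutes=10)

    def check_complexity(self, password):
        """Return a list of rule violations; empty means the password is acceptable."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_letter and not any(c.isalpha() for c in password):
            problems.append("no letter")
        if self.require_digit and not any(c.isdigit() for c in password):
            problems.append("no digit")
        return problems


def hash_password(password, salt=None):
    """Salted PBKDF2 hash; never store the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    password_set_at: datetime
    failures: int = 0
    locked: bool = False


@dataclass
class Session:
    username: str
    last_activity: datetime


class Authenticator:
    def __init__(self, policy):
        self.policy = policy
        self.accounts = {}

    def create_account(self, username, password, now):
        problems = self.policy.check_complexity(password)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest, now)

    def login(self, username, password, now):
        """Return (status, session); status is ok, bad_password, locked, expired or unknown."""
        acct = self.accounts.get(username)
        if acct is None:
            return "unknown", None
        if acct.locked:
            return "locked", None  # stays locked until an administrator resets it
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            acct.failures += 1
            if acct.failures >= self.policy.max_failures:
                acct.locked = True
                return "locked", None
            return "bad_password", None
        acct.failures = 0
        if now - acct.password_set_at > self.policy.max_age:
            return "expired", None  # credentials valid, but a new password is required
        return "ok", Session(username, now)

    def touch(self, session, now):
        """Record activity; return False if the session sat idle past the timeout."""
        if now - session.last_activity > self.policy.idle_timeout:
            return False
        session.last_activity = now
        return True
```

The comparison uses a constant-time check and the stored value is a salted, slow hash, so a stolen account table does not yield passwords directly; the lockout counter resets only on a successful login, and an expired password still has to be correct before the user is told to change it.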
Data encryption
EHRs should encrypt patient data at rest and in transit, which protects it if hardware is stolen or messages are intercepted. The encryption keys must be stored separately from the data they protect; a laptop whose key sits beside the encrypted database gains nothing.
Consent
EHRs should have the ability to print, store and display patient consent forms.
All in all, this is pretty standard information, especially if the EHR you operate performs to industry standards. If you feel the need to contract with an outside vendor for such services, they do exist, are relatively inexpensive and are experts in managing audits and ensuring your data is safe.
Follow these steps, though, and create an audit schedule so that your information and mine remain safe.