By Chad Cragle, information security officer, FormAssembly.
Data collection is one of the most important processes in healthcare today. But outdated methods of data collection have made it increasingly difficult to both efficiently collect data and keep it secure. How companies collect patients’ health information is extremely important, as personal data can easily be exposed in the event of a breach.
As we saw earlier this year, the Quest Diagnostics breach caused about 11.9 million patients to have their data exposed. These kinds of breaches are especially delicate compared to other types of breaches, since you can usually replace credit cards or social security numbers, but you can’t retract what is released to the public. This kind of leaked information can have a negative effect on patients’ lives, perhaps in areas like job applications or relationships.
To prevent these data breaches from occurring, it is essential to have the proper precautions in place. Manual data entry presents its own challenges – it is tedious and allows room for error. Manual data entry will not cut it, as we have seen from recent data breaches.
We need a new method of collecting and storing data in a way that is simple, secure and compliant with regulations such as GDPR and HIPAA. This is where web forms enter the picture.
Web Forms are the Key to Securing Healthcare Data
Web forms are transforming the way that data is collected and stored. This data is collected through a method where it is encrypted in transit and at rest, enabling safeguards to ensure that this data cannot be seen by those who do not have access. At our company, for example, we use TLS 1.2 to make sure that the entire data collection process, from the web browser to the endpoint, is encrypted.
These forms benefit users, providing a simple, hands-off process to collect data: all they need to do is click the box, type in the information needed, and they are then able to mask the data and send it off. Though this process might seem daunting, I’ve found that companies and healthcare professionals can use a paid service to collect data. And by doing so, they are freeing up time and resources.
Doctors and other healthcare providers should focus on diagnosing and treating patients, not collecting their information. Utilizing web forms frees up medical professionals to do what they were trained to do, leaving the responsibility to the form builder to take care of all the security measurements and checks to make sure that this data is safe.
Companies and Healthcare Organizations Need to Take Data More Seriously
Regulations such as GDPR in the EU and HIPAA for healthcare professionals are drastically changing how companies and healthcare organizations are handling their customer or patient data. GDPR was a great example of transparency, forcing companies to tell consumers that their data is being collected and how it is being used, mainly in the form of “cookies” on websites. And in the future, I believe we’re going to see a more robust security framework arise, such as in states like California, where harsher regulations such as the CCPA are rolling out, and other states are beginning to follow suit.
Healthcare professionals are also looking into data mining to diagnose patients without even seeing them in person. Even now, companies like Cambridge Analytica collect hundreds of data points on a certain person, and they receive this information from the various websites they visit.
I can see a point where data mining in the healthcare industry will be huge, as healthcare professionals could potentially diagnose a condition that a patient has just from looking at their data- either from the websites they visit, comments they posted on social media, or even over the phone.
By Manish Mathuria, chief technology officer and co-founder, Infostretch.
The truism that “prevention is better than cure” is especially true in software, where a defect can have serious, sometimes life-threatening, consequences. Digital health presents a unique set of challenges and opportunities for those operating in this competitive and demanding market. The pressure to innovate and advance is immense, but so are concerns about safety, functionality, cost and privacy, to name a few.
When clinical insights combine with IT brilliance, the results can lead to fascinating health innovations. Radical new approaches, such as wearables and mobile devices which monitor, analyze and diagnose conditions, bring special meaning to the importance of error prevention versus recovery.
Lightning-fast technological innovation, fierce competition and stringent regulation combine to bring special challenges to a tester. The implications of software failure are severe. Another adage, “evolve or die,” springs to mind. The traditional testing function is what needs to evolve in this sector perhaps more than any other.
The quality assurance approach to testing must now make way for quality engineering, a new way of tackling quality control which focuses on improving the inherent design of the product throughout the software development life cycle. Why? Because traditional testing, performed at the end of the SDLC is out of its depth in the new era of digital transformation.
Some people jokingly say they’re “addicted” to their smartphones or to browsing online. They use their devices to visit social media platforms and websites and send texts throughout the day. But the vulnerability created by these activities for employers is no joke, and the risks extend to every industry, including healthcare, since most data breaches are caused by human error.
In doctor’s offices and other clinical operations, the risk is especially acute for providers who use cloud-based systems that require constant connection to the internet. The always-connected nature of these solutions exposes offices to ransomware and malware designed specifically for Windows, which can exploit the internet connection to steal sensitive patient information.
While many high-profile hacking and ransomware incidents have occurred over the past several years, security experts project that 2017 will be even worse as cybercriminals exploit new vulnerabilities introduced by the Internet of Things (IoT) and hackers increasingly turn to Distributed Delay of Services (DDoS) attacks. These are techniques for data theft that are only used to compromise remote data centers with shared servers, commonly called ‘the cloud’.
Practice leaders can respond with training, instructing staff on how to avoid “phishing” scams, fake web sites, fake links, and other temptations and traps, but stopping hackers will take a concerted and comprehensive effort. Encryption, platform and common sense security measures can all play a key role in protecting patient data.
Encryption’s Role in Data Protection
Encryption — the use of an algorithm to make data indecipherable to criminals without an encryption ‘key’ — is an essential component of data security. To comply with HIPAA standards, practices should use software and/or hardware that utilizes Advanced Encryption Standard (AES), the only standard that can be called encryption according to the National Institute of Standards and Technology (NIST).
HIPAA requires that providers use secure, encrypted email. HIPAA also states that providers have a duty to encrypt electronic patient health information (ePHI) that is ‘at rest’ (i.e., on a server, terminal, backup device, etc.) and ‘in motion’(i.e., traveling through an office network or to and from remote connections, etc.) and that their database be further protected with a unique, encrypted password.
Unfortunately, most practice software does not have built-in AES encryption and some do not even have a unique password. Practices with software that does not have built-in encryption who use Windows will have to purchase outside expertise to implements and monitor security and make to help them be HIPAA compliant with regard to encryption.
Platform and Security’s Role in Keeping Data Safe
Practices that use Windows software without built-in encryption must pay for IT security services to deploy encryption on every device that houses ePHI. Mac users can handle the safety of data at rest by turning on FileVault in preferences. This is a glaring example of the difference platforms make in keeping data safe and the cost to the doctor.
Virtual private networks (VPNs) are an option for practices to compensate for practice management and EHR software that does not encrypt data in motion, but VPNs increase costs and complexity and can degrade network responsiveness. But even with a VPN, practices must make sure their software provides a unique, encrypted database password; otherwise, they’re well advised to get software that does.
Hacking is on the rise, and ransomware is a huge problem for practices that operate on Windows. In March 2016 alone, 56,000 Windows users reported attacks. Practices that use native Mac software have not been affected by ransomware. Macs are also less expensive to operate in the long run: IBM gave employees the option to use PCs or Macs and found that each PC required twice as much support and cost IBM $535 more than a Mac during a four-year period.
Cloud software and hosting server farms aren’t the solution: Malware, including ransomware, can infect every device that connects to an infected computer, including offsite cloud servers and backup devices. The FBI says the only sure way to recover is to restore data from an uninfected backup that is not connected, followed by reformatting devices.
Note about “the cloud”: You have heard from cloud vendors that “everyone is going to the cloud.” What you may not have heard is that 40 percent of organizations that migrated their data and applications to the cloud are now bringing all or some of them back because of security and cost concerns. Also a recent survey of dentists indicated that of the top dental software perhaps no more than 3 percent of dentists are using cloud software, although it has been available to them for eight years.
Guest post by Santosh Varughese, president, Cognetyx.
The U.S. healthcare industry is under siege from cyber criminals who are determined to access patient and employee data. Information security think tank Ponemon Institute’s most recent report on healthcare cyber security, published in May 2016, revealed some sobering statistics:
In the past two years, 89 percent of healthcare organizations – and 60 percent of their business associates (or BAs) – experienced at least one data breach, with 79 percent experiencing two or more breaches. The most commonly compromised data are medical records, followed by billing and insurance records. These breaches have not declined since Ponemon began tracking them in 2010.
The average cost of a healthcare data breach is about $2.2 million.
Criminal attacks, from outside the organization or from malicious insiders, account for half of all healthcare data breaches, the other half being due to mistakes by employees or BAs.
The majority of respondents (69 percent of healthcare organizations and 63 percent of BAs) feel that the healthcare industry is at greater risk of breaches than other industries. Despite these concerns, the majority of respondents reported that their organizations had either decreased their cyber security budgets or kept them the same.
Another study conducted in April by IBM, found similar problems, as well as insufficient employee training on cybersecurity best practices and a lack of commitment to information security from executive management.
With only about 10 percent of healthcare organizations not having experienced a data breach, hackers are clearly winning the healthcare data security war. However, there are proactive steps that the healthcare industry can take to turn the tide in its favor.
Data Security Starts with a Culture of Security Awareness
Both the IBM and Ponemon studies highlight an issue that experts have been talking about for some time: despite increasing dangers to information security, many healthcare organizations simply do not take cybersecurity seriously. Digital technologies are relatively new to the healthcare industry, which was very slow to adopt electronic records and when it finally did so, it implemented them rapidly without providing employees adequate training on information security procedures.
Unfortunately many front-line employees feel their only job is to treat patients and that information security is “the IT department’s problem.” These employees fail to grasp the importance of data security, and are not educated on the dangers of patient data breaches, reflected in Ponemon’s findings that employee mistakes account for half of all healthcare data breaches.
The healthcare industry needs to adjust this attitude toward cybersecurity and implement a comprehensive and ongoing information security training program, and cultivate a culture of security awareness. Information security should be included in every organization’s core values, right beside patient care. Employees should be taught that data security is part of everyone’s job, and all supervisors – from the C-suite down to the front line – should model data security best practices.
Additionally, organizations should implement physical security procedures to secure network hardware and storage media (such as flash drives and portable hard drives) through measures like maintaining a visitor log and installing security cameras, limiting physical access to server rooms, and restricting the ability to remove devices from secure area. Continue Reading
Gartner has estimated that some 6.4 billion connected things will be in use by the end of 2016, with some 5.5 million new things getting connected every day. There’s been a clear boom in health and fitness wearables, with healthcare consumers investing in tracking devices – sometimes with their employer’s encouragement – and the MedTech industry has jumped on this in a big way.
Fascinating IoT applications are being developed today, often through unlikely partnerships. For example, medical devices company Medtronic is developing an application that transmits wearables data to the IBM Watson cognitive computing and predictive analytics platform. And Swiss pharma company Novartis is joining hands with Qualcomm to develop an internet-connected inhaler that can send information to a cloud-based big data analytics platform for healthcare providers to use in treating patients. These are exciting examples of how technology and analytics can support personalized medicine.
However, there are a couple of big issues that the IoT movement has to contend with when it comes to the Medical Internet of Things (IoT). These issues concern us as consumers, and they also concern our employers and our healthcare providers equally.
Data security: The medtech industry is widely seen as unprepared for the security risk and vulnerability to hacking that their devices can cause for the rest of the healthcare system. This has immediate repercussions for consumers who may be unaware of the exposure of their personal medical information to cybercriminals. In addition, as healthcare providers start using medical information from these interconnected devices in a cloud-based environment, their enterprise IT, specifically electronic health record (EHR) systems, could be seriously compromised and vulnerable to hackers. And this brings us to the other, emerging issue that is beginning to get some attention in the exchange of IoT data.
Privacy and legal concerns: While there are undisputable benefits for healthcare consumers as physicians gain access to medical information from a range of connected devices, there is a real threat to privacy as well. We start with the question of who owns the data. State law in the U.S varies when it comes to this question, and device makers and other software providers may lay claim to the data which can be used against consumers. At the same time, collecting personal data through devices imposes a set of legal requirements on enterprises, starting with proper disclosures about the collection and use of the information.
Today’s medical devices feature the most cutting-edge technology and sensors to improve patient health, from Fitbits that track heart rate during exercise to devices that can test and display blood glucose levels on a smartphone. Healthcare professionals have also welcomed the use of smart devices and tablets to enhance hospital or clinic visits, lower costs and reduce medical errors.
The demand for health informaticists grows substantially with every government push to adopt technology and ease the switch from paperwork to electronic health records (EHR) systems. To ensure the next generation of health informaticists are learning the skills needed to adapt as technology advances, many universities are offering a health informatics degree program that emphasizes hands-on learning in health IT, data analysis and the healthcare system.
Here’s a look at what a formal education in health informatics looks like today, and what in-demand skills employers can expect from health informaticists down the road:
Health Care System Analysis and Assessment Outcomes
Improvements to the healthcare system begins with a thorough understanding of what the current system lacks. Today’s health informatics courses allow students to examine healthcare needs and analyze the supply and distribution of health professionals and facilities. These courses also explore current industry pain points, particularly care costs, how to assess care quality, and the financial models of care used in both private health insurance systems and government programs.
Health informatics students are also familiarized with methods for determining quality of care and the economic impacts of health care models. Courses examine the outcomes and value added from the view of patients and providers, with a focus on determining standards for setting organizational policy.
Health Care History and Implementation of EHR Systems
To understand the role that health informatics plays in improving the healthcare system, students also cover the history of the U.S. healthcare system. By exploring current trends in electronic health records – including social, ethical, economic and cultural impacts of choices – students will be prepared to identify what improvements can be made to EHR systems later in their careers as health informaticists.
Guest post by Pawan Sharma, director of operations for healthcare at Chetu.
Healthcare is quickly adapting to the digital environment by leveraging web-based technologies, electronic health records (EHR) and mobile devices to facilitate the movement of information. With innovative software technology comes great responsibility. One of the unfortunate downsides to increasing the use of technology for data sharing in the healthcare world is the risk of data falling into the wrong hands. Full measures need to be put in place to protect patient’s Protected Health Information (PHI). The Health Insurance Portability and Accountability Act (HIPAA) mandates that all PHIs be secured. Any breach, if not handled appropriately under established procedures, can lead to grave consequences including heavy penalties, jail time, or both. Needless to say that proper mechanisms need to be implemented to secure data while it is stored, transmitted and consumed.
Understanding Regulatory Standards
Knowledge is power. It is paramount that software providers look for back-end development partners that have Healthcare IT experience. This includes extensive knowledge and proficiencies with federal regulations like American Recovery and Reinvestment Act (ARRA), meaningful use stage 1 and 2, Accountable Care Act, etc. Also, regulatory health information exchange (HIE) standards such as Health Level 7 (HL7), Health Information Exchange Open Source (HIEOS), Fast Healthcare Interoperability Resources (FHIR), Consolidated-Clinical Document Architecture (C-CDA), Continuity of Care (CCD/CCR) as well as clinical and financial work flows.
Encryption
With information traveling over a network it may be subject to interference. Hence, it is important that data be encrypted in transit. Vendors must include encryption technology to prevent disclosure of patient health information while data is communicated between the application and the server. Web traffic must be transmitted through a secure connection using only strong security protocols such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS). SSL/TLS certificates are light weight data files that are purchased and installed directly onto the server. Once implemented, a user will be able to connect to the web-based application server via a secure tether with an internet browser.
Code Hardening
Organizations have been keen on securing networks and internal infrastructure from external threats. With this in mind, malicious entities are looking to breach data at the application level. Healthcare software proprietors must protect their application from security threats by employing hardening tactics, which shields bugs and vulnerabilities in the coding. This technique primarily includes code obfuscation. Code obfuscation is the act of intentionally creating obscure source code to make it difficult for entities to decipher. Properly employing this tactic hinders a threats ability to reverse engineer and tamper with an application to facilitate a breach.
There is no doubt about it, healthcare as an industry is absolutely reliant on its systems environment and electronic information to the point that efficiency, safety and productivity are affected any time it suffers any disruption. Yet it seems we are destined to incur disruptions more often than not because of our own actions or in-actions.
This article takes a somewhat tongue in cheek look at some of the naïve or bad behaviors, misconceptions, short-sighted decisions and mistakes we make that contribute to making our own data security situation more difficult.
Misplaced Trust
The list of examples here is virtually endless, from having too much confidence in vendors to underestimating employees to naïve beliefs about the internet, social media and applications. Hundreds of hospitals blindly relied on a vendor to process their billings without once questioning the company’s security practices. They were surprised when their revenue cycle was interrupted when that company suffered a Ransomeware attack. Other healthcare entities have found themselves embroiled in breach investigations when subcontractors they never knew existed lost their data, some overseas.
Expressing surprise may be a realistic response, but it’s hardly an acceptable excuse for lack of due diligence. Few organizations watch the folks who represent the highest risk to their systems and information – those with elevated privileges. Examples abound of administrators who became saboteurs. What is amazing is the almost immediate reaction when these kinds of things happen. How could we not be auditing these folks? It should be pretty simple to answer this question when they are usually the ones responsible for auditing. And then there is the internet and social media. The first myth organizations fall victim to is, “we’re too small to attract anyone’s attention” or “no one is looking at us.”
Most attacks from the internet are indiscriminate automated probing of systems looking for anyone vulnerable. You’re right they are not looking for you specifically, but if you are connected they may find you. Last but not least, the naïve belief that there is actual privacy on social media and applications when they tell you there is. Weekly we hear about another app compromised or information leaked from a site thought to be secure. There is no such thing as foolproof security and apps, even ones named “secret” should be approached with caution.
Underestimating Risk
Organizations make bad decisions all the time based on misplaced or erroneous perceptions of risk, or just plain disregard for the risk. Bad decisions though, regardless of the reason, are still bad decisions. How about underestimating the risk from USB ports?
Organizations routinely underplay the fact that these ports unprotected can be the source of information loss or importation of malware. We encrypt mail, laptops, maybe even provide encrypted USB drives, but fail to manage the ports themselves. In complex environments it’s also easy to be overwhelmed with what seem like routine chores, like documenting all changes. Someone says it’s a routine change, it only affects one system, or the vendor is just applying a regular update… implying that it doesn’t have to go through change control and thus, does not get documented. There is also underestimating the risk when we acquire another entity. This risk comes in two forms. The first is the acquisition without the assessment, or rushing the acquisition so assessment is not possible, and assuming the risk blindly. Continue Reading