Some people jokingly say they’re “addicted” to their smartphones or to browsing online. They use their devices to visit social media platforms and websites and send texts throughout the day. But the vulnerability created by these activities for employers is no joke, and the risks extend to every industry, including healthcare, since most data breaches are caused by human error.
In doctor’s offices and other clinical operations, the risk is especially acute for providers who use cloud-based systems that require constant connection to the internet. The always-connected nature of these solutions exposes offices to ransomware and malware designed specifically for Windows, which can exploit the internet connection to steal sensitive patient information.
While many high-profile hacking and ransomware incidents have occurred over the past several years, security experts project that 2017 will be even worse as cybercriminals exploit new vulnerabilities introduced by the Internet of Things (IoT) and hackers increasingly turn to Distributed Delay of Services (DDoS) attacks. These are techniques for data theft that are only used to compromise remote data centers with shared servers, commonly called ‘the cloud’.
Practice leaders can respond with training, instructing staff on how to avoid “phishing” scams, fake web sites, fake links, and other temptations and traps, but stopping hackers will take a concerted and comprehensive effort. Encryption, platform and common sense security measures can all play a key role in protecting patient data.
Encryption’s Role in Data Protection
Encryption — the use of an algorithm to make data indecipherable to criminals without an encryption ‘key’ — is an essential component of data security. To comply with HIPAA standards, practices should use software and/or hardware that utilizes Advanced Encryption Standard (AES), the only standard that can be called encryption according to the National Institute of Standards and Technology (NIST).
HIPAA requires that providers use secure, encrypted email. HIPAA also states that providers have a duty to encrypt electronic patient health information (ePHI) that is ‘at rest’ (i.e., on a server, terminal, backup device, etc.) and ‘in motion’(i.e., traveling through an office network or to and from remote connections, etc.) and that their database be further protected with a unique, encrypted password.
Unfortunately, most practice software does not have built-in AES encryption and some do not even have a unique password. Practices with software that does not have built-in encryption who use Windows will have to purchase outside expertise to implements and monitor security and make to help them be HIPAA compliant with regard to encryption.
Platform and Security’s Role in Keeping Data Safe
Practices that use Windows software without built-in encryption must pay for IT security services to deploy encryption on every device that houses ePHI. Mac users can handle the safety of data at rest by turning on FileVault in preferences. This is a glaring example of the difference platforms make in keeping data safe and the cost to the doctor.
Virtual private networks (VPNs) are an option for practices to compensate for practice management and EHR software that does not encrypt data in motion, but VPNs increase costs and complexity and can degrade network responsiveness. But even with a VPN, practices must make sure their software provides a unique, encrypted database password; otherwise, they’re well advised to get software that does.
Hacking is on the rise, and ransomware is a huge problem for practices that operate on Windows. In March 2016 alone, 56,000 Windows users reported attacks. Practices that use native Mac software have not been affected by ransomware. Macs are also less expensive to operate in the long run: IBM gave employees the option to use PCs or Macs and found that each PC required twice as much support and cost IBM $535 more than a Mac during a four-year period.
Cloud software and hosting server farms aren’t the solution: Malware, including ransomware, can infect every device that connects to an infected computer, including offsite cloud servers and backup devices. The FBI says the only sure way to recover is to restore data from an uninfected backup that is not connected, followed by reformatting devices.
Note about “the cloud”: You have heard from cloud vendors that “everyone is going to the cloud.” What you may not have heard is that 40 percent of organizations that migrated their data and applications to the cloud are now bringing all or some of them back because of security and cost concerns. Also a recent survey of dentists indicated that of the top dental software perhaps no more than 3 percent of dentists are using cloud software, although it has been available to them for eight years.
The handling and sharing of medical records is a critical and sensitive issue, and one that affects millions of providers, patients and payers every day. According to the Center for Disease Control and Prevention, Americans alone make more than a billion visits to doctors’ offices, clinics and hospitals annually, so one can only imagine how often medical records exchange hands between patients, physicians, specialists, healthcare organizations and their staff.
Test results, images, medical and billing history and other related information continue to be mailed, faxed and—more commonly—emailed between interested parties. Email is the most popular of these options because it combines the wide accessibility of snail mail with the immediacy of fax transmission. But email as a means of sharing sensitive healthcare data lacks in three critical areas: security, regulatory compliance and working with large files.
Security, privacy and protection
Gaps in email security should have doctors and patients sweating bullets any time they attach medical information to an email and hover their cursor over the “send” button.
The overarching problem lies in the encryption, or lack thereof. Like CDs and popular online sharing services, medical records transmitted via email are generally unencrypted. This is the case not only in transit, but also when they sit on the servers of the email providers. Thus, sensitive medical information lies vulnerable at all times.
Exchanging records by email means exposing patients’ personal information and their entire medical histories to a nefarious underworld of hackers seeking to exploit such information. It may include the most personal and private information, from social security numbers to diagnoses for chronic illnesses. Should information get in the wrong hands, there’s no predicting the extent and impact of the consequences.
As more healthcare providers modernize their IT with cloud solutions and mobile devices, the opportunity for breaches increases dramatically. Hardly a week goes by without a major hospital or practice announcing a data breach. Breach reporting is costly, time-consuming and harmful to the reputation of otherwise legitimate practices. But is it really unsecured data, hackers or doctors sharing information that is causing breaches?
A quick analysis of the public data released by the Department of Health and Human Resources (HHS) reveals that from the first reported breaches in 2009 through early 2013, there were 572 breaches involving 500 or more patients (the threshold for reporting). Of these breaches, only about 10 percent came from hacking/IT incidents or improper disposal, while over half—51 percent—were a result of theft.
When you combine these details with the location of the breach, the picture becomes even more clear: 44 percent of the breaches are from laptops, 13.5 percent are from a computer, 13.1 percent are from portable devices and 10.5 percent are from network servers. That means a whopping 81 percent of breaches are from computing devices, and 57 percent are from mobile devices alone.
The security priority is apparent. Mobile devices cause the majority of PHI breaches and must be secured. While they aren’t foolproof and breaches can still occur, there are a variety of methods to control access to data on laptops, tablets, and smart phones on today’s market, as well as ways to wipe the device and track it.
Add to the list of known certainties: death, taxes, and the need to lower the cost of healthcare.
Neither HIPAA standards nor encryption were created with the purpose of lowering the cost of healthcare, but neither was penicillin originally purposed as an antibiotic. Both welcome side effects in the world of medicine.
Cloud Computing and Healthcare
Healthcare and medical companies are migrating to cloud computing in record numbers. The cloud offers flexibility and scalability to manage ever-growing databases of patient records. At the same time, it offers mobility to enable care providers to access patient information remotely and shareability to share data with colleagues, specialists, and labs. The cloud, perhaps most importantly, enables cost reduction on several levels.
It eliminates the need healthcare organization have to purchase, maintain, upgrade, and replace costly computing equipment and staff.
It saves costs of multiple providers running multiple tests by enabling them to share and track the results.
It saves time and money by enabling paperless transmission of prescriptions and insurance claims. It also increases the accuracy of reimbursement coding.
Now, HIPAA omnibus and the American Recovery and Reinvestment Act (ARRA) requirements stipulate everyone in the healthcare industry begin migrating patient records and other data to cloud computing. Essentially, by 2015, all medical professionals with access to patient records must utilize electronic medical and health records (EMR and EHR), or face penalties.
Guest post by Darren Leroux, senior director of product marketing, WinMagic.
Gone are the days where all personal health information solely lived in giant filing cabinets behind a receptionist’s desk or in the administrative office of a hospital. Today, patient data resides everywhere – desktops, laptops, smartphones, tablets and USB drives. Understandably so – given the rise of mobile computing and bring-your-own-device (BYOD) policies in healthcare, the once straightforward process of protecting patient’s personal health information has since evolved into a complex and overwhelming undertaking.
Just the Facts
According to a recent study, 81 percent of healthcare organizations are now allowing employees and medical staff to use their personal laptops and mobile devices to connect to provider networks or access company email. Interestingly enough, the same study found that of that 81 percent of healthcare institutions enabling a BYOD strategy, 54 percent did not believe that those devices were secure enough in the workplace; 65 percent of data breaches reported to the Ponemon Institute occurred on laptops and mobile devices over the last five years — it’s no wonder that more than half of those surveyed aren’t confident in the security of their devices
When we refer to personal health information at risk, we’re not just talking about historical health records – the potential for a data breach casts a much wider net, including patient billing information, clinical trial data and even employee information like payroll numbers. With so much sensitive, unprotected data up for grabs, we’re inclined to ask ourselves – how? How is this significant rise in healthcare data breaches even possible, and how do we stop this from continuing?
Below are the top three gaping security holes in remote healthcare data practices that are answering our question of how is this rise in breaches in possible: