Data breaches and HIPAA violations became common, almost daily, news in 2015, exposing sensitive client information with devastating results. Understanding HIPAA compliance will be critical in 2016, especially since the Office for Civil Rights (OCR) will begin a new round of HIPAA audits.
In spite of record spending on firewalls, anti-virus software, malware detectors and the widget of the day, healthcare organizations keep getting hacked because the focus is in the wrong place. Here are three trends taking shape in 2016 that can help any organization fight the good fight against cyberattacks.
Buying Technology Alone is a Security Strategy That Does Not Work
Healthcare is under constant pressure to safeguard assets; however, too many firms focus on security for HIPAA compliance and then call it a day. Compliance is a legal necessity, but organizations expose themselves to cyberattack when they use technology as a crutch. Many organizations will need to look at their operations as a critical network and seek ways to defend it.
A majority of breaches are from data that has been stolen, via record removal, virtually and physically. We see the trend in 2016 shifting from technology to people if healthcare organizations are going to defeat hackers.
Focus on the Human Element
Examine the largest data breaches of 2015. Technology did not protect the vast majority of these companies. In each case, data was breached due to hackers successfully exploiting humans.
The proliferation of mobile devices in healthcare, like smartphones and tablets, has also made the human element even more vulnerable because this area of security is often overlooked and is, in fact, the weakest link.
Technology is only as good as the people who use it and is merely a tool in the fight against cybercrime. Technology alone cannot fully protect an organization’s data, networks, or interests. This is a trend in 2016 and beyond that must be recognized if organizations hope to safeguard patient records.
Health IT’s most pressing issues may be so prevalent that they can’t be contained to a single post, as is obvious here, the third installment in the series detailing some of the biggest IT issues. There are differing opinions as to what the most important issues are, but there are many clear and overwhelming problems for the sector. Data, security, interoperability and compliance are some of the more obvious, according to the following experts, but those are not all, as you likely know and we’ll continue to see.
Here, we continue to offer the perspective of some of healthcare’s insiders who offer their opinions on health IT’s greatest problems and where we should be spending a good deal, if not most, of our focus. If you’d like to read the first installment in the series, go here: Health IT’s Most Pressing Issues and Health IT’s Most Pressing Issues (Part 2). Also, feel free to let us know if you agree with the following, or add what you think are some of the sector’s biggest boondoggles.
The healthcare industry has undoubtedly become a bigger target for security threats and data breaches in recent years, and in my opinion that can be attributed in large part to the industry’s movement to virtualization and the cloud. Adopting these agile, effective and cost-effective modern technological trends also widens the network’s attack surface area and, in turn, raises the potential risk for security threats.
We actually conducted some research recently that addresses evolving security challenges, including those impacting the healthcare industry, with the introduction of cloud infrastructures. The issue is highlighted by the fact that the growing popularity of cloud adoption has been identified as one of the key reasons IT and security professionals (57 percent) find securing their networks more difficult today than two years ago.
Paul Brient, CEO, PatientKeeper, Inc.
No industry on Earth has computerized its operations with a goal to reduce productivity and efficiency. That would be absurd. Yet we see countless articles and complaints by physicians about the fact that computerization of their workflows has made them less productive, less efficient and potentially less effective. An EHR is supposed to “automate and streamline the clinician’s workflow.” But does it really? Unfortunately, no. At least not yet. Impediments to using hospital EHRs demand attention because physicians are by far the most expensive and limited resource in the healthcare system. Hopefully, the next few years will bring about the innovation and new approaches necessary to make EHRs truly work for physicians. Otherwise, the $36 billion and the countless hours hospitals across the country have spent implementing electronic systems will have been squandered.
Email security is one of healthcare’s top IT issues, thanks, in part, to budget constraints. Many healthcare organizations have already allocated the majority of IT dollars to improving systems that manage electronic patient records in order to meet HIPAA compliance. As such, data security may fall to the wayside, leaving sensitive customer information vulnerable to sophisticated cyber-attacks that combine social engineering and spear-phishing to penetrate organizations’ networks and steal critical data. Most of the major data breaches that have occurred over the past year have been initiated by this type of email-based threat. The only defense against this level of attack is a layered approach to security, which has evolved beyond traditional email security solutions that may have been adequate a few years ago, but are no longer a match for highly-targeted spear-phishing attacks.
Dr. Rae Hayward, HCISPP, director of education and training at (ISC)²
According to the 2015 (ISC)² Global Information Security Workforce Study, global healthcare industry professionals identified the following top security threats as the most concerning: malware (77 percent), application vulnerabilities (74 percent), configuration mistakes/oversights (70 percent), mobile devices (69 percent) and faulty network/system configuration (65 percent). Also, customer privacy violations, damage to the organization’s reputation and breach of laws and regulations were ranked equally as top priorities for healthcare IT security professionals.
So what do these professionals believe will help to resolve these issues? Healthcare respondents believe that network monitoring and intelligence (76 percent), along with improved intrusion detection and prevention technologies (73 percent) are security technologies that will provide significant improvements to the security posture of their organizations. Other research shows that having a business continuity management plan involved in remediation efforts will help to reduce the costs associated with a breach. Having a formal incident response plan in place prior to any incident decreases the average cost of the data breach. A strong security posture decreases not only incidents, but also the loss of data when a breach occurs.
Guest post by Amit Cohen, co-founder and CEO, FortyCloud.
Remote access is changing the practice of medicine – from data collected remotely from newly developed telemedicine devices, to surgery conducted by a surgeon in an offsite location. A smartphone application, currently in development, is set to monitor a user’s voice to detect mood changes for individuals with bipolar disorder. Devices and applications such as these not only improve the quality of care available to patients across the globe, their use also results in exponential growth in the sources and volumes of data. These cutting-edge technologies present new challenges for IT professionals who are responsible for ensuring high availability (always-accessible data), scalability and flexibility for their healthcare organizations.
To enable scalable, high performance at lower costs, even from remote locations, healthcare and pharmaceutical IT have adopted the cloud. Since cloud data centers can be diversified across the globe, cloud computing provides quick access to globally diverse users.
The cloud also offers the scalability to handle the massive influx of new data generated by new health care applications expected from the implementation of the U.S. Patient Protection and Affordable Care Act (PPACA). The U.S. Department of Health and Human Services (HHS) Stage 3 Proposed Rule is also likely to result in additional volumes of digital data. This Rule seeks to align the EHR Incentive Programs with other CMS quality reporting programs that use certified EHR technology to promote improved patient outcomes and health.
Therefore, it is not surprising that healthcare cloud computing is forecasted to grow to $9.48 billion by 2020, according to a recent study; an impressive increase from the current, 2015 market value of $3.73 billion.
Guest post by Jay Schulman, managing principal, Cigital.
Throughout the past two years, if you’re like me, you’ve had your credit card number stolen a number of times. I’m up to six. In one case, someone purchased a $500 TV with my stolen card information. Yet, I sit here today having lost nothing. Every bank and institution has made me whole. The money that was taken was quickly replaced. While I can complain about the inconvenience, I haven’t lost anything.
The financial industry has the luxury of replacing what was taken. The healthcare industry does not.
Once your medical record is stolen, there is no way for the institution to take that information back. If an electronic medical record (EMR) or MRI system is breached, the information and images are out in the open. While the credit card companies can trace fraud back to a common source, it’s very hard for healthcare companies to figure out who has been breached. That’s why the security of healthcare information is so important.
While many healthcare organizations are HIPAA compliant, that only reflects on their ability to properly control personal health information. It doesn’t necessarily assert that you are secure.
As a healthcare organization, you need to take a holistic approach to secure your environment. This includes:
Understanding your portfolio – what applications and systems are in your environment? Understanding the applications, their development languages, what data they store and access, and other pertinent data points are key to understanding your portfolio. Understanding what needs to be secured is a critical and often missed first step.
Assessing the risk of the portfolio and making priorities. It’s easy to say “anything with personal health information (PHI) needs to be secured.” But, do you understand where PHI is stored or what areas of the network or systems can access systems with PHI? The retail breaches of the past two years have taught us that attackers aren’t always going directly to the critical systems but instead to weak links in the environment. Those weak links can give an attacker access to your data.
Performing a threat model to properly understand those weaknesses. A threat model looks at an environment, who the actors are that can breach your system, and what actions they could perform (steal data or cause a denial of service for example). Given the results of the threat model, you can develop a new ranking of the portfolio.
Determining the best ways to improve the security of the environment. If the organization writing the software is highly outsourced or primarily buys commercial software, assessing their risk is important. Otherwise, how can you be sure that they know how to write secure software? With medical devices, being able to assess the risk and impact of the device to your environment before you put it on your network is essential. Two years ago, many hospitals would assume the device was secure. Today many are starting to assume they are not.
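The four steps above (inventory the portfolio, find where PHI lives and what can reach it, threat-model the actors, rank and prioritize) can be carried out on a small scale in code. The following is an added example, not code from Jay Schulman or Cigital: it builds a constructed inventory of a hypothetical clinic network, defines two constructed threat actors with their entry points, and ranks systems by how much PHI an actor who controls each system could reach. The system names, the connection graph, the actors and the scoring weights are all assumptions made up for illustration; the point it demonstrates is the one in the text, namely that a non-PHI system (here a building controller) can rank above the PHI stores themselves because it is the weak link that reaches them.

```python
"""Portfolio risk ranking driven by a simple threat model.

Added example (not from the original post). The inventory, the threat
actors and the scoring weights below are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    stores_phi: bool          # does this system hold protected health information?
    internet_exposed: bool    # reachable from outside the organization
    third_party: bool         # outsourced or commercial code the org cannot review itself
    reaches: list = field(default_factory=list)  # systems this one can connect to


# Constructed inventory of a hypothetical clinic network (step 1: know your portfolio).
INVENTORY = {
    "patient-portal":  System("patient-portal", False, True, False, ["api-gateway"]),
    "api-gateway":     System("api-gateway", False, False, False, ["ehr-db", "billing"]),
    "ehr-db":          System("ehr-db", True, False, False, []),
    "billing":         System("billing", True, False, True, []),
    "hvac-controller": System("hvac-controller", False, True, True, ["imaging-pacs"]),
    "imaging-pacs":    System("imaging-pacs", True, False, True, []),
    "marketing-site":  System("marketing-site", False, True, True, []),
}


@dataclass
class Actor:
    name: str
    entry_points: list   # systems where this actor is assumed to start (constructed)
    weight: float        # relative likelihood assigned by the threat model (constructed)


# Step 3: threat model. An external attacker starts at anything internet-facing;
# a malicious insider is assumed to already have access to the API gateway.
ACTORS = [
    Actor("external attacker",
          entry_points=[s.name for s in INVENTORY.values() if s.internet_exposed],
          weight=1.0),
    Actor("malicious insider", entry_points=["api-gateway"], weight=0.5),
]


def reachable(inventory, start):
    """Breadth-first search over the connection graph.
    Returns every system reachable from `start`, including `start` itself."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in inventory[cur].reaches:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def phi_exposure(inventory, start):
    """Step 2: the PHI-holding systems an attacker who controls `start` can reach."""
    return {n for n in reachable(inventory, start) if inventory[n].stores_phi}


def rank_portfolio(inventory, actors):
    """Step 4: score each system by the PHI it exposes, weighted by which actors can
    start there. Returns [(name, score, [phi systems reached])] sorted by score."""
    ranked = []
    for name in inventory:
        exposed = phi_exposure(inventory, name)
        score = 0.0
        for actor in actors:
            if name in actor.entry_points:
                score += actor.weight * len(exposed)
        # Constructed policy: unreviewed third-party code on a path to PHI adds a small premium.
        if inventory[name].third_party and exposed:
            score += 0.25
        ranked.append((name, score, sorted(exposed)))
    return sorted(ranked, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for name, score, exposed in rank_portfolio(INVENTORY, ACTORS):
        print(f"{name:16} score={score:<5} reaches PHI in: {', '.join(exposed) or '-'}")
```

Run as a script it prints the ranking; the top two entries are the patient portal (internet-facing and two hops from both PHI stores) and the HVAC controller, which holds no PHI itself but is internet-facing, runs vendor code, and has a path to the imaging system. The EHR database, the obvious "critical system", ranks at the bottom because nothing in the model lets an actor start there. In a real assessment the graph comes from the inventory work in step 1 and the actors and weights from the threat-modeling session in step 3.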
HIMSS organizers, in preparation of its annual conference and trade show and as a way to rally attendees around several trending topics for the coming show, asked the healthcare community how it feels about several key issues. I’ve reached out to readers of this site so they can respond to what they see as the future of healthcare innovation, data security, patient engagement and big data.
Their responses follow.
Do you agree with the following thoughts? If not, why; what’s missing?
Sean Benson, vice president of innovation, clinical solutions, Wolters Kluwer Health
Future innovations in health IT, big data in particular, will focus on the aggregation and transformation of patient data into actionable knowledge that can improve patient and financial outcomes. The ever-growing volume of patient data contained within disparate clinical systems continues to expand. This siloed data often forces physicians to act on fragmented and incomplete information, making it difficult to apply the latest evidence. Comprehensive solutions will normalize, codify and aggregate patient data in a cloud system and run it against clinical scenarios to create evidence-based advice that is then delivered directly to the point of care via a variety of mobile devices. This will empower physicians with patient-specific knowledge based on the latest medical evidence delivered to the point of care in a timely, appropriate manner, ultimately resulting in higher quality treatment and more complete care.
Susan Reese, MBA, RN, CPHIMS, chief nurse executive, Kronos Incorporated
Gamification — the trend of creating computer-based employee games and contests for the purpose of aligning employee productivity with the organization’s goals — is currently a popular topic with business leaders and IT. For proof, consider that Gartner recently projected that by 2015, 50 percent of all organizations will be using gamification of some kind, and that by 2016, businesses will spend a total of $2.6 billion on this technology.
With numbers like these, it is clear that gaming is serious business and that it is here to stay. But at this point, you may be asking yourself, “Could gamification work in my healthcare environment? What potential benefits could it have?”
Today, many healthcare organizations are looking to the future and considering gamification as a way to increase employee engagement, collaboration, and productivity as well as to align their behavior with larger business goals – but they don’t know how to do it quite yet. Also, gamification can be a delicate decision, complete with advantages and risks. After all, employees’ day-to-day work responsibilities and careers are not games and can’t be trivialized. Healthcare organizations must be careful to avoid sending the wrong message to their workforce, or the whole program could backfire, or even lead to more negative consequences.
Mike Lanciloti, vice president of product management and marketing, Spectralink
In today’s digital age, healthcare IT needs to come a long way to get up to speed in innovation and connectivity. However, as we begin to see mobile play a larger role in the industry, healthcare is moving the needle on innovation as well.
The mobile revolution has picked up in healthcare for both health IT professionals and patient care, primarily as healthcare providers find ways to utilize smartphones, mobile devices and Wi-Fi networks to improve the communication and efficiency of their workforce.
Through mobile devices, clinicians have the ability to access what they need, when they need it. Mobile devices ensure nurses and mobile staff are equipped with the right technology to promote timely, efficient and reliable communication. This not only allows healthcare professionals to perform their jobs more effectively but also helps deliver a higher quality of patient care.
The growing mobile trend does present several questions for the industry. Hospital managers are quickly learning that an influx of smartphones into the hospital setting can become a larger problem than anticipated. Not only do personal devices lack the security required for enterprise-owned devices, they pose other risks, calling into question issues surrounding encryption, authorized access and mobile security. Personal phones aren’t designed to be equipped with the same encryption capabilities as enterprise-owned mobile devices.
Virtru allows users to choose when to keep their digital content private and secure even after it’s shared online. Manage and revoke access to emails, photos, files and other content at any time, right from within your favorite programs like Gmail, Outlook, and Mac Mail on your desktop or smartphone. The Trusted Data Format (TDF) is an open standard for securing content of all kinds. Virtru gives everyone the power of the TDF by integrating it with the tools you use every day, like Gmail and Outlook.
Virtru Pro makes it dead simple for physician practices and other organizations to easily, conveniently, and cost-effectively send PHI messages and files over email while complying with HIPAA. While hospital medical record systems often include a secure messaging component that supports safe communications, many organizations prefer to use regular email or do not want to incur the cost and complexity of heavyweight systems. This is especially true for small to mid-sized practices that have fewer financial or IT resources available to them. Virtru Pro is easy to set up and easy to use for doctors, administrative staff, and patients.
Virtru Pro is a cost-effective, easy-to-use, HIPAA-compliant email service for the healthcare industry. Offering the easiest, most secure way for healthcare organizations to comply with the Protected Health Information (PHI) requirements of HIPAA, Virtru Pro ensures these communications are secure, protected and integrated into the tools and processes used daily by physicians, administrators and patients:
Provider-to-provider communications including consult results, CT scans, diagnostic images, prescriptions and scheduling information;
Provider-to-patient communications including test results, prescription information, procedure preparation, and scheduling information; and
Patient-to-patient communications, such as the connection of patients who share a condition and can support each other as physicians offer group care.
With Virtru Pro, an entire organization can now easily send and receive secure, PHI-compliant encrypted emails, revoke sent messages, restrict forwarding and set expiry for emails and files to auto delete. Confidential information sent to colleagues and patients remains private, audit ready, and protected. Virtru Pro eliminates the risk of patient data being inadvertently forwarded to an unintended party and provides added controls so that physicians can determine how their patients’ health information is viewed and shared.
Virtru Pro works with all major email systems and is especially well suited to organizations using cloud-based email providers such as Google Apps for Work, Gmail and Microsoft Office 365.
Virtru was founded to bring true digital privacy to everyone – making end-to-end email encryption dead simple to use and integrated into the products people use every day.
CTO and co-founder Will Ackerly spent eight years at the NSA in various positions of senior management where, as a cloud security architect, he developed the standard for secure data transfer used today by various government agencies – the Trusted Data Format (TDF). He left the NSA to bring this technology to the consumer market, where he saw a real need for people to have control over the privacy and protection of their personal information online. As a senior technology adviser for the Bush White House before and after the events of 9/11, followed by six years in the private equity business, co-founder and CEO John Ackerly also saw a real need to provide individuals with the power to protect their digital communications. Combining the technical knowledge and know-how brought by Will with the on-the-ground experience of John has resulted in the perfect storm that is Virtru.
By Stephen Cobb, senior researcher, ESET North America.
The benefits of making health records available electronically would seem to be obvious. For a start, faster access to more accurate patient information – which is one of the promises of EHRs (electronic health records) and HIEs (health information exchanges) – could save lives. The author of a recent report on the many thousands of lethal “patient adverse events” that occur in America every year, Dr. John T. James, pointed to “more accurate and streamlined medical recordkeeping” as a top priority in the effort to reduce these deadly medical errors. Yet headlines about healthcare facilities exposing confidential patient data to potential abuse have been all over the media this year. So, will security issues and privacy concerns stymie EHR adoption or slow down HIE rollouts?
Today, more than half of all Americans probably have at least some part of their medical record stored on computer. In January, the CDC reported that roughly four out of five office-based physicians are now using some type of EHR system, up from one in five in 2001. A few months later, in a Harris poll sponsored by ESET, only 17 percent of adult Americans said that, to their knowledge, their health records were not in electronic format.
During that same survey of 1,734 American adults, we asked “are you concerned about the security and privacy of your electronic patient health records” and 40 percent said they were. Slightly more of them, 43 percent, said they were not. However, if we take out the 17 percent whose records were not in electronic format, the “concerned or not?” question breaks down as 48 percent Yes versus 50 percent No, a statistical tie.
Add to the list of known certainties: death, taxes, and the need to lower the cost of healthcare.
Neither HIPAA standards nor encryption were created with the purpose of lowering the cost of healthcare, but neither was penicillin originally purposed as an antibiotic. Both are welcome side effects in the world of medicine.
Cloud Computing and Healthcare
Healthcare and medical companies are migrating to cloud computing in record numbers. The cloud offers flexibility and scalability to manage ever-growing databases of patient records. At the same time, it offers mobility to enable care providers to access patient information remotely, and the ability to share data with colleagues, specialists, and labs. The cloud, perhaps most importantly, enables cost reduction on several levels.
It eliminates the need for healthcare organizations to purchase, maintain, upgrade, and replace costly computing equipment and staff.
It saves costs of multiple providers running multiple tests by enabling them to share and track the results.
It saves time and money by enabling paperless transmission of prescriptions and insurance claims. It also increases the accuracy of reimbursement coding.
Now, HIPAA omnibus and the American Recovery and Reinvestment Act (ARRA) requirements stipulate everyone in the healthcare industry begin migrating patient records and other data to cloud computing. Essentially, by 2015, all medical professionals with access to patient records must utilize electronic medical and health records (EMR and EHR), or face penalties.