Data security is one of the biggest concerns of hospital IT (HIT) managers and CIOs responsible for healthcare providers. The mandatory migration to Electronic Health Records (EHRs) does make it easier to update and share patient records, which has led to an improvement in the quality of care. However, EHRs also present new security challenges as hospitals, pharmacies, doctors’ offices, and insurance companies all strive to make EHRs secure but also shareable. The high-profile data breaches we have seen in recent years continue to uncover the flaws in healthcare data security, and provide lessons for changes in the future.
Passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 encouraged medical practices to adopt EHRs using financial incentives, and in 2015 the government started imposing penalties for failure to adopt EHRs. In 2009, only 21.8 percent of office-based physicians and 12.2 of non-federal acute care hospitals used EHRs. By 2013, more than 78 percent of doctors’ offices and 76 percent of hospitals were using some form EHR system. As a result, more than three quarters of healthcare providers now have added concerns about securing electronic patient records. Data security is also required to comply with the Health Insurance Portability and Accountability Act (HIPAA).
The Healthcare Data Breach EpidemicThe headlines are full of stories about big box retailers who have had customer data compromised and credit card information stolen. However, that data isn’t nearly as valuable as patient record information. On the black market, stolen credit cards are worth about 50 cents each. That’s because they age quickly and credit card companies deactivate them as fast as possible. Stolen health records, on the other hand, sell for about $50 each because they include data such as social security information that can be used for identity theft, medical information that can be used to fake prescriptions, and enough detail to commit Medicare fraud.
The Office of Civil Rights reports that in 2015 there were 253 healthcare hacks with a combined loss of 112 million records. Security breaches at the top six healthcare companies affected 1 million individuals, and four of the six institutions were affiliated with Blue Shield/Blue Cross. The statistics also show that 38 percent of healthcare security issues were categorized as “unauthorized access or disclosure,” but 90 percent of the top 10 breaches were reported as a “hacking/IT incident.” And 29 percent of all breaches were categorized as “theft.”
Healthcare’s Biggest Security ConcernsEvery data breach provides an added lesson in cyber protection. From the nature of the breaches we have witnessed over the past few years, we have learned quite a bit:
1. CybercriminalsHackers are the biggest and most pervasive security problem the HIT managers face. However, cybercriminals aren’t likely to initiate disruptive hacks such as a distributed denial of service (DDOS) attack. They are after real information stored on servers and being used by nurses, doctors, and pharmacists. That means they will be using more sophisticated tools to infect workstations or capture data traffic. Even stolen laptops and hard drives are yielding sensitive patient data.
2. The Human ElementOne of the most common sources of data breaches are users. Nurses keeping passwords posted to their workstations or share PIN numbers with colleagues, creating the most common security issues. Sometimes it’s a disgruntled employee but more often than not it’s carelessness on the part of users that exposes sensitive information to data thieves.
3. Hidden Break-InsOne of the greatest problems with a security breach is they are often hard to spot. It usually takes months to detect a cyberattack. In a recent survey, financial IT specialists said the average time it takes to detect a data breach is 197 days. Often a data breach isn’t uncovered until a third party notices a problem, or a patient complains about a fraudulent bill or identity theft.
4. HIPAA ComplianceMore hospitals and clinics are working to lock down security as part of HIPAA compliance. This requires balancing the need for security with the means to share secure EHRs between medical professionals and with patients.
A Cohesive Security StrategyJust as healthcare security issues are complex, so are the security solutions. You need a cohesive and integrated security strategy to protect EHRs and healthcare data that includes multiple components:
SecuritySince healthcare facilities are being targeted for cybercrime they need more rigorous security technology. Protective firewalls, anti-malware systems, data encryption, and other technologies need to be part of the security arsenal.
Remote MonitoringIn addition to on premise security technology, engage an outside firm to monitor and manage the enterprise remotely. Often security issues that aren’t seen within the system can be spotted and corrected by managed services.
Security ProtocolsTo combat human error, strict security protocols need to be developed and in place. For example, there should be protocols for locking down and tracking computer hardware, especially portable hardware such as laptops and tablets. More caregivers are using mobile technology to directly update EHRs, so they need to be protected using passcodes, encryption, and remote control software with memory wiping capability. Protocols also should be in place for updating passcodes, securely disposing of paper files, and other areas where carelessness can be costly.
Cloud ComputingMore medical facilities are adopting cloud computing to facilitate security as well as consolidate enterprise management. Using cloud data storage makes it easier to manage data and secure data access using encryption and two-factor authentication. Putting the data in the cloud also consolidates data management, and it makes backup and disaster recovery easier since cloud data storage is elastic. You even have the necessary storage capacity to archive old files and logs for regulatory compliance.
Independent IT experts can help you develop security procedures and protocols, and a create strategy that covers all aspects of data security and compliance. Too often, HIT managers are too close to the hospital procedures or the inner workings of a medical practice to recognize the weaknesses. An outside expert in managed services and IT infrastructure who understands security can help you design a comprehensive and secure enterprise that can adapt to evolving health care and patient needs.
What are some lessons you’ve seen the industry learn over the past few years with the recent data breaches? Have things changed within your organization as a result?