From March 2017 issue of Security Technology Executive.
The problem when it comes to patient healthcare data security is that no one dies when their personal information get stolen. The risk of data theft looks less serious than it is, and it is hard to apportion blame or responsibility. Worse still, this risk seems to come with the territory. It's easy for doctors and administrators to argue that it's necessary to risk the safety of patient data in the name of expedient treatment.
The problem when it comes to patient healthcare data security is that no one dies when their personal information get stolen.
If identity theft was tantamount to death or serious illness, healthcare organizations would put greater focus on the issue. Nurses and physicians would be trained on patient security at every level on the way up and get continuing education credit throughout their professional careers. There would be checks and double-checks on every “door” patient data could leak. From back office employee, outside vendor, to clinician, orientation would include security.
Even with increasing awareness of data security, however, healthcare organizations are slow to stem the tide. On average, six healthcare data breaches impacting 500 or more individuals are reported every week according to the Health and Human Services Office of Civil Rights, as required under section 13402(e)(4) of the HITECH Act. Although over $19 million in penalties have been levied for just the top six incidents alone, security does not even register as one of the top concerns of healthcare CEO and CFOs alike.
What's Keeping Information Security from Being a Top Concern?
The year 2017 is going to bring with it great uncertainty to the healthcare industry—but for CEOs and CFOs, the issues caused by information security are a molehill compared to the upcoming regulatory environment. According to Becker's Annual CEO+CFO Roundtable, top decision makers include volume leakage and smart expansion as their two primary concerns. From a recent survey by the American College of Healthcare Executives, financial challenges and healthcare reform are viewed as critical issues. Security is nowhere to be found.
Patient data security is often relegated to the IT department, but it's a problem that should be top-of-mind for every leader in the industry. In light of this, what's keeping information security on the back burner?
Three problems complicate the healthcare industries approach to security:
1. The decision to aggregate all healthcare data between providers adds weak links to the chain. A healthcare system is only as strong as the security of the weakest partner attached to its network. Anyone who followed the Target breach, where the retail giant was hacked through an associated HVAC repair company, understands why this is problematic.
2. Healthcare has historically lagged in IT security investment. Although these investments began to increase in 2016, the extra funds were modest, unevenly applied, and clearly failed to stem the tide of high-profile ransomware attacks.
3. Healthcare organizations usually hold a great deal of high-quality personally identifying information (PII). An attacker has a high chance of scoring victims' names, addresses, social security numbers, phone numbers, and so on. These attributes are harder to change than a credit card number, and more dangerous for a criminal to have.
Fixing Investment and Awareness in Information Security
For healthcare organizations, it is imperative that investments into information security match investments into other digital tools. It is useful and necessary for many organizations and business units to have access to the same pool of data. This lets them find new efficiencies and service line opportunities from mining this data. It is equally necessary that this pool of data be protected from unauthorized access.
Again, this is a problem that affects patient safety. Its importance needs to be reflected in every aspect of the hospital environment. Information security is not just an IT problem, and cannot be solved by throwing money at expensive tools. Rather, it is a dilemma that requires holistic solutions, involving policy, governance, training, and personnel. Ideally, a small organization would be able to manage its security just as well as a large one.
The solution to this puzzle looks like a standard of security that satisfies both the organization, and the patient. The alternative is to face a spiral in which attacks steadily increase in severity, regulators levy increasing fines, and patients continue to lose.
Healthcare Security is a Process, Not a Point Solution
In order to begin working towards functional information security, healthcare organizations first need to assess where they stand. Here, they'll actually find the first big problem with their security posture—most organizations don't assess their security often enough.
Doing an annual security review, as opposed to smaller monthly or quarterly reviews, produces problems. Far too many deficits accumulate during a year's interval to be fixed within a reasonable timeframe. This approach leaves hospitals vulnerable to hackers, and administrators scrambling to fix problems that have accrued during a twelve month period. Oftentimes, admins only have a limited window to take systems offline for maintenance, and hasty repair jobs are a recipe for human error.
Compounding the dilemma, there is a massive shortage of information security workers to fill open job slots. To compensate for the shortfall, healthcare organizations need to schedule tasks intelligently. Instead of working through hundreds of pages of security assessment findings once annually with a short staff on a short timeline, healthcare organizations should divide tasks up over the year, integrating the controls and reviews in manageable doses on agendas of existing committee meetings, etc. Tasks, driven by policies and governance, can, therefore, be accomplished as part of a regularly scheduled annual plan and maintained without significant additional difficulties.
· Visibility is increased across the organization, and executives can see where the organization stands at any point in time from a compliance standpoint. This allows them to maintain an appropriate level of focus.
· Continual, scheduled review of a small number of security items will allow more focus to be placed on each individual control. Administrators can focus on data inputs and outputs that might be potentially vulnerable to attackers.
Additionally, healthcare administrators need to understand how both accidental and intentional data breaches occur. In 2016, healthcare organizations reported 306 data breaches. Several of these breaches follow a pattern. Administrators can study these patterns in order to mitigate potential breaches within their own organizations.
Just as an example, the top four HIPAA fines handed out this year totaled over $15M. Without exception, they were tied to data on laptops that were lost, stolen, or mishandled. A simple project of encrypting the drives on all devices containing patient data that leave the facility is a cost-effective answer. Technology such as Citrix XenDesktop or Horizon View, often already in place in many healthcare settings, would also mitigate this risk entirely.
As another example, many healthcare organizations are beginning to upgrade their operating systems and security tools. These upgrades tend to affect desktops and laptops—while ignoring networked medical devices that run older software. These platforms are still vulnerable to malware, and hackers are taking advantage of this fact. We could literally discuss tactics all day, but the value is in larger strategic decision around program development.
Fixing Information Security Means Sacrificing Speed for Safety
Hackers made up a third of reported breaches in 2016. Undisclosed access represented 45 percent. Theft was 20 percent. Each incident in these categories resulted from a failure of best practice within a healthcare organization. Each incident, in turn, results in hundreds of patients who must live under threat of identity theft for at least six months, as estimated by the FTC.
Physician and clinical staff training around security needs to change to fit this new climate of risk. There is a common opinion that the speed and convenience of communicating personal health information (PHI) in an unsecured manner outweighs the security risk. Need for speed is often cited as the reason to break the law and bypass security controls, all in the name of patient safety.
Continued fines may eventually modify this behavior, but as previously stated, security is often an also-ran in a sea of priorities for healthcare administration and providers alike. Even the weight of HIPAA goes by the wayside when "patient safety" is invoked. If an administrator needs to get documents prepped for a helicopter transfer to another organization with a patient's health on the line, who's going to take the time to make sure those documents are encrypted or secured properly in transit?
Provider organizations, for their part, have to build out tools or invest in an overall security governance program that allows clinical staff to communicate in a fast and efficient manner. The answer to the problem above, for example, might involve investing in a program that automatically encrypts all email sent outside of the organization or provides a simple secure file transfer mechanism like ShareFile. When policies are applied without human intervention, it becomes more difficult to discard them in the name of speed.
One way to think about this is to consider patient security as analogous to the process of discharging a patient. Hospitals don't simply let patients leave their premises—rather, there's a complex document chain that allows organizations to confirm proper steps have been taken to meet reimbursement requirements upon discharge, manage the transition of care back to a primary care physician if necessary, along with some level of guidance and monitoring patient health post-visit. Do we need a Security Continuity of Care document? Will patients begin asking about security protections and mitigation measures of their providers when selecting a new doctor?
Healthcare organizations must help caregivers learn and understand that protecting a patient’s digital identity is just another part of patient care in the world we live in today.
For their part, hospitals and healthcare practices need to be proactive in providing caregivers with tools allowing for the open flow of communication for patient care that meets mandated security requirements.
Patient safety and patient security can coexist without either taking a back seat. To get there, security has to become interwoven into everyday processes, just one more line on an existing meeting agenda. When security is treated as an additional layer of cost and overhead stacked on what is already a complex operation, it is easy to consider it optional.
Asking healthcare providers and partners to make all data from all sources readily available for the patient can have unfortunate data security outcomes. On the other hand, this practice allows practitioners to make more informed and accurate healthcare decisions. How do we reconcile the risks with the benefits?
The prescription is a comprehensive program identifying gaps from large to small, critical to anecdotal, which incorporates daily bite-sized oversight and transparency. This approach is far more manageable to large and small organizations alike than swallowing massive annual assessments and thick remediation findings that overwhelm what is already a tight staffing model.
Hoping that you are too small or anonymous to be a target is not today’s reality but the good news is, in large part, the cure has been discovered, the patient just needs be willing to follow the plan of care.