The numbers prove that the healthcare industry is ripe for cyber-attacks. Breaches in healthcare are up more than 300 percent since 2005. Last year breaches in the healthcare/medical category surpassed all others, accounting for 43.1 percent, according to the Identity Theft Resource Center — more than business, government, financial/credit card or education. In 2012, it was 34.9 percent of all breaches.
There are many reasons for this. Several key ones are:
- A lot of new technology and systems have been added to older systems in a short period of time, and infrastructure continues to evolve rapidly, which increases vulnerability.
- Healthcare is both a people-intensive and technology-intensive business with many patient touch points and, consequently, many potential breach points.
- Patient records are a target-rich environment containing extensive personal and financial data, opening the door to insurance fraud, identity and credit card theft and stolen prescriptions.
Think of cyber-threats as antibiotic resistance; just when you think you have stomped them out, they find a way to slough off your defenses and strike again. Here are some tips to help you wage a more productive battle.
Make HIPAA Risk Analysis Routine
The annual check-up is not enough. It is a point-in-time determination of compliance. Everything about your environment starts to change as soon as the analysis is complete. A new community clinic or ambulatory care unit opens. Office staff is hired or released. Diagnostic equipment is added to your network. These technical, business operations and workflow changes alter your security envelope and provide avenues of opportunity for patient data breaches.
Understand that your systems are under constant threat. Add vulnerability assessments, intrusion detection, penetration testing and firewall management to routine internal audits and maintenance schedules. Adhere to a review schedule that is quarterly at a minimum.
Enforce the Rules
It doesn’t matter how complete your security policies and procedures are if you do not rigorously enforce them. You may as well not have them at all. Beyond insisting upon strong passwords that are changed frequently, logging off desktops at night, locking screen savers and securing media such as thumb drives, instilling a security mindset throughout the workforce is critical. It’s also quite hard to accomplish and maintain.
Employees must be engaged frequently in security awareness training, internal methods training and simulations, and through daily reminders and visual stimuli. Security awareness and good practices must be integrated into the organization’s culture, reinforced by leadership and rewarded.
The best encryption solution is the one aligned with your organization’s business and security objectives for data inflight, in use and at rest. This includes understanding all internal and external data governance policies (including data privacy and residency) and HIPAA/HITECH compliance mandates. All data accessed by portable device must be encrypted; unencrypted smartphones, tablets and laptops that are lost or stolen account for as much as 30 percent of protected health information (PHI) breaches. People typically don’t like it, but their protests pale in comparison to the pain, damage and cost resulting from a significant breach.
However, data encryption alone does not guarantee data confidentiality. That happens when an authorized team controls the encryption process and the encryption keys. When security is a regulatory requirement, organizations should deploy and manage encryption themselves. But a trusted cloud services provider (CSP) can be on the team as well; new products are coming to market that allow secure split-key responsibility.
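To make the key-control point concrete, here is an added example (not code from the article or from any product it mentions) of 2-of-2 split-key custody: a data encryption key is split into two shares, the healthcare organization keeps one and the CSP keeps the other, and a record can only be decrypted when both shares are brought together. Because it uses only the Python standard library, the cipher is a demonstration construction (HMAC-SHA256 in counter mode, encrypt-then-MAC); a real deployment would use AES-GCM or similar from a vetted library and usually a threshold scheme such as Shamir secret sharing rather than a plain XOR pair. The record text, key sizes and share names are assumptions made for this example.

```python
"""Split-key custody demo: neither share alone is the key (constructed example)."""
import hashlib
import hmac
import secrets

KEY_LEN = 32    # bytes of DEK (data encryption key)
NONCE_LEN = 16
TAG_LEN = 32    # HMAC-SHA256 output


def new_dek():
    """Generate a fresh random data encryption key."""
    return secrets.token_bytes(KEY_LEN)


def split_key(dek):
    """Return (share_a, share_b) with share_a XOR share_b == dek.
    share_a is uniformly random, so on its own it carries no information
    about dek; the same is true of share_b."""
    share_a = secrets.token_bytes(len(dek))
    share_b = bytes(x ^ y for x, y in zip(dek, share_a))
    return share_a, share_b


def combine_shares(share_a, share_b):
    """Reconstruct the DEK from both shares."""
    if len(share_a) != len(share_b):
        raise ValueError("share length mismatch")
    return bytes(x ^ y for x, y in zip(share_a, share_b))


def _subkeys(dek):
    """Derive separate encryption and MAC keys from the DEK."""
    enc_key = hmac.new(dek, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(dek, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """Demonstration keystream: HMAC-SHA256(nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(dek, plaintext):
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _subkeys(dek)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(dek, blob):
    """Verify the tag first; only then decrypt. Raises ValueError on a
    wrong key (including a lone share) or an altered ciphertext."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(dek)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or altered data")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def demo():
    """Encrypt a constructed PHI record, then show that only the combined
    shares recover it. Returns (recovered, lone_share_works, tamper_caught)."""
    record = b"MRN 000123 | Jane Doe | Dx: hypertension"  # constructed sample
    dek = new_dek()
    org_share, csp_share = split_key(dek)
    blob = encrypt(dek, record)
    del dek  # neither party keeps the assembled key at rest
    recovered = decrypt(combine_shares(org_share, csp_share), blob)
    try:
        decrypt(csp_share, blob)          # CSP acting alone
        lone_share_works = True
    except ValueError:
        lone_share_works = False
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])
    try:
        decrypt(combine_shares(org_share, csp_share), tampered)
        tamper_caught = False
    except ValueError:
        tamper_caught = True
    return recovered, lone_share_works, tamper_caught


if __name__ == "__main__":
    print(demo())
```

The design point is that `encrypt`/`decrypt` never see a share, only the combined DEK, so a compromise of the CSP's key store alone yields ciphertext plus a random-looking share and nothing else; the integrity tag also means a wrong key is rejected rather than silently producing garbage.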
Control Network End Points
Protect the network and the patient data accessed by laptops, smartphones or other mobile devices, not the devices themselves. More applications and data delivered to devices, as opposed to being resident on the devices themselves, afford a great deal of control and, consequently, security.
Deliver “the desktop” virtually to devices; cloud-delivered desktops can be a very effective delivery model. Make “fat clients” thin so that applications and data are centrally managed. Manage the information by setting policies, creating user groups or applying other protocols that limit what people can see. This segment of the security industry is evolving rapidly, as you would expect. It will pay dividends to stay abreast of new products and technologies in this space.
An employee in the Medicaid program at the South Carolina Department of Health and Human Services made off with private data on 230,000 Medicaid beneficiaries – names, phone numbers, addresses, birth dates, Medicaid ID numbers and Social Security numbers of those with Medicaid IDs. An uncommon occurrence by a rogue employee? Not according to a recent HIMSS Security Survey. Eighty percent of respondents (283 IT and security professionals) said that workforce members snooping on information of others such as a spouse, co-worker, neighbor or friend was a major threat to data security.
Healthcare organizations continue to strengthen the technologies in place to secure data. Only people who absolutely need data access should have it; privileges must be reviewed frequently. Employ both user-based and role-based access controls to data. Collect and analyze data from audit logs, firewalls, applications and servers. And, again, enforce the rules.
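The two controls named above, role-based and user-based, and the audit-log review that backs them up, as an added example (not code from the article or from any EHR product). A role decides which actions a user may ever perform; a per-user care-team list decides which patients are within that user's "minimum necessary" scope; and a review pass over audit records flags the accesses a privacy officer would look at first, including the co-worker snooping the HIMSS respondents describe. All roles, users, patient identifiers, the log format and the log lines are constructed for this example.

```python
"""Role + user scope access checks and audit-log review (constructed example)."""
from collections import Counter
from dataclasses import dataclass

# Role-based control: which actions a role may perform at all.
ROLE_PERMISSIONS = {
    "physician": {"read_chart", "write_chart", "read_billing"},
    "nurse": {"read_chart", "write_chart"},
    "billing": {"read_billing"},
    "it_admin": set(),  # administers systems, has no need to read charts
}

USER_ROLES = {
    "dr.lee": "physician",
    "nurse.kim": "nurse",
    "bill.ng": "billing",
    "sys.ops": "it_admin",
}

# User-based control: the patients each user currently has a treatment or
# billing relationship with (their minimum-necessary scope).
CARE_TEAM = {
    "dr.lee": {"P1001", "P1002"},
    "nurse.kim": {"P1001", "P1003"},
    "bill.ng": {"P1001", "P1002", "P1003"},
}

# Staff who are also patients here; access to their charts by a colleague
# is the classic snooping case and gets its own finding.
EMPLOYEE_CHARTS = {"P1003": "nurse.kim"}


def is_authorized(user, action, patient_id, break_glass=False):
    """True if the role permits the action AND the patient is in the user's
    scope, or an emergency break-glass override was asserted. Break-glass
    never bypasses the role check."""
    role = USER_ROLES.get(user)
    if role is None or action not in ROLE_PERMISSIONS[role]:
        return False
    return patient_id in CARE_TEAM.get(user, set()) or break_glass


@dataclass
class AuditEvent:
    ts: str
    user: str
    action: str
    patient_id: str
    break_glass: bool


def parse_line(line):
    """Constructed log format: timestamp|user|action|patient_id|flags"""
    ts, user, action, patient_id, flags = line.strip().split("|")
    return AuditEvent(ts, user, action, patient_id, "break_glass" in flags.split(","))


def review(lines):
    """Return (findings, out_of_scope_counts); a finding is (rule, user, patient_id)."""
    findings = []
    out_of_scope = Counter()
    for ev in map(parse_line, lines):
        role = USER_ROLES.get(ev.user)
        if role is None or ev.action not in ROLE_PERMISSIONS[role]:
            findings.append(("role_violation", ev.user, ev.patient_id))
        if ev.patient_id not in CARE_TEAM.get(ev.user, set()):
            out_of_scope[ev.user] += 1
            rule = "break_glass_review" if ev.break_glass else "outside_care_team"
            findings.append((rule, ev.user, ev.patient_id))
        owner = EMPLOYEE_CHARTS.get(ev.patient_id)
        if owner is not None and owner != ev.user:
            findings.append(("coworker_chart", ev.user, ev.patient_id))
    return findings, out_of_scope


SAMPLE_LOG = [  # constructed records, not from any real system
    "2024-03-01T08:02:11Z|dr.lee|read_chart|P1001|",
    "2024-03-01T08:15:40Z|nurse.kim|read_chart|P1002|break_glass",
    "2024-03-01T12:30:05Z|bill.ng|read_chart|P1003|",
    "2024-03-01T13:01:22Z|dr.lee|read_chart|P1003|",
    "2024-03-01T22:47:09Z|sys.ops|read_chart|P1002|",
]

if __name__ == "__main__":
    found, counts = review(SAMPLE_LOG)
    for rule, user, pid in found:
        print(f"{rule:20} {user:10} {pid}")
    print("out-of-scope accesses per user:", dict(counts))
```

Run against the sample log, the review flags the billing clerk reading a chart (a role the policy never granted), a physician reading a colleague's chart outside any care relationship, the IT administrator reading a chart at night, and the one break-glass access, which is legitimate only if a documented emergency justification exists; the per-user counter is what a quarterly privilege review would use to spot a repeat snooper.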
The healthcare industry’s reticence about cloud security is not without merit. No solution is perfect and every solution requires continual re-evaluation and improvement. However, the time has passed to dismiss the cloud option out of hand.
Healthcare organizations considering moving any aspect of their IT operations to the cloud should work with a CSP that is HIPAA compliant. That will ease the burden of meeting stringent HIPAA requirements, help ensure that appropriate mechanisms are in place for keeping data safe and provide peace of mind.
CSPs now must meet many of the same HIPAA requirements as their healthcare customers. They are also required to sign “business associate agreements” (BAAs), which spell out how they will report and respond to a data breach, including those caused by their subcontractors. That is, they have more skin in the game. Both the cloud customer and CSP are responsible for keeping patient data secure. Both suffer the consequences if that data is compromised.
Healthcare organizations should also insist that their service level agreements (SLAs) with CSPs specify agreed-upon security objectives and outline processes for ensuring compliance. It’s not a cure-all, but it can help facilitate more effective data loss prevention.