Healthcare security is a high priority
Many of the same risk and security issues confronting mainstream businesses plague the healthcare industry. The immediate priorities and pressures within healthcare are different, however, primarily because of HIPAA/HITECH compliance requirements. Another difference is that patients and practitioners benefit most from collaboration and the continual exchange of a great deal of personal information. Lots of people touch the care process; that is how delivery of services and payments work.
In its "Health Care Cyberthreat Report" released Feb. 21, the SANS Institute reported that 94 percent of all healthcare organizations admit to having been victims of data breaches. More alarming still, organizations that have been breached but have not disclosed the incidents, or have not yet discovered them, are not included in that tally.
The move toward an entirely automated healthcare system featuring electronic and personal health records (EHRs and PHRs), clinical data warehousing and increased transparency means more data is at risk. It is past time for healthcare IT professionals to review their privacy and security policies and procedures. Here are five areas worthy of attention.
1. HIPAA, a Powerful Motivator
Where there are rules that are vigorously enforced, carrying big financial consequences for failure, you have someone's attention. There is no getting around the power of HIPAA/HITECH. The Office for Civil Rights (OCR), the division of the U.S. Department of Health and Human Services that regulates and enforces HIPAA, is a proactive enforcer of its audit protocol. Penalties for violations start large and get larger, with a maximum of $1.5 million per year for violations of the same provision. Common culprits behind violations are unencrypted data, employee negligence, PHI stored on portable devices and business associates that were never vetted.
Leaders at healthcare providers must familiarize themselves with the OCR’s audit protocol and perform a self-assessment now. However, compliant today is not necessarily compliant tomorrow. Remain current by regularly scheduling self-assessments. Also remain current on the specifics of the law and OCR’s auditing posture as its activities are reported through industry news channels.
Historically, many healthcare organizations understandably have focused almost exclusively on compliance. It has the attention of senior staff and management, which are protective of not only the organization’s finances, but its public reputation as well. While necessary, ensuring compliance to the exclusion of other matters is a major risk itself.
2. Mistaking Compliance for Security and Risk Management
A compliant organization is not necessarily a secure one (and a secure organization is not necessarily a compliant one). The share of data breaches with a malicious insider or hacker as the root cause has doubled, from 20 percent of all incidents to 40 percent, since the Ponemon Institute first started conducting its study four years ago. Other patterns have shifted, but that is probably the biggest change of all.
The healthcare realm has a great deal of IT complexity and many legacy applications that were never coded or tested against security best practices. Layer new systems and software on top of that and you are likely to have an environment rife with vulnerabilities. As the risks to critical applications from external threats increase, controlling access, monitoring logs for unusual activity, identifying the likeliest risks and prioritizing patches and fixes take on added importance.
However, many institutions comply with HIPAA’s requirement for a privacy officer and a security officer by doubling up on the CIO’s responsibilities. Others attempt to fill positions from within. The required security and risk (S&R) skills are more likely to be found outside of the institution and the healthcare industry. It’s like the difference between using an x-ray machine when you really need an MRI.
3. Healthcare Facility versus Healthcare Ecosystem
The integrated healthcare ecosystem connects many players, each holding a different piece of the electronic healthcare puzzle. Consequently, the potential attack surface for hackers grows with the number of data handlers. In the mix are payers, hospitals, pharmacies, insurance companies, health information exchanges and other third parties, such as consultants or cloud-service providers ... and at least some of their employees.
While they all have a responsibility to abide by HIPAA in order to handle PHI, the accountable party is still you. More attention must be paid to third parties and the risk your organization takes on by exchanging patient data with them. Is the return on that risk, from a business or clinical perspective, within acceptable parameters? Don't take a partner's security declarations, readiness or commitment for granted; ask for evidence, such as an independent audit report. It is for this reason that Peak 10 maintains a HIPAA-compliant infrastructure and cloud-services offering, which is independently audited each year.
4. Mobile Medicine
A survey of attendees at HIMSS14 found that 45 percent of respondents believe the greatest barrier to mobile health adoption is the risk of a data breach, followed by meeting regulatory and compliance requirements for the privacy and security of patient data. While there are certainly concerns to be addressed, the necessity of mobile devices for delivering care in an ever-expanding healthcare ecosystem is undeniable.
This is an urgent area for S&R professionals to address. While nearly nine out of 10 healthcare organizations permit BYOD, more than half of those doubt personally owned devices are secure. Most do not mandate anti-virus software on devices or scanning of devices before they connect to the network. Yet one of the greatest sources of data breaches is lost or stolen devices, primarily laptops.
Some organizations are coming around to the realization that it may be more effective to protect the data, which can be centralized, than the devices, which are ubiquitous. One avenue for doing this is virtual desktops or cloud-delivered desktops. The applications and data are accessed from a host virtual server but never stored on the devices themselves, so if a device is lost or stolen, no PHI on it is in jeopardy. The caveat is that this only holds if the virtual desktop itself is protected: strong authentication to the session, no cached credentials on the device, and controls against downloading or copying PHI out of the session are what keep the data truly off the endpoint.
5. Speaking the Business of Healthcare
While this may be better classified as a challenge as opposed to a risk, it is fundamental to establishing the most impactful security program possible at the lowest possible cost.
As practically every industry is discovering, the role of information technology is undergoing transformational surgery. The question on the minds of executive staff is how to apply IT to make the organization successful, not simply to keep the doors open. Social media, mobility, cloud computing and big data have dramatically swung the balance from operations to enablement. This is a cultural and behavioral change not only for many CIOs but also for S&R professionals, who are ardent conservatives at heart.
CEOs do not typically speak the language of IT or BYOD protection and have no intention of learning it. The CIO and CISO must understand and become conversant in the business of the hospital and the business challenges it faces. Explaining the strategies, performance and requirements of IT, security and risk management in business terms will go a long way toward protecting data and information in the most appropriate manner, as well as the jobs of the individuals responsible for it.
A recent report from Forrester Research (Industry Spotlight: US Healthcare Risk Professionals' Security Budgets, Priorities, And Challenges, by Stephanie Balaouras and Skip Snow, February 19, 2014) advises S&R pros to avoid reporting on operational metrics (e.g., laptops patched, emails scanned), because they say nothing about the organization's objectives or healthcare outcomes. Instead, the report suggests seven categories of executive-level metrics: 1) strategic alignment to corporate goals; 2) functional alignment to performance objectives; 3) support for regulatory compliance; 4) dedication to efficiency and effectiveness; 5) commitment to process excellence; 6) enthusiasm for service and support; and 7) drive for innovation.