Security

5 takeaways from the WannaCry ransomware attacks

Will information technology ever realize an imagined future where security is strong enough, reliable enough, secure enough to block any and all attacks?

It’s a dubious proposition made more uncertain by the recent WannaCry ransomware incident that started a couple of weeks ago and continued around the globe for several days. The virus was seemingly halted on Friday, May 12, when a security researcher found weaknesses in the code, but additional versions without those weaknesses have been sent out since.

Whoever is sending out WannaCry will continue, or someone else, someplace else, will send something similar or more virulent. The war is never over.

Which means hospitals, IT vendors, security firms and other HIPAA business associates must constantly work to develop better tools. In pursuit of that goal, what can we learn from the WannaCry attack thus far that can help with security moving forward?

  1. System updates are essential. WannaCry targeted Windows operating systems and succeeded where those operating systems lacked security updates. Hospitals in Britain’s National Health System suffered considerable damage because so many are still using Windows XP, a 16-year-old operating system. Contrast that with U.S. hospitals, which were minimally impacted. Indeed, a major concern for hospitals around the world is the use of old operating systems in a variety of settings that are no longer upgraded or supported. Microsoft rushed a Windows XP security update out after WannaCry was unleashed, but it’s not something the company wants to do or would probably be willing to do with any regularity.

    It probably goes without saying, but the use of unlicensed and unlicense-able software leaves hospitals completely vulnerable to malware attacks. In the U.S., this is not a significant problem. However, in China and countries similarly resistant to strong policing of intellectual property licensing and use, computers may as well put out a virus welcome mat. Reportedly, WannaCry impacted around 29,000 institutions in China. 

  2. Devices are vulnerable. Specifically, WannaCry successfully attacked Bayer Medrad radiology devices in at least a couple of examples, the first known hacks of medical devices. The concern about medical devices is acute simply because they often control something directly related to the patient condition. A hack of the EHR system is problematic and disruptive. A hack of a medical device is potentially life-threatening. 

  3. Even inept hackers are successful enough to be very disruptive. Possibly derived from hacking tools originally created by the National Security Agency, WannaCry contained weaknesses, apparently introduced after the tools left the NSA, that researchers and security experts could identify relatively quickly. Using terms like “amateur hour” and “easy fix” to describe WannaCry, security professionals said the virus was not a particularly challenging nemesis. But even imperfect malware spread rapidly to more than 150 countries, infected hundreds of thousands of workstations and cost as much as $4 billion. Imagine what kind of damage a more successful hack could do.

  4. The most expensive part of ransomware is not the ransoms. It’s not unreasonable to see many hackers as anarchists with active minds, time on their hands and a perverse motivation to kick at the pillars of modern society. Most of the ransoms demanded in the WannaCry case were in the $300 to $600 range, and most organizations chose not to pay them. As of Friday, May 12, one consultancy estimated only $100,000 in total had been sent to hackers. No one was going to get independently wealthy off this hack. Still, WannaCry bled an estimated $4 billion from the system. Again, imagine a much more successful effort than WannaCry and you can see how motivated hackers might be determined to bring certain essential industries—healthcare, for example—to a grinding halt without getting dollars in return.

  5. Subscription services are a viable alternative. A primary reason WannaCry succeeded at all is because there is so much old software out there running various computing devices. Subscription software is one way to get old software out of the market. With the subscription option, to use WannaCry as a specific example, Microsoft can quickly and easily provide security updates to all applications and operating systems. The company did, in fact, provide updates in March to patch the security hole WannaCry exploited, which made the damage in the United States much less extensive. Clearly, however, those updates did not extend to the millions of Windows instances in use globally. While technology companies have been promoting subscription software options for years, buyers have been slow to sign on. Perhaps instances like this will convince many that subscription is both the more affordable and safer option. 

Right now, failsafe responses to malware and hackers are multi-pronged, and subscription software can be a significant component in that defense. Each hospital must develop a comprehensive and stringent security program as a necessary foundation for overall protection.  

The security battles will continue into the foreseeable future and each will give us an opportunity to make the defenses more responsive and sophisticated. The hospitals that can learn security lessons without having to pay ransoms or endure systems shutdowns will be those that react rapidly and prepare for the various threats.

Speaking of which, have you installed those Windows security updates recently? 

Richard Sullivan is chief operations officer for Medsphere Systems Corporation, the solution provider for the OpenVista electronic health record.

Category: Security

Time to update your security precautions? Take these five basic steps.

If you’re a small healthcare IT operation, a simple spreadsheet might do the trick. If you’re larger, a not-so-simple spreadsheet might be in order.

Regardless of how you do it, hospitals, clinics and other healthcare organizations must identify and monitor every single instance of computer network access. They’re called endpoints, says Larry Ponemon, founder of the security consulting firm the Ponemon Institute, and for you they exist as vulnerabilities.

Your job is to eliminate them through a series of basic security-promoting tasks.

While your IT security staff may have conducted such work in the past related to HIPAA, “in the past” is never recent enough for a robust security program in the hyper-changing technology world, especially if the work was incomplete or conducted over a year ago. In too many hospitals, security protections have been a one-shot effort conducted years ago with little follow-up. Your hospital may need to undertake the following actions from a blank slate perspective in order to combat today’s sophisticated threats.

Identify every device on the network.

We’re not talking just about desktops and laptops here. Think more broadly and identify everything that has a network connection—desktops, laptops, tablets, mobile phones, IoT devices, etc. You may have also permitted network access for clinicians and staff using their own devices, so take the time to identify those users as well.

Update your software.

After figuring out how many networked devices you have, make sure the security software on each device, including its operating system, is up to date.

“One of the main reasons hospitals have become ground zero for ransomware attacks is that almost every modern medical device is now a computer,” writes Phillip Hallam-Baker, vice president and principal scientist for cybersecurity firm Comodo, in Health Data Management. “It is not uncommon to find a multi-million dollar device such as an MRI machine running Windows XP Embedded, an operating system version that was last updated when it was retired in 2011.”

Hallam-Baker adds that defeating malware, particularly ransomware, requires a three-pronged approach:

  • Scan inbound email for infected attachments and for links to malware sites that trigger automatic downloads to your computer.
  • Block access to malware sites.
  • Run anti-virus software on every computer in use.
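As an added example of the first two prongs (not code from the article or from Comodo), the following Python scans a raw inbound message for disguised executable attachments, macro-enabled Office files and links to blocklisted domains; the blocklist, addresses and sample mail are constructed placeholders.

```python
import email
import pathlib
import re
from email import policy
from email.message import EmailMessage

# Constructed blocklist of malware-hosting domains (placeholders, not real
# indicators); a real gateway would load this from its threat feed.
MALWARE_DOMAINS = {"bad-downloads.example", "malware-drop.example"}

# Attachment types that are almost never legitimate in inbound mail.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat",
                         ".cmd", ".ps1", ".jar", ".lnk"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def host_is_blocked(host: str) -> bool:
    """True if the host is a blocklisted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in MALWARE_DOMAINS)


def scan_message(raw: bytes) -> dict:
    """Classify one raw RFC 5322 message as 'deliver' or 'quarantine', with reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        suffixes = pathlib.PurePosixPath(name).suffixes
        last = suffixes[-1] if suffixes else ""
        if last in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment: {name}")
            if len(suffixes) > 1:  # e.g. invoice.pdf.exe, a classic disguise
                findings.append(f"double extension hides executable: {name}")
        elif last in MACRO_EXTENSIONS:
            findings.append(f"macro-enabled Office attachment: {name}")
        # Check content, not just the name: a Windows PE file starts with 'MZ'.
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"MZ"):
            findings.append(f"Windows executable header in attachment: {name}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    for match in URL_HOST_RE.finditer(text):
        host = match.group(1)
        if host_is_blocked(host):
            findings.append(f"link to blocked domain: {host.lower()}")

    return {"verdict": "quarantine" if findings else "deliver",
            "findings": findings}


def build_sample_message(malicious: bool) -> bytes:
    """Constructed test mail: a disguised executable plus a blocklisted link,
    or a benign PDF with an intranet link."""
    msg = EmailMessage()
    msg["From"] = "billing@vendor.example"
    msg["To"] = "accounts@hospital.example"
    msg["Subject"] = "Invoice 4471"
    if malicious:
        msg.set_content("Invoice attached. Details: http://bad-downloads.example/inv/4471")
        msg.add_attachment(b"MZ\x90\x00fake-pe-body", maintype="application",
                           subtype="octet-stream", filename="invoice_4471.pdf.exe")
    else:
        msg.set_content("Invoice attached. Portal: https://intranet.hospital.example/ap")
        msg.add_attachment(b"%PDF-1.4 fake-pdf-body", maintype="application",
                           subtype="pdf", filename="invoice_4471.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(scan_message(build_sample_message(flag)))
```

The content check matters because renaming a file is free for an attacker; the extension checks alone would miss an executable sent as `report.pdf`.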

Spread the security gospel.

Now, it’s time for the social engineering. According to respondents in a Ponemon Institute study on networks and cybercrime, 81 percent feel the greatest threat to security is negligent and careless employees who don’t follow established policies and practices. This issue has been complicated in recent years by threats from insecure mobile devices. Train every employee in proper security practices, and reinforce them frequently.

Secure the patient portal.

At some point, turn your attention to the patient portal you installed to meet Meaningful Use. Keith Fricke, the principal consultant at tw-Security, wants you to know that it could create vulnerabilities. Imagine, for example, hostile code that lives on a popular website and downloads to a patient’s home computer. Later visits by that patient to an insecure hospital patient portal might provide a hacker with access to numerous patient records and the opportunity to pass along a virus, hitting your organization with a double whammy.

Cover your business associate bases.

In recent years, according to Ponemon, business associates (BAs) have endured even more data security incidents than healthcare providers.  A major reason is that HIPAA-required BA agreements, once signed, tend to sit on the shelves of all parties. Your partners, including IT vendors, may feel much less urgency about patient data security than you do. Make sure their lack of urgency does not impact your security by taking these steps:

  • Evaluate your entire list of vendors and similar partners to determine which have access to protected health information (PHI). Perhaps some BA agreements were never signed, which puts your organization at great risk.
  • Review all of your BA agreement files. Those dated prior to 2013 are obsolete, which adds to your hospital’s security vulnerability. The 2013 Omnibus HIPAA regulations are much stricter with business associates than the original HIPAA security rules, so it is critical to your security program that all BA partners sign an updated agreement.
  • Insist on compliance with the newer rules as a condition of your continued relationship. Double check your BA’s level of security and ask to see its most recent security risk assessment, one of its many obligations under HIPAA.

Taking these actions will greatly improve your organization’s security position and give you much, if not all, of the information you need to perform your own HIPAA-required security risk assessment.

A final note on the costs of data security

Many organizations are ill-prepared for the growing onslaught of security incidents, not because they don’t care, but because of inadequate funding and security expertise. High expenditures for recent initiatives such as Meaningful Use and ICD-10 implementation have not helped. Moving forward, senior management must view data security as a cost of doing business, just as it is with financial services and retail. You will have to spend money on security regularly to make it work. As technologies change and security risks increase, a sustainable security program must include regular updates and different and/or additional spending.

In 2017, the security race between hackers and healthcare is going stronger than ever, but it’s not too late to secure your organization’s network if you move quickly and deliberately. 

D'Arcy Gue is Director of Industry Relations for Medsphere Systems Corporation. 


Take these six steps to alleviate patient anxiety about data security

Not every patient admitted to your hospital will know that healthcare promises to be the most frequent target of hacking efforts in 2017.

But many will. They may be among the 21 percent of patients who withhold information from their doctor for fear of data breaches.

They might also be familiar with hacking and data breaches more generally, so they will put two and two together and figure out that they have much to lose—both personal and financial information—in a successful hack or ransom scenario.

You have a lot to lose, too, starting with patient dollars and trust, both of which are essential to what you do. Surveys suggest most patients will find a new provider should their information be hacked.

If they do inquire, allay patient fears by pointing to these specific strategies and values your hospital uses to safeguard patient data and prevent malicious access.

  1. Transparency: Some of your older patients are not and will never be comfortable with technology. Many of the younger patients will be very comfortable and knowledgeable about it. For both groups, the strategy is to be transparent, which is actually a much broader subject in healthcare than the scope of this blog post. For our purposes here, explain what patient data is maintained, why it is collected in the first place and what you do with it. If you share de-identified patient data, make sure patients know this. Explain the benefits of data accumulation and evaluation and how it could impact their lives or the lives of someone they love. 

  2. Dialogue: Continuing the transparency, consider asking patients if they are familiar with the transition to EHRs and how they feel about it. Ask if they have an idea about whether security is better or worse in an electronic system versus paper. Explain the weaknesses of paper and how it may impact patients. Talk to your patients about the commitment your organization has made to keeping patient data safe. Ultimately, your obvious goal is to inspire confidence in the patient and demonstrate your expertise with the technology. 

After demonstrating transparency with the patient and establishing open communication about the importance of protecting patient data, explain the measures your hospital has taken to prevent breaches and ransomware incidents.

  1. Security Technology: It will be wise and necessary to assess your patient’s understanding of healthcare technology before offering an explanation of what you’ve put in place. Keeping the explanation as simple as possible, talk about what you’ve done to make sure unauthorized access does not happen. This can be as straightforward as talking about the use of strong passwords to access the system, giving different personnel varying levels of access and hiring a chief security officer (CSO), if you have one.

  2. Training and Policy: Something your patients hopefully do not know is that clinicians and other hospital staff are the greatest security vulnerability. Without focusing on that fact, share with patients the security training your hospital has engaged in and policies that define much of your interaction with the EHR system. When you can speak authoritatively to the issues that crop up in a normal day related to security of patient data, your patients will feel more at ease.

  3. System Backup and Recovery: It might be appropriate and reassuring to tell patients that your hospital has a plan for system downtime, as is the case now with almost all hospitals. Perhaps you can also mention the organizational strategies associated with system backup and recovery, how often backups are created and, at a high level, how you test the backup system to ensure proper performance. 

  4. Familiarity and Comfort: Often, as patients become more familiar with the aspects of healthcare IT available to them—the patient portal—they also become more comfortable with the system overall. So, by introducing patients to the portal and getting them registered, you are moving toward two goals: lessening their technology anxiety and giving them a little more responsibility for their own care. Over more than a decade, Kaiser Permanente has tracked, documented and refined their use of a patient portal, which may give your hospital some ideas of what a portal can do and how to engage patients in using it.

So, that’s a lot of information to present to patients when many interactions with physicians only last 10 or 15 minutes. Is it too much for a doctor to present? Yes, it probably is, and it might also be inappropriate for the doctor to be focusing on EHR security instead of addressing clinical concerns. The hospitals that find other ways to communicate with patients about healthcare IT will find themselves ahead of the game and will be initiating a transparent dialogue with patients.

What tactics might further this goal?

  • Give them reading material. A really technologically advanced hospital might give patients tablets on which to read materials about IT security, but that’s expensive and creates concerns about theft. Instead, give patients documentation on the hospital’s security policies and procedures during the check-in process. Make the same information available on the patient portal.
  • Train the staff. After or in lieu of reading, patients are going to have questions. Make sure the administrative staff are familiar with the healthcare IT policies and can explain them to concerned patients. Still, that’s probably not enough. To assist patients who need it, you will probably also need to designate and provide special training for certain strong communicators among your administrative and clinical staff.

So, in the end, it comes back to sufficient training and subsequent open communication, just as it so often seems to with healthcare IT. Ultimately, hospital staff are both the strongest asset and greatest liability with regard to both security and patient care. Sufficient and periodic training should give your people the knowledge and experience necessary to maintain a secure patient data environment, and it will also enable them to demonstrate why patients should have confidence in your ability to do so.

D'Arcy Gue is Director of Industry Relations for Medsphere Systems Corporation. 


IoT Devices Top a Long List of 2017 Security Threats

It’s worth remembering that 2016 was dubbed the “year of data security” after 90 percent of healthcare providers suffered data breaches in the previous two years. In particular, the Anthem breach of late 2014/early 2015 got everyone’s attention for the sheer magnitude (around 80 million records) of the hack.

Looking back, we can say 2016 lived up to its name as the number of records accessed was significantly lower than the year prior. But IT security is a game of whack-a-mole, so if fewer patient records were lost, malevolent forces simply found other ways to make the lives of healthcare CIOs very difficult.

Ransomware, for example, became the dominant security issue of 2016 and made everyone aware that hackers can always just hold your files hostage if they can’t steal them.

So, does 2017 look like more of the same or will hackers conjure up something new? Sitting here in January, the expectation is that the same security issues will endure, but they will also be accompanied by more challenging and complex concerns.

The Internet of Things (IoT): The difficulty of IoT security is represented by the numbers: There are tens of thousands, if not hundreds of thousands, of IoT devices connected to healthcare networks, and the security on all of them is not ironclad.

“Internet-of-Things devices lack some of the most basic cybersecurity protocols,” writes Jessica Davis in Healthcare IT News. “As a result, these devices can be weaponized en masse – and in as little as three minutes.”

The hacking potential of IoT devices was made clear last October when domain name services provider DYN was breached via webcams and digital recorders, knocking Twitter, PayPal, Spotify and other internet behemoths offline for hours.

In a recent survey of healthcare executives conducted by Healthcare IT News, 52 percent said security was the highest IT priority for this year, with 58 percent elevating IoT devices to the top of the list of security concerns.

Ransomware: Hackers require access, and unsecured IoT devices give them that access. Once inside, they can continue the breakout year that ransomware had in 2016. In 2017, however, there may simply be more players in the game because the internet is an ever-evolving amusement park of wonders and horrors.

“There is already a ransomware as a service [RaaS] model, which provides automatically generated ransomware executables for anyone who wants to get rich by infecting potential victims,” Ondrej Vlcek, CTO for security firm Avast, explained to ComputerWeekly.com. “The bottom line is that creating or buying your own ransomware has never been easier.”

A panel of security experts speaking with Health Data Management said they expect extortion attacks to increase and become more sophisticated. The solution? According to David Finn, health information technology officer for Symantec, hospitals and health systems must have robust backup systems so they don’t have to pay for extorted patient data.

Data-integrity Attacks: You may have heard of the Stuxnet worm the U.S. government used in 2010 to infiltrate and sabotage Iran’s nuclear program by engineering minor changes in targeted devices. That’s an example of a data-integrity attack. The not-so-good news is that the technology has filtered down to black-hat hackers who can access hospital and health system networks through … wait for it … IoT devices.

"IoT is a massive attack surface that allows people to touch systems that for previous decades haven't been available to be interacted with," Daniel Miessler, director of client advisory services for security firm IOActive, told CNBC. "This is increasing exponentially.”

Instead of taking data or holding data hostage, hackers can manipulate data in subtle and often unnoticed ways so, for instance, payments don’t go where they’re supposed to. That’s one example of the potential data-integrity attacks offer hackers.
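As an added illustration of how a defender can notice the kind of quiet record tampering described above (this is not code from the article or from any product it names), the following Python seals each payment record with a keyed HMAC chained to the previous record, so a changed account number, a deleted record or a reordering fails verification; the key and the payment data are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed key; in practice it lives in an HSM or secrets manager and is
# never stored beside the data it protects.
SEAL_KEY = b"constructed-demo-key-do-not-reuse"


def canonical(record: dict) -> bytes:
    """Deterministic encoding so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_records(records: list[dict], key: bytes) -> list[dict]:
    """Attach a 'tag' to each record: HMAC over the record and the previous tag.
    Chaining means deleting or reordering records breaks the tag that follows."""
    sealed, prev_tag = [], ""
    for rec in records:
        tag = hmac.new(key, prev_tag.encode() + canonical(rec), hashlib.sha256).hexdigest()
        sealed.append({**rec, "tag": tag})
        prev_tag = tag
    return sealed


def verify_records(sealed: list[dict], key: bytes) -> list[str]:
    """Recompute every tag; return a description of each record that fails."""
    problems, prev_tag = [], ""
    for index, entry in enumerate(sealed):
        body = {k: v for k, v in entry.items() if k != "tag"}
        expected = hmac.new(key, prev_tag.encode() + canonical(body), hashlib.sha256).hexdigest()
        stored = entry.get("tag", "")
        # Constant-time comparison, so timing does not leak tag bytes.
        if not hmac.compare_digest(expected, stored):
            problems.append(f"record {index} (id={body.get('id')}) failed integrity check")
        prev_tag = stored
    return problems


def constructed_payments() -> list[dict]:
    """Constructed sample payment instructions (all values fictitious)."""
    return [
        {"id": "PAY-1001", "payee": "Radiology Partners", "amount_cents": 1250000,
         "routing": "999999999", "account": "000123456"},
        {"id": "PAY-1002", "payee": "Lab Supply Co", "amount_cents": 48200,
         "routing": "999999999", "account": "000987654"},
        {"id": "PAY-1003", "payee": "Facilities Inc", "amount_cents": 99900,
         "routing": "999999999", "account": "000555444"},
    ]


def demo_tamper() -> list[str]:
    """Attacker silently redirects one payment by editing its account number."""
    sealed = seal_records(constructed_payments(), SEAL_KEY)
    tampered = [dict(e) for e in sealed]
    tampered[1]["account"] = "000111222"
    return verify_records(tampered, SEAL_KEY)


def demo_delete() -> list[str]:
    """Attacker removes a record entirely; the chain exposes the gap."""
    sealed = seal_records(constructed_payments(), SEAL_KEY)
    del sealed[1]
    return verify_records(sealed, SEAL_KEY)


if __name__ == "__main__":
    print("untouched:", verify_records(seal_records(constructed_payments(), SEAL_KEY), SEAL_KEY))
    print("tampered: ", demo_tamper())
    print("deleted:  ", demo_delete())
```

Verification only helps if the key is unavailable to whoever can write the records, otherwise an attacker simply re-seals after editing.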

Cloud Infrastructure: There is no shortage of articles touting the benefits of moving to the cloud, even if insufficient attention is paid to the attendant security risks.

As CynergisTek CEO Mac McMillan told Health Data Management, the cloud is “the proverbial double-edged sword. It’s an absolute necessity for advancement, but security continues to lag further behind, which ultimately risks the advancement.”

Extensive due diligence on your cloud services provider is essential, as is a contract that establishes responsibility, reaction and culpability in the event of a breach.

Artificial Intelligence: It would be difficult to imagine that most hospitals and health systems will have the resources to maximize the value of artificial intelligence and machine learning. Unfortunately, that won’t keep hackers from using AI and machine learning as a tool on their side of the security battle.

“From a hacker’s point of view, AI will power malware, and use data from the target to send phishing emails that replicate human mannerisms and content,” said Capgemini UK cyber security chief Andy Powell. “… these AI-powered attacks will resonate with the target better than ever before, meaning they’ll be more likely to fall victim.”

People: As always, there is no more enduring risk to your facility and organizational security than the people who work there. Thorough preparation of your staff is the best defense against the most common forms of hacking and data theft.

But, as Kasey Panetta of Gartner describes in a recent paper on 2017 security trends, it is only one component in an “adaptive security architecture.”

“The evolution of the intelligent digital mesh and digital technology platforms and application architectures means that security has to become fluid and adaptive. Security in the IoT environment is particularly challenging. Security teams need to work with application, solution and enterprise architects to consider security early in the design of applications or IoT solutions. Multilayered security and use of user and entity behavior analytics will become a requirement for virtually every enterprise.”

Does this sound like more technical sophistication and cost than your small or medium-sized healthcare organization can handle? That’s bound to be a common complaint. While all hospitals could potentially fall victim to the security breaches described here, not all hospitals can properly defend against them.

This common vulnerability calls for extensive sharing of knowledge and affordable strategies that guard against loss or manipulation of data. An ongoing Health and Human Services initiative and grant program endeavors to gather and disseminate the most current information on cyber threats, but it may take a few years for that effort to yield actionable information.

It may also call for smaller facilities partnering with those that are larger and more resource-rich. We’re seeing relationships between large and small organizations develop in other areas of healthcare IT such as EHR implementation. Getting to the point where healthcare is not such an attractive hacker target may require the same with regard to security.

D'Arcy Gue is Director of Industry Relations for Medsphere Systems Corporation. 


How can we measure health system success without including mental health care?

If community hospitals are a general barometer of health in the surrounding area, the emergency room is the canary in the coal mine. Viral outbreaks, increases in violence, loss of health insurance from local layoffs—all are social ills that make their presence known first in the ER.

Based on recent ER studies, the U.S. is on the cusp of a full-blown mental health crisis.

According to a recent survey of more than 1,700 emergency physicians by the American College of Emergency Physicians (ACEP), three-quarters of ER docs evaluate at least one individual per shift who requires hospitalization for mental illness. Slightly more than 20 percent say patients wait from 2 to 5 days for an inpatient bed. Only 16.9 percent of ERs have a psychiatrist to call in emergencies, and 11.9 percent have no one at all to call when mental illnesses erupt in the ER.

"More than half (52 percent) of emergency physicians say the mental health system in their communities has gotten worse in just the last year," said Rebecca Parker, MD, FACEP, president of the ACEP. "The emergency department has become the dumping ground for these vulnerable patients who have been abandoned by every other part of the health care system."

The most recent survey results dovetail with a separate study presented at ACEP16 that looked at ER use between 2002 and 2011. From that review, we know that psychiatric visits to emergency rooms jumped 55 percent—from 4.4 million to 6.8 million—during the period evaluated.

The experiences of emergency physicians confirm that America is in the midst of a mental health crisis that requires time and attention. While rebuilding mental health care, we also need to use that process to learn. The state of mental health care can be both a measure of overall healthcare system progress and a cautionary tale about the unintended consequences of using information technology.

Healthcare is functioning when the mentally ill get treatment.

Yes, healthcare is in the midst of a revolution encompassing digitization of data, new payment models, the use of wearable devices and a host of other changes. It often feels like the entire healthcare enterprise is subject to some kind of change.

And yet none of the current overhauls will keep the mentally ill from showing up in emergency rooms. The House has passed legislation intended to help improve the mental health care system and, in part, alleviate some of the stress on emergency services. Hopefully the Senate will do likewise.

What would system changes that benefit the mentally ill look like, beyond a drop in ER visits? Probably something like a patient-centered medical home.

The mentally ill would have a psychiatric professional who would be contacted in the event of an episode at the ER. A network of caregivers, friends and family could provide some confidence that proper care would follow the ER visit. An integrated healthcare IT system would give ER docs the data they need when a man with bipolar disorder wanders in, and it would let the man’s physician know he perhaps forgot to take his meds and had an episode.

Current fractures in the mental health care system mean those who enter the ER with a mental illness are often admitted for lack of local mental health services and support.

When the mentally ill get the care they need, we will know that the intersecting but uncoordinated goals of parity, interoperability, coverage and coordination have finally been met.

Digitized mental health care is better mental health care.

It’s not just that EHRs and other forms of healthcare IT give ER docs more information at the point of care about mentally ill patients. Digital systems that incorporate complete patient records also back up behavioral health clinicians and empower them to provide better care.

A six-year study of mental health specifically by researchers at the University of Southern California’s Keck School of Medicine showed that electronic charting yielded noticeably better clinical documentation. The complete documentation of visits and procedure codes rose from 60 to 100 percent. The timely completion of records improved quality of care and proved an asset in clinical training.

More than just clinicals improve with healthcare IT. Billing and reporting, both essential for financial viability, are more straightforward tasks with electronic support.

“The way things are going, it’s almost going to be impossible to not have an EHR,” Jennifer D’Angelo, chair of the new HIMSS Long Term Care and Behavioral Health Task Force and vice president of information services for Christian Health Care Center in New Jersey, told Behavioral Healthcare. “From an interoperability standpoint, and from a reimbursement standpoint, it’s being required. All levels of care will need to have an EHR for care coordination among all providers.”

Caveat: System security and personal privacy are more crucial with mental health data.

If your patient records are compromised or inappropriately shared, your primary concern is not that people will know you had an appendectomy in 2006 and a mole removed in 2011. You’re most worried about all the other information that will make it easy for the thief to misuse your information or even assume your identity.

And then there’s the experience of Canadian Lois Kamenitz, whose patient record showed that she attempted suicide in 2006. When Kamenitz tried to enter the United States in 2010, U.S. Customs and Border Patrol pulled her aside and would not let her enter the country until she filled out lots of paperwork, paid an American doctor $250 to process it and signed a document saying her medical records would become the “permanent property of the United States.”

Her personal privacy violated in a most unexpected scenario, Kamenitz found out the hard way that personal health information could be used against her after Toronto police shared a database with the Department of Homeland Security. Her experience is not an anomaly. It's not just that a person’s health information could be improperly exploited if accessed by non-clinical reviewers. Non-behavioral health clinicians can also mistakenly complicate or skew physical evaluations, procedure orders and prescriptions. 

So, is the paradox of EHRs and behavioral health patient integrity—improve patient care, increase patient vulnerability—a challenge that requires special attention? Yes, it does. Of course healthcare’s standard is that ALL patient records must be secure, but the sensitive nature of mental illness can often necessitate special diligence beyond what works to secure patient data in acute care. Public perceptions of mental illness frequently include fears of violence or unexpected behavior; at the same time, mentally ill patients fear that public exposure may threaten their employment and community relationships.

Clearly, there are policy issues that have yet to be worked out. Canada changed a policy that will hopefully make what happened to Lois Kamenitz rare or maybe impossible. Let’s hope that the trial-and-error process of policy development works itself out quickly with as few casualties as possible.

While there is much work to be done in simply improving mental health care and the lives of those who suffer, we must put IT and data security measures in place to ensure that citizens are not punished once by their mental illness and then again by a society that fears them. 

Irv Lichtenwald is president and CEO of Medsphere Systems Corporation, the solution provider for the OpenVista electronic health record.

Your most valuable security assets are human, not technical

You know already that the biggest threat to healthcare IT security is the human element. But if human beings are the greatest vulnerability, that also makes them the strongest asset.

Here’s why.

According to the 2016 HIMSS Cybersecurity Survey, the two primary healthcare IT security concerns among provider organizations (hospitals and physician practices) are phishing attacks (most pressing concern for 77 percent of respondents) and viruses / malware (67 percent). Both events require a responsive actor on the organization side of the transaction for hackers to access patient data.

It may seem like this is a rather straightforward problem to resolve—just make sure clinicians and staff have the requisite knowledge and savvy to not get duped and all is good. In reality, especially among larger organizations with hundreds of potential points of entry, turning human beings into alert sentries is a constant human behavioral challenge.

So what strategies can even a large healthcare organization employ to ensure that the people who use IT systems are firmly engaged in system defense?

  1. Train, train and then train some more. A study by Wombat Security Technologies and the Aberdeen Group suggests that upgrading employee awareness can reduce security risk by anywhere from 45 to 70 percent. Among the highlights of the report are these bits of crucial and related information:

    • There is no such thing as a 100 percent secure IT system if it is used by people. It makes little sense to invest heavily in technology if you fail to effectively train system users.
    • An organization with $200 million in annual revenue can expect to lose $2.5 million per year from infections borne of employee behavior, with an 80 percent chance the loss could jump to $8 million annually. (Note that this is across organizations and not specific to healthcare.)

    Don’t assume that any bit of information about system security—maintaining strong passwords, keeping mobile devices secure, navigating the internet safely, etc.—is common knowledge to employees and staff. Someone may not know something that will cause your organization harm.

    Your goal in training is to inculcate a culture of security that becomes second nature to every user beyond just IT staff. Indeed, you are working to expand the awareness of the IT team outward to all staff and employees.

    According to the results of another recent survey conducted across industries by Experian Data Breach Resolution and the Ponemon Institute, there is room for much improvement when it comes to preparing employees.

    • Only 46 percent of companies require employee training on data security; only 60 percent require re-training after a data breach.
    • Half of survey participants think their current training programs actually reduce noncompliant behavior, and 43 percent said their organization provides only one broad training course that doesn’t include some of the finer points of system security.
  2. Beware the disgruntled employee. Internal staff members motivated to do harm are a particularly troubling challenge. Could there be a Snowden or Manning in your organization? It’s less likely where ideological issues are not a factor, but it’s also impossible to gauge exactly what might set people off. Prepare for the disgruntled just in case.

    • Make sure that all active privileged accounts are connected to a current team member.
    • Audit the system regularly and immediately after any kind of security breach. (Privileged accounts used in a breach that are not connected to a current member will lower the value of the audit significantly.)
    • Closely monitor and manage privileged accounts, and create alerts to enable rapid reaction when things go awry.
    • Make sure departing members of the team return laptops and other mobile technology immediately before departing the organization.
    • Ensure only the minimum necessary access to certain information for each member of the team.
    • Apply sanctions for violating known policy consistently, quickly and even-handedly.
    • Consider having managers and directors, especially those working with clinical staff, identify the people they have concerns about and share that information.
  3. Elevate the importance of strong security among organizational and leadership priorities. According to the Experian Data Breach Resolution and the Ponemon Institute study, only 35 percent of respondents said they think senior executives feel it is important for team members to understand the potential organizational risks from data breaches. That correlates with the 60 percent of companies that feel their employees are not sufficiently aware of potential security breaches.

    On a related note, only 33 percent said their organization rewards employees for being security proactive, and 32 percent said there is no penalty at their organization when an employee causes a breach. Perhaps executives should take a look at incentives as well.
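The privileged-account checks under item 2 above (accounts tied to a current team member, regular audits, alerts on misuse), as an added example that is not from the article or from Medsphere: a Python script that reconciles a privileged-account inventory against the HR roster, flags accounts not owned by an active employee, and raises alerts when such accounts show up in audit log lines or when a bulk privileged action occurs. The roster, accounts, log lines, log format and bulk threshold are all constructed assumptions for illustration.

```python
"""Reconcile privileged accounts against the HR roster and alert on risky use.

Constructed example: the roster, account inventory and audit log lines below
are made up for illustration and do not describe any real system.
"""
from dataclasses import dataclass
from datetime import datetime
import re


@dataclass(frozen=True)
class Account:
    name: str
    owner: str          # employee id the account is assigned to ("" = nobody)
    privileged: bool


@dataclass(frozen=True)
class Employee:
    emp_id: str
    status: str         # "active" or "departed"


# Constructed HR roster: one team member has departed.
ROSTER = {
    "e101": Employee("e101", "active"),
    "e102": Employee("e102", "active"),
    "e103": Employee("e103", "departed"),
}

# Constructed account inventory, including a service account with no owner.
ACCOUNTS = [
    Account("dba_alice", "e101", privileged=True),
    Account("nurse_bob", "e102", privileged=False),
    Account("admin_carol", "e103", privileged=True),   # owner has left
    Account("svc_backup", "", privileged=True),        # nobody owns it
]

# Constructed audit log lines in an assumed "ts user= action= [records=]" format.
AUDIT_LOG = [
    "2017-05-20T09:12:03 user=dba_alice action=view_record",
    "2017-05-20T22:41:57 user=admin_carol action=export_records records=450",
    "2017-05-21T03:05:10 user=svc_backup action=disable_audit",
    "garbage line",
]

# Assumed set of actions that only privileged accounts can perform.
PRIVILEGED_ACTIONS = {"export_records", "grant_role", "disable_audit"}

LOG_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+)(?: records=(\d+))?$")


def orphaned_privileged_accounts(accounts, roster):
    """Privileged accounts that are not tied to a current, active team member."""
    orphaned = set()
    for acct in accounts:
        if not acct.privileged:
            continue
        owner = roster.get(acct.owner)
        if owner is None or owner.status != "active":
            orphaned.add(acct.name)
    return orphaned


def parse_audit_line(line):
    """Parse one audit line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, user, action, records = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "records": int(records or 0)}


def audit_alerts(log_lines, accounts, roster, bulk_threshold=100):
    """Return (alert_type, detail) tuples for an audit pass over log_lines.

    Alerts fire for any activity by an orphaned privileged account, for a
    privileged action touching at least bulk_threshold records, and for lines
    the parser cannot read (a tampered or broken log is itself a finding).
    """
    orphaned = orphaned_privileged_accounts(accounts, roster)
    alerts = []
    for line in log_lines:
        ev = parse_audit_line(line)
        if ev is None:
            alerts.append(("unparseable", line.strip()))
            continue
        if ev["user"] in orphaned:
            alerts.append(("orphaned_account_activity", ev["user"]))
        if ev["action"] in PRIVILEGED_ACTIONS and ev["records"] >= bulk_threshold:
            alerts.append(("bulk_privileged_action", ev["user"]))
    return alerts


if __name__ == "__main__":
    print("Orphaned privileged accounts:", sorted(orphaned_privileged_accounts(ACCOUNTS, ROSTER)))
    for kind, detail in audit_alerts(AUDIT_LOG, ACCOUNTS, ROSTER):
        print(f"ALERT {kind}: {detail}")
```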

Will you be able to eliminate data breaches by following these strategies diligently? It’s not likely. Make reduction and mitigation your goal, and if elimination happens, throw a huge party before getting back to work.

Healthcare data breaches are more expensive than those in any other industry, climbing to an average of $4 million in 2016, according to the Ponemon Institute. Can you afford to lose $4 million regularly, only occasionally or once in a blue moon? Let your answer to that question drive the energy with which you put your organization’s comprehensive security plan in place.

Category: Security

HIMSS Cybersecurity Survey: Medical identity theft remains number one concern

Most healthcare cybersecurity stories over the last year or so have focused on ransomware, the frightening new weapon in the hacker arsenal. But the results from the recent 2016 HIMSS Cybersecurity Survey suggest that medical identity theft remains both more lucrative than ransomware for hackers and the primary concern of healthcare IT leaders. According to the survey, 77 percent of respondents feel medical identity theft is the “most common reason” for virtual attacks on healthcare facilities.

What else can we learn from HIMSS’ survey of 150 provider organizations?

  • The lack of resources—both financial and human—is the underlying challenge in mitigating cybersecurity risk. Nearly 60 percent of respondents said they don’t have adequate personnel, and 55 percent said they lack the funds to properly combat what has become a daily battle with hackers.
  • Employees are either an asset or a liability, depending on their level of preparedness. At 77 percent, phishing attacks are the number one cybersecurity concern of survey respondents, who also said email is the primary vulnerability.
  • Healthcare organizations are not using the full set of tools. When asked what cybersecurity tools they use, 64 percent of poll participants said data encryption in transit; 59 percent use encryption at rest, and 54 percent use intrusion detection systems. “Providers have implemented a modest amount of basic and advanced information security tools,” says the HIMSS report.
  • Ransomware has a lot of people scared. When looking to the future of cybersecurity, ransomware is the challenge most respondents fear at 69 percent. Never expected to disappear, phishing scams come in second at 61 percent.
  • The healthcare cybersecurity battle is a daily fact of life. Among poll respondents, 80 percent said they had experienced a “significant security incident” recently. HIMSS recognizes that cybersecurity is a sensitive topic for most if not all healthcare organizations and “… the pervasiveness of attacks presented here may actually be under-represented.”

Perhaps there are security measures mentioned in the report you could be taking but didn’t know about. Maybe you feel like an island in an ocean of hackers that for some reason have targeted you and seemingly no one else. The 2016 HIMSS Cybersecurity Survey report provides an industry overview, but it also enables you to compare your security readiness with others and understand the challenges all healthcare organizations face in the information age. 

D'Arcy Gue is Director of Industry Relations for Medsphere Systems Corporation. 


Ponemon Study: Healthcare aware of security threats, but not really ready for them

You may be suffering from IT security fatigue at this point, for which I offer a half-hearted apology.

Yes, only half-hearted, because the numbers say healthcare is aware of various security threats but still remains vulnerable, making it imperative that the subject stay top of mind until patient data is reliably protected.

For example, the Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data, published earlier this month, offers interesting perspectives on both healthcare organizations and business associates.

For this ID Experts-sponsored study, The Ponemon Institute engaged 91 covered entities (health plans, healthcare clearinghouses, healthcare providers) and 84 business associates (BAs) like healthcare IT companies. Given that business associates often have access to patient data, it’s appropriate that this study and future research projects include partners not involved in actual provision of care.

A review of the Benchmark Study reveals some overarching themes and messages that may prove valuable to healthcare providers and business associates.

Data breaches are common and happening more frequently.

You know this already, right? Probably, but the frequency suggests that only the really big breaches make it into the healthcare IT press.

In the last two years, 89 percent of healthcare organizations and 61 percent of BAs experienced at least one breach that resulted in a loss of patient data. In that same time period, 45 percent of healthcare organizations had more than five breaches and 28 percent of BAs had more than two.

“The annual economic impact of a data breach has risen over the past six years, as has the frequency of data breaches,” the report reads. “Criminal attacks and internal threats are the leading cause of data breaches.”

Employees are both your strongest asset and greatest liability.

How do your employees at all levels feel about working there? How well trained are they in all aspects of their jobs? Are you aware of any particularly disgruntled employees?

Where once these were primarily questions for human resources, now they are highly relevant to the security of your operation.

When asked what type of security incident they most fear, a majority of both healthcare organizations (69 percent) and BAs (53 percent) identified employee negligence and carelessness.

These percentages remain roughly the same as last year, even while the most common cause of data breaches with healthcare organizations—fully 50 percent—is criminal attacks. Among BAs, an unintentional employee action (55 percent) is still the manner by which patient data is most often compromised.

What may provide some comfort for both healthcare organizations and BAs is that a malicious insider (13 and 6 percent, respectively) is not often the cause of lost patient information.

While concerns about employee carelessness might be more statistically relevant for BAs than healthcare organizations, in both entities the gap between negligence and malice represents an opportunity to make employees the first and most effective line of defense.

Indeed, for most BAs (58 percent), data breaches were discovered by employees. On the healthcare organization side, audits (74 percent) most often received credit for data breach recognition, with employee detection second at 47 percent.

Healthcare organizations and BAs recognize that employees are essential to better security. Both entities said better training, as well as more effective policies and procedures, were the most effective way to combat loss of patient data. 

Data security spending and organizational preparation are still not where they need to be.

All of healthcare IT is aware of cyberattacks and the potential danger of losing patient data, and yet IT budgets remain stuck. Among healthcare organizations, 62 percent say their budget for incident response has either decreased (10 percent) or stayed the same (52 percent).

There remains a gap, Ponemon says, between awareness and funding.

“Recent big healthcare data breaches have increased the healthcare industry’s awareness of the growing threats to patient data, resulting in more focus on their security practices and implementing the appropriate policies and procedures, however the research indicates that it is not enough to curtail or minimize data breaches. According to the findings, half of these organizations still don’t have the people or the budget to detect or manage data breaches.”

Perhaps most disconcerting is that while 60 percent of healthcare organizations and 54 percent of BAs assess their organizational vulnerabilities, the overwhelming majority do so on either an annual (41 and 35 percent, respectively) or ad hoc (43 and 35 percent) basis.

Data breach insurance is becoming a standard part of providing healthcare.

The information on data breach insurance from the Ponemon study is interesting and somewhat curious. In the study group, one-third of healthcare organizations and 29 percent of BAs are insured against data breaches and cyberattacks. Of that group, a majority of both healthcare organizations (57 percent) and BAs (52 percent) purchased up to $5 million in coverage.

What do these numbers say about healthcare and preparation for cyberattacks? For one thing, we know that healthcare organizations and BAs are both concerned about liability; the coverage most frequently provided (just north of 70 percent for both groups) by the selected data breach policies is legal defense.

Other than that, it’s hard to draw any definitive conclusions based on the figures alone. On an individual basis, some organizations may find it more affordable to insure than fully prepare. Others may pursue both strategies.

It does seem clear that most of healthcare is under no illusions about how well prepared the industry is for hackers and cyberattacks. When asked why healthcare has a bullseye on its back, healthcare organization respondents said quite clearly that the industry is not doing enough, offering these perspectives:

  • 51 percent: Healthcare organizations are not vigilant in ensuring their partners and other third parties protect patient information.
  • 44 percent: Healthcare organizations are not hiring enough skilled IT security practitioners.
  • 41 percent: Healthcare organizations are not investing in technologies to mitigate a data breach.

The rise in cyberattacks puts many healthcare organizations in a difficult spot. Millions have already been spent on IT systems and security, and in many ways and for many providers, it simply isn’t enough. Insurance is one way to guard against disaster, but more successful attacks will lead to higher premiums, making vigilance and adequate preparation the only realistic option.  

D'Arcy Gue is Director of Industry Relations for Medsphere Systems Corporation. 


Remember the Omnibus HIPAA Rule? Maybe it's time for a refresher.

Have the HIPAA security and privacy rules been around so long they fade into the background? Perhaps so, which could be problematic. You see, the 2013 Omnibus HIPAA Rule strictly defines the liability and obligations of all business associates, which vendors with access to PHI must understand. As must providers, many of whom are still using pre-2013 business associate agreements. Along with general liability and obligations for business associates, the Omnibus Rule also expands financial liability and enforcement, and introduces altogether new privacy and security provisions. If the 2013 Omnibus HIPAA Rule never showed up on your radar, or if it’s just time to brush up on HIPAA regulations, download and read our Guide to Omnibus HIPAA now.

With the dramatic uptick in security breaches over the last year, this is an opportune time to update your knowledge of security and privacy rules or perhaps familiarize yourself with them for the first time. D’Arcy Gue, vice president of industry relations for Medsphere’s Phoenix Health Systems division, was commissioned to write a full summary of the HIPAA Omnibus Rule by Thompson Publishing, giving you all the information you need in just seven pages.

Download the Guide to the Omnibus HIPAA Rule
 


You think your systems are secure. Should you still get cybercrime insurance?

Naturally, most of what you hear from healthcare IT companies about their products is going to be upbeat, designed to create a sense of potential and promise. I mean, I can easily extol the virtues of the company I lead and the products and services we sell.

But if I’m responsible and realistic, I also need to call attention to the challenges healthcare IT can create on the path to improved care. Without doubt, any information technology that creates, maintains, or transmits electronic patient data is a source of risk, as evidenced by the numerous security issues that are top of mind right now for just about everyone working in healthcare and healthcare IT.

Still relatively young, cyber liability insurance has nonetheless grown in recent years and is now available to organizations concerned with breaches, loss of data and ransom scenarios.

Have we gotten to the point where insurance against these types of situations is necessary, viable and affordable? It’s a question worth asking.

You’re probably familiar with the hospitals, health systems and insurance carriers that have suffered security breaches—names like Anthem, Hollywood Presbyterian, UCLA Health System and MedStar Health. These are only a few of the healthcare industry players that have been hacked, and they are a tiny slice of the organizations and facilities that are targeted on a daily basis.

Not only are healthcare organizations targeted, it’s happening with ever increasing frequency. According to Symantec’s April 2016 Internet Security Threat Report (ISTR), new malware variants jumped 36 percent from 317 million to 431 million from 2014 to 2015. Over the same time period, crypto-ransomware assaults rose from 737 to 991 per day.

New devices are creating more openings and threats. Mobile vulnerabilities rose more than 200 percent from 2013 to 2015. The Internet of Things (IoT) creates a game of whack-a-mole for hospitals trying to plug every potential access point.

Yes, the recent surge in cyberattacks on healthcare is alarming. Because hackers will try to maximize vulnerability until the window closes, expect them to continue and increase.

Of course, leadership at your healthcare organization is doing everything in their power to prevent cyberattacks and loss of patient data. You regularly back up data, and you have a ‘gold image’ of systems and configurations and a plan for dealing with attacks. You’re working with an established, reputable cybersecurity firm, and you’ve created test plans as part of a broader effort to educate and prepare all personnel. And every year you conduct a security review to make sure the preceding is in place.

If you have done all this, good for you. You’d probably have to anyway. Insurers, after all, pool risk to guard against unfortunate events despite all preparation, not in lieu of it. The numbers suggest the risk is significant.

In 2015, according to the NetDiligence Cyber Claims Study, the largest cyber insurance claim of the year—$15 million—came from healthcare, with the average claim falling between $30,000 and $230,000. Because retail and healthcare are the most vulnerable targets of cybercrime, insurance companies are now charging more to insure digital assets. In some early-2015 cases premiums tripled for healthcare organizations; Reuters reports that high deductibles are common and even large insurers won’t write policies for more than $100 million when clients are considered high risk.

If actuaries see healthcare as that vulnerable, it might be wise for us to see ourselves in similar terms. We know, after all, that the demonstrated vulnerability to hackers of healthcare organizations squares with the amount of money spent on security—currently a dismal 0 to 3 percent of total IT budget in most hospitals.

Well, you might say, my organization has not suffered a successful hack and lost patient data. Good for you. But can you afford it if you do? Again, the largest claim against cyber liability policies in 2015 was for $15 million by a healthcare organization, and hacks are becoming more effective and more frequent.

We’re not a very big hospital, you might think, so I doubt we’d be a target.

But the NetDiligence Cyber Claims Study shows that small and mid-sized organizations (revenues under $300 million) filed almost half (46 percent) of all claims in 2015, clearly demonstrating that large hospitals and healthcare organizations are not the only tempting targets.

The Symantec ISTR report also found that the highest number of 2015 network breaches, 39 percent, came from health services. And even while hackers are hitting healthcare harder than other industries, the actual number of identities exposed is relatively low, demonstrating the financial value of the data kept in patient profiles.

Indeed, according to NBC News, in the market for illicit goods and information, stolen credit cards are worth from $1 to $3 and social security numbers return about $15. Complete medical records, however, which provide access to prescriptions, treatments, surgery, even false tax returns, sell for around $60 each.

The February 2014 Cyber Insurance Roundtable Readout Report gleaned from a summit convened by the National Protection and Programs Directorate within Homeland Security probably sums up the situation well for most CIOs and chief security officers. It shows that healthcare organizations must weigh their preparedness for cyberattacks against the cost of cyber liability insurance and the potential costs of a breach.

Two years later, hacks are increasing. Premiums are increasing. But skyrocketing premium prices incentivize healthcare organizations to forgo insurance for stronger electronic locks and higher virtual walls. As cyber liability insurance grows, healthcare organizations would do well to engage with insurance providers in discussing the criteria by which a policy is affordable and provides protection.

Which brings us back to the reality of healthcare in the digital age. You are going to have to spend more on cyber security to either prevent data breaches and ransom attacks or clean up after them. And if cyber liability insurance sounds interesting, you’ll have to demonstrate effective and reliable security just to get an affordable premium. There’s just no way around better IT security. 

Irv Lichtenwald is president and CEO of Medsphere Systems Corporation, the solution provider for the OpenVista electronic health record.


You’re not investing enough in IT security, healthcare

Mathematically, the gap between $3.6 million and $17,000 is a chasm.

This is something you know well if you’re Hollywood Presbyterian Hospital, which paid the latter number to unlock patient data held hostage by malicious hackers using ransomware when the former number is what the hackers initially asked for.

While the dramatic reduction in ransom may have caused Hollywood Presbyterian to breathe a sigh of relief, there is no reason they or you should feel comforted. Consider this an initial shot across the bow of what promises to be a lengthy and spirited battle between wired healthcare and cybercriminals.

The fact is, most of healthcare simply doesn’t spend enough on data security. In a study conducted by HIMSS Analytics and Symantec that polled 115 IT and security professionals in hospitals with more than 100 beds, more than half (52 percent) said their organization dedicated between zero and 3 percent of the IT budget to security. Just 28 percent said they spent between 3 and 6 percent of IT budget on security.

“All of this makes healthcare organizations rich targets for cybercriminals,” reads the study summary. “Stolen patient data fetches up to 50 times more than a Social Security or credit card number, because a patient’s EHR contains data that can be used for medical or identity theft, or other fraud. As a result, criminal attacks on healthcare information systems have increased 125 percent in the past five years.”

Smaller IT budgets mean fewer resources for security personnel. Among respondents to the HIMSS Analytics/Symantec poll, 72 percent employed five or fewer people dedicated to security; 10 percent of respondents have 21 or more on the IT security staff. When adjusted to include employees with data security responsibility outside of IT, the average among respondents was 10 people.

So, how many data security pros is enough? How much of the IT budget should hospitals spend on security, adjusting for size? The report offers no specifics. Right now, faced with a growing security concern in hospitals, the answer seems to be “more.”

“The irony is that information technology and data in healthcare are clearly critical to the mission of providing care, yet data security is an afterthought,” said Mac McMillan, chair of the HIMSS Privacy & Security Policy Task Force and CEO of information security and privacy consulting firm CynergisTek. “We don’t have enough” data security specialists, McMillan added, “and we don’t have enough who are qualified to do their job.”

One interpretation of the HIMSS Analytics/Symantec report is that we’ll have a much better idea of how much and how many is enough once we know most healthcare facilities are following proper protocols and successful hacker intrusions level off or decline.

Organizational structure and reporting, for example, is one protocol that deserves attention. It turns out most chief information security officers (CISOs) report to a chief information officer (CIO), effectively putting the person primarily responsible for security in the position of monitoring their own superior’s work. Among respondents, 54 percent said security reports to the board don’t happen regularly and 8 percent said they never happen.

The reality is that hospitals need to spend what it requires to avoid the Hollywood Presbyterian scenario. Sure, it was only $17,000 this time, but it will be more next time, and perhaps it will be a lot more than one organization can afford.

The initial investment in sound security will require more dollars, physical and technical protections, and people, but it doesn’t have to stay that way after a solid, sustainable security program is in place. Witness recent examples in Ottawa, Canada, and Henderson, Kentucky, in which hospitals were hit with ransomware attacks and were prepared to weather the assault.

Proper security. No assault. No ransom paid. No data lost. No patient data compromised.

In the real world, there are critical access hospitals that don’t have 21 doctors and nurses combined, let alone 21 employees focused on IT security. Fewer security personnel reliably correlate with vulnerable technical infrastructure and an inability to keep up with essential IT changes and upgrades.

So what can hospitals that lack money and a current security plan do to avoid the same fate as Hollywood Presbyterian? For starters, line up the ducks. The organization of waterfowl, according to HIMSS Analytics and Symantec, requires establishing priorities and inculcating organizational practices.

  • Make the CISO and CIO parallel positions to maintain separate spheres.
  • Include security updates in regularly scheduled reports to the board.
  • Establish an ongoing, consistent risk-management program.
  • Prioritize and reach a consensus on data-security measures.
  • Make medical device security and the Internet of Things part of the security plan.

“Healthcare is a very open, caring and trusting business,” said McMillan. “They [hospitals] don’t understand that you cannot have privacy without good data security.”

Okay, maybe some in healthcare don’t fully grasp the dangers of the brave new IT world their hospital or clinic is moving into. However, I think that, after years of internalizing HIPAA, clinicians and other healthcare workers understand privacy and security just fine. It’s not like healthcare is the only industry to be successfully hacked, after all.

My question is not so much about understanding as it is about investing in safety. How are hospitals already close to the financial margin going to pay for additional security protections, including needed staff, to keep the bad guys out of the (data) bank vault?

We won’t arrive at the solution simply or quickly and it will require extensive collaboration similar to creative broad-based initiatives currently underway.

To date, the ONC-initiated Interoperability Pledge, for example, has garnered written commitments from healthcare organizations of all stripes across the nation. These include the five largest health systems and providers in 46 states, as well as companies that provide 90 percent of the EHRs used by hospitals nationwide. No, a pledge is not binding, but it is indicative of a serious appreciation of the need to ensure easy, secure access to health information for patients and the providers serving them. It may also pave the way for more substantive collaboration around future nationwide interoperability.

Perhaps the CHIME National Patient ID Challenge, which focuses on the challenge of accurately matching patients with records and offers $1 million for the best solution, can serve as a model. Like security breaches, inaccurate matching annually creates millions of dollars in additional costs and harms patient safety. A patchwork of identification solutions has yielded at most 80 percent matching accuracy, even in our most sophisticated hospitals. Aiming for 100 percent accuracy, the CHIME challenge has lit a fire under at least 80 entrants across seven countries ranging from startups to large corporations to clinicians and even including credit bureaus.

Both the CHIME and Interoperability Pledge initiatives strive to harness the collective wisdom of a diverse community and maximize limited resources, including people, in a way that produces broadly beneficial results.

At some point in the near future, this kind of cross-industry collaboration on effective security systems, standards and strategies could be shared affordably with smaller hospitals and other providers that face ongoing resource challenges. In that aspect of dealing with burgeoning security threats, there is probably a role to play for everyone from the federal government to private industry to healthcare providers right down to the smallest critical access hospital in rural New Mexico.  

That hackers are increasingly targeting healthcare clearly says something about the newfound maturity of the industry. That they are lured by the prospect of easy pickins says something as well. We can take a moment to dwell on the former, after which the latter demands all the energy we can spare.  

Irv Lichtenwald is president and CEO of Medsphere Systems Corporation, the solution provider for the OpenVista electronic health record.

Category: Security

As health IT matures, security approaches must mature with it

Not that long ago, healthcare worried mostly about the physical loss of personal health information (PHI) by way of a lost thumb drive, a stolen laptop, some misplaced paper files. These were the primary concerns in HIMSS' initial security survey, published in 2008. It wasn’t until five years later, in 2013, that the largest healthcare security breaches came from cyberattacks instead of lost or stolen devices.

So, is it encouraging to see how far the rapid pace of change has carried health IT in just a few years? Well, yes and no. Growth is good, but it always presents a new set of challenges.

To be sure, healthcare has joined the rest of the wired world as a frequent target of technically skilled ne’er-do-wells. In 2014, cyber breaches in the form of systems hacking, credit card skimming and phishing (obtaining sensitive personal data by pretending to be someone trustworthy) totaled 29 percent of all security breaches. In 2015, that number rose to 38 percent.

Expect the trend to continue.

And expect it to get more complicated based on what’s happening in other industries. You may, for example, remember an interesting experiment last summer in which hackers demonstrated the susceptibility of a car’s onboard computer system by taking control of a Jeep going 70 miles per hour on a freeway outside St. Louis.

“Immediately my accelerator stopped working,” writes Andy Greenberg in a Wired magazine article on the car sabotage. “As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.”

The hurtling SUV hijinks are just one example of the Internet of Things (IoT), the global network of tangible objects (a Jeep, for example) with embedded sensors, software and hackable Internet connections. Where cyber masterminds used to have to access a car’s diagnostic port to tap the computer, now they can do so wirelessly.

Of course, the commonality of sensors and software makes most devices potentially hackable. So, what might hackers do if they can gain remote control of healthcare devices? The prospects are a bit chilling. Imagine where that Jeep might have gone with black-hat hackers at the keyboard.

“We may soon be looking at insertables—implants, pacemakers, insulin pumps—becoming targets of cyber-terrorists,” says Ponemon Institute Chairman and Founder Dr. Larry Ponemon in a Healthcare IT News article. “And this is not science fiction. It’s already been demonstrated.”

Nightmarish movie scenarios are unlikely, but hackers are already able to install ransomware on computers, holding data hostage until the owner pays a ransom to recapture control.

“It’s a bit like thieves sneaking into your home, and rather than carting away the TV, stuffing your jewelry and electronics into an impenetrable trunk,” explains Kaveh Waddell in The Atlantic. “Then they try to sell you the key.”

As Waddell reports, one hacker made $1 million in a single day off desperate computer users, and the FBI says some viruses are so good the easiest path is to just pay the ransom—usually in the $300 to $750 range.

“There is cause for concern,” according to a report by the Health Research Institute at PriceWaterhouseCoopers (PwC). “2015 saw the first-ever government warning that a medical device was vulnerable to hacking—an infusion pump officials warned could be modified to deliver a fatal dose of medication.”

Of course, hacks, ransomware, phishing scams and the like are not just happening in healthcare. Analysts estimate banking lost roughly $1 billion to cybercrime between late 2013 and early last year. Last summer, JP Morgan reported that hackers had accessed a database with information for 76 million households and 7 million small businesses.

As one might expect, these incidents are only a drop in the bucket. As a former executive with a financial portfolio management software firm, I know the assault on financial institutions is relentless, despite constant and detailed efforts to improve security. After all, as Willie Sutton reportedly said when asked why he robbed banks, “Because that’s where the money is.”

But what if hackers, en masse or gradually, were to figure out that hospitals were actually pretty lucrative and easier pickings? There’s not much reason to think that hasn’t happened already. Consider the Anthem breach last year and PwC analysis showing that 85 percent of large healthcare organizations experienced a breach in 2014 with 18 percent costing more than $1 million to fix.

Sutton’s logic applies to healthcare organizations, too. Hackers will go after the big ones because that’s where the money is, but there’s no reason to think it will end there. If a small hospital can be held hostage for $300 in ransom, why should we think they won’t be? After all, the urgency associated with unlocking an infusion pump will be greater than regaining access to vacation photos. More urgency equals more rapid payment, and more frequent hostage taking if security doesn’t improve.

While healthcare has not been a major hacking target for that long, the security recommendations and requirements that anticipated these scenarios have been around for a while in the form of regularly updated HIPAA regulations. These regulations require hospitals to establish a security framework – basic procedures like access control and user education. Unfortunately, they provide little in the way of specific strategies and tactics like regular penetration testing, clear reporting procedures, or periodic testing and training. Hospitals and health systems must make their own decisions to ensure that their overall environment is secure.

I have no doubt all healthcare enterprises believe they are doing their best to protect PHI and patient financial information. But there are still disconnects. Even the most security-aware technical staff is limited by budget restraints. Even the most focused administrator has a lot of moving parts to manage and fund. And HIPAA requirements leave some security preparation wiggle room based on the size and resources of the facility. 

Ultimately, the security decision calculus must be driven by risk—by what a hospital or health system is vulnerable to—not what it can marshal the resources to defend against. And understanding risk has little reward if you don’t invest the time and money to mitigate it.  In our connected world, we pay for security or we pay for lack of security. There can be little doubt that the former is more affordable—to say nothing of predictable—in the long run.  

Irv Lichtenwald is president and CEO of Medsphere Systems Corporation, the solution provider for the OpenVista electronic health record.

Category: Security

Can your hospital benefit from e-prescribing?

On the face of it, the use of computers to order prescriptions seems like a no-brainer. Who, after all, is capable of reading a physician’s handwriting?

But if we set aside clichés, there is still this question: Does e-prescribing provide distinct benefits over handwritten patient prescriptions? With acknowledgement of some drawbacks, it would seem the scales tip decidedly toward e-prescribing as a net positive.

E-prescribing Benefits

Electronic prescriptions help keep patients focused, according to a Health Management Technology (HMT) report on a 2012 Surescripts study that found a 10 percent uptick in “medication adherence” to prescriptions filed electronically.

“The Surescripts analysis is an important contribution to a growing body of literature on e-prescribing and on medication adherence,” Harvard Medical School’s William H. Shrank told HMT. “In a huge study, they have shown a clear link between e-prescribing and first-fill medication adherence.”

According to the World Health Organization, roughly 50 percent of patients globally don’t follow their prescription regimen, resulting in 125,000 preventable deaths and billions of dollars in unnecessary healthcare costs. Surescripts estimates that more rigorous commitment by patients to taking medications could create between $140 billion and $240 billion in savings and better outcomes.

Perhaps the most obvious benefit of e-prescribing is the one initially referenced—improved legibility. According to research conducted in two Sydney, Australia, hospitals and reported on by PLOS Medicine in 2012, this is one component in a broader patient safety benefit.

Using hospital wards with no e-prescribing as controls and separate e-prescribing wards as test subjects, the researchers identified “statistically significant” error rate reductions of 66.1 percent and 60.5 percent as a product of “a large reduction in unclear, illegal, and incomplete orders.” More importantly, the bulk of the improvement came from reductions in “serious errors” as opposed to what the study calls “clinical errors” of less significance and potential impact.

Additional analysis by Surescripts shows cost savings as a result of fewer adverse drug events and patient readmissions, as well as reductions in unnecessary staff hours, can range from roughly $100,000 annually for a small hospital to over $1 million for a very large inpatient facility.

A 2013 study published in U.S. Pharmacist concluded that e-prescribing’s benefits (lower overall costs, better access to prescription records, improved workflow, time saved on verifying handwritten orders, access to patient insurance information) outnumber costs: difficulty of fixing incorrect orders, problems with software design, prohibitive software purchase and start-up costs.

“It is anticipated that, with continued advances in technology, these problems will be resolved and e-prescribing will yield more benefits than risks for patients, providers, and pharmacists,” write the U.S. Pharmacist authors. “Utilization of technologically advanced e-prescribing software is projected to improve pharmacy workflow and efficiency while reducing prescribing errors, and to ultimately enhance patient safety.”

E-prescribing also gives hospitals and physicians a tool in America’s current surge of opiate addictions and deaths. So alarming has been this trend that the state of New York has mandated the use of e-prescribing by 2016. Already, New York reports a decrease of 75 percent in “doctor shopping,” the practice, usually by addicts, of going from doctor to doctor to obtain prescriptions for controlled substances.

Currently, only New York and Minnesota require electronic prescribing, even while the potential benefits to individual patients with addiction issues have been apparent to many physicians for some time.

“I had an example last fall of someone getting Ritalin from 16 doctors. I spent a half hour on the phone with him, that day, and I then called a psychiatrist from whom he'd brought the letter saying he had ADHD symptoms,” Texas physician Matt Weyenberg told Dana Blankenhorn of ZDNet Healthcare. “The doctor asked how I figured it out. I said with my Electronic Medical Record (EMR), and he said what's an EMR.”

E-Prescribing Considerations

So, what should a healthcare organization consider in implementing an e-prescribing solution? For most hospitals, e-prescribing decisions will be made in the context of acquiring an electronic health record (EHR), which is a serious and extensive process. Part of that process includes engaging with a health information network provider that connects hospitals and pharmacies.

Hospital administrators and leading physicians should ask themselves questions about an e-prescribing solution AND a prospective network provider when looking at EHRs.

  • Will clinicians use the e-prescribing solution? Meaningful Use Stage 2 requires that 50 percent of all prescriptions be sent electronically. Unwieldy systems give clinicians reasons to not use them.
  • Is the information network secure? Ask questions about system and network security. The use of VPN and SSL network technologies to meet HIPAA requirements should be part of the discussion.
  • What do the pharmacies we work with use? Check with the external pharmacies you currently engage with to determine which information network they currently use.
  • Are there transaction fees on the network? As with any transaction, ask questions to find out where additional fees might be hiding.
  • How do we introduce e-prescribing to patients? Especially with older patients, e-prescribing may be a source of some insecurity because they don’t get an actual paper prescription. Take the time to explain how it works and perhaps, at least initially, give them something to take to the pharmacy with them.

Even while there is considerable consternation and debate about the efficacy of EHRs, the value of e-prescribing functionality has become more readily apparent to physicians, hospitals and health systems.

According to Persistence Market Research, the e-prescribing global market, valued at $250.3 million in 2013, is expected to grow 23.5 percent annually to 2019 and achieve an estimated value of $887.8 million.

“Thanks in large part to two federal initiatives – first the Medicare Improvements for Patients and Providers Act of 2008, or MIPPA, and later meaningful use – e-prescribing has made huge gains through the first quarter of 2014,” Mike Miliard of Healthcare IT News writes about an Office of the National Coordinator (ONC) report. “Using data from Surescripts, the nation's largest e-prescription network, the study shows a steep and steady climb for eRx – from 7 percent in 2008, when MIPPA was passed, to 24 percent in 2011, when meaningful kicked off, to 70 percent today.”

In all likelihood, your healthcare facility’s e-prescribing decision will be one component in a more extensive health information technology strategy. Talk with colleagues outside your immediate sphere to see what they’re using and how they feel about it, or spend some time with a consultant to learn more about all your options.

D'Arcy Gue is Vice President of Industry Relations for Phoenix Health Systems - a division of Medsphere Systems Corporation. 

Four Reasons for Optimism about the Ongoing Health Care Overhaul

None of us would have the jobs we currently occupy without some ability to focus on details. Running a company, developing IT systems, managing a hospital, seeing patients and evaluating their concerns—all require the ability to dig deep and identify root causes and effective solutions.

But maybe that focus on the trees blinds us to changes in the forest, to use a well-worn aphorism.

With that broader perspective in mind, I’d like to suggest four reasons for optimism as we continue to move through this wholesale experiment in tinkering with the health care system of a large and diverse nation.

Accountable Care is the way of the future.

The last week of August, CMS released numbers for the 333 Medicare shared savings program (MSSP) ACOs that both Healthcare IT News and Health Data Management characterized as disappointing.

Looking at the numbers, I understand why. In 2014, a modest 92 of 333 reduced spending enough to qualify for financial incentives; in total, those 92 reduced spending by $806 million and earned $341 million in reimbursement. (An additional 89 were able to cut costs, but not enough to qualify for payout.) The modest numbers give rise to concern because Track 2 of the program would create a scenario where ACOs might have to reimburse CMS if they cannot cut costs further.

So, why am I optimistic about ACOs when most have been unable to significantly reduce costs? Because the program is trending significantly in the right direction. Examples:

  • No MSSP ACO in Track 2 of the program had to pay CMS in 2014.
  • The savings numbers for last year (recall that 92 ACOs reduced spending by $806 million) are notably better than in 2013, when 538 ACOs created $315 million in shared savings.
  • Of the ACOs that have been in the program since 2012, 37 percent generated shared savings compared with 27 percent for those that entered in 2013 and 19 percent in 2014.
  • The ACOs that reported in both 2013 and 2014 improved in 27 of 33 measures of quality care.

The ACOs that have been doing it for longer are getting better at improving care and cutting costs. The odds of a replicable care model coming from the collective experience of these organizations seem pretty good. And if the fact that many have not met CMS standards seems discouraging, keep in mind that CMS has the flexibility to adjust timeframes and measurements moving forward to recognize where the model is working and how it offers promise.

HIE participation is increasing.

According to the ONC, 96.9 percent of hospitals reported using a certified EHR system in 2014. We are almost at EHR saturation among hospitals, meaning the infrastructure is in place for wholesale data exchange. Evidence of this is the fact that 76 percent—a number that has been rising since 2010—reported record exchange with external ambulatory care providers and other hospitals.

What remains are the technical, operational and financial issues that keep full interoperability from occurring. These technical issues can be eliminated with time and energy. The operational issues will probably have to be overcome with ingenuity, cajoling, negotiation and hopefully only a small amount of manipulation and public shaming.

Much has been made of the obstacles to interoperability, but I’m no longer of the opinion these are insurmountable so long as we operate with close to complete information, the key to an open and balanced marketplace. Information proliferation and the attendant response caused one large EHR vendor to dramatically reduce file transfer fees. It has caused one former hospital CEO to allege antitrust violations by the same EHR vendor and a major client.

Sunshine is the best disinfectant. Vigilance is still necessary, but I think faith is warranted.

Open-ended premium pricing for EHRs is coming to an end.

According to recent analysis by IDC Health Insights, the Department of Defense’s selection of Leidos and Cerner will have “significant” impact on the EHR marketplace.

“IDC Health Insights expects that the impact of this award will be significant because it will end a period of open-ended and premium pricing for EHR that to date has been largely driven by government incentives but which in the future will be driven by calculations of business value and return on investment (ROI).”

While pricing analyses vary, IDC Health Insights believes the overall Leidos / Cerner bid was considerably less (this says nothing about what it ultimately will be) than that of IBM / Epic, making untenable the argument that taxpayers could recoup the investment in a higher priced EHR platform. Additionally, the IDC report says “Cerner will gain competitive traction at Epic's expense,” and the DoD selection demonstrates a focus on interoperability and open architecture.

Of course, IDC is only one firm. What might bring more pressure to bear on EHR pricing is providers and hospitals taking on more direct financial risk for patient outcomes. When readmissions become more costly, one-off Epic and Cerner implementation projects really are unsustainable.

Behavioral health is finally a priority. Really.

We can’t really modify and improve the health care system in America if we continue to pretend like mental illness is not an essential component in that overhaul. Legislation making its way through both houses of Congress seeks to raise the visibility of mental health in the overall care system.

Representative Tim Murphy (R-PA) is back in the House with his Helping Families in Mental Health Crisis Act, reintroduced this past June. Joining him in the Senate is Chris Murphy (D-CT), who recently introduced the Mental Health Reform Act of 2015.

While neither bill has been approved, both legislators are already coordinating on what a final bill sent to the entire Congress for approval might look like.

If a final bill is endorsed by Congress, at least some credit will go to a heightened focus on mental health in the media. In recent months, the Washington Post reported that in 44 of 50 states and the District of Columbia, the largest corrections facility (prison or jail) holds more mentally ill persons than the state’s largest psychiatric facility. Early this summer, The Atlantic published a lengthy exposé of Cook County Jail as America’s largest mental health facility.

Morally, America is failing the mentally ill. Importantly, from a utilitarian perspective, we’re paying a high financial price for doing so. Anecdotal factors seem to indicate a greater awareness of those concerns. Keep your fingers crossed.

To be sure, there are valid statistics and perspectives with regard to each of these four areas that suggest a less rosy outcome. You’ll have no problem finding physicians and hospital administrators who think Meaningful Use and other health system fixes are an unmitigated disaster.

And I will certainly admit that there is tremendous room for improvement, but I believe that improvement will happen. I believe we have the intelligence, fortitude and ethical grounding necessary to make necessary adjustments.

Change is happening. It will not soon, if ever, be halted. So, I ask you, is there not some aspect of health care overhaul you can get behind and constructively support?

Irv Lichtenwald is president and CEO of Medsphere Systems Corporation, the solution provider for the OpenVista electronic health record.

Are jackalopes and information blocking similar?

Looking to dupe urbanite travelers, bartenders and bar owners in rural Western taverns sometimes fasten antelope horns to the head of a large jackrabbit. They then mount the whole thing, hang it over the bar and tell visitors looking for a craft brewed IPA to watch for vicious jackalopes when they’re out and about.

So, are we having a jackalope moment in health IT? Do we believe in something we can’t see?

The suggestion has been made that some vendors are actively engaged in “information blocking”—a basic refusal to exchange patient data with other systems. Either that or they’re charging boatloads of money to do so, which is framed as a form of information blocking in a way, but not exactly.

The anecdotes, claims and counterclaims about information blocking are flying.

A vice president from Athenahealth says some vendors are charging $1 million to build an interface, a half million to maintain it and $2 every time a doctor uses it to send data. An Epic vice president says they don’t ever engage in information blocking activities “if they exist at all.” (Honestly, with recent news about EHR costs at Partners, who wouldn’t look askance at Epic?)

Congress certainly believes information blocking exists. The 21st Century Cures Act, recently approved via unanimous vote in the House Energy and Commerce Committee, makes “information blocking” a federal offense and would fine doctors, hospitals and health IT vendors $10,000 for each offense.

Karen DeSalvo, the national coordinator for health information technology, believes it exists. “We have received many complaints of information blocking,” she recently told the New York Times. “We are becoming increasingly concerned about these practices.”

And there’s enough anecdotal evidence to suggest the practice is actually happening, though the causes, frequency and motivations regarding information blocking remain unclear.

“In 2014, ONC received approximately 60 unsolicited reports of potential information blocking,” ONC stated in an April 2015 report to Congress. “In addition, ONC staff reviewed many additional anecdotes and accounts of potential information blocking found in various public records and testimony, industry analyses, trade and public news media, and other sources.”

And this sleuthing revealed that “Most complaints of information blocking are directed at health IT developers.”

“Many of these complaints allege that developers charge fees that make it cost-prohibitive for most customers to send, receive, or export electronic health information stored in EHRs, or to establish interfaces that enable such information to be exchanged with other providers, persons, or entities,” the ONC report to Congress continues. “Some EHR developers allegedly charge a substantial per-transaction fee each time a user sends, receives, or searches for (or ‘queries’) a patient’s electronic health information.”

This is also not a surprise. Businesses exist to externalize costs and increase revenue. The role of government is to act as a watchdog on industry, assuming it usually won’t manage itself. Yes, government can create excessive regulations that get in the way of innovation, but the argument here is for balance and restraint, not wholesale retreat.

And if there is one thing about health IT we can probably all agree on, it is that balance and restraint have not been achieved. We probably can’t even see it from where we’re standing.

“Every technology has an adoption journey,” wrote John Halamka on his personal blog. Among other titles, Halamka is CIO of the CareGroup Health System, CIO and Dean for Technology at Harvard Medical School and a practicing emergency physician. “The classic Gartner hype curve travels from a Technology Trigger to the Peak of Inflated Expectations followed by the Trough of Disillusionment. It often takes years before organizations reach the Slope of Enlightenment and finally achieve a Plateau of Productivity.”

As you may have guessed, health IT is in the Trough.

“It was a five-year project and we're just at the beginning of where we're supposed to be. We're on course. It's all OK,” Halamka said in an interview with HealthLeaders Media. “It's not information blocking. It's not HIT vendors being reluctant or hospitals holding their data hostage. If the definition of information blocking is that the vendors have all hired Chief Information Blocking Officers who spend their nights thinking about ways to restrict information flow, I've never seen it. Find me one example.”

In fact, ONC seems to have found quite a few. And they are not, to be clear, using the hiring of a “Chief Information Blocking Officer” as a working definition.

We know that the technology exists to interoperate and share patient records because other industries do this kind of thing in their sleep. We know that the incentives and / or regulations are not there yet to force real, active, collaborative interoperability.

So, it seems we have two choices: Congress can pass regulations to enforce certain industry behavior, which some members are working towards, or we can wait for the market to spawn an upstart that finds a way to succeed without blocking information and / or charging outrageous fees. Or both.

Halamka may be sanguine about the existence of information blocking, but on this we part ways. I’m not convinced that Nessie exists, that Bigfoot wanders the Pacific Northwest, or that rabbits sprout horns. I do believe, however, that corporations will test the limits of federal regulations, putting the onus on Washington, DC, to find balance.

Oh, and if you’re ever in a bar with a jackalope hanging on the wall, don’t order the Rocky Mountain oysters. 

Irv Lichtenwald is president and CEO of Medsphere Systems Corporation, the solution provider for the OpenVista electronic health record.

Category: Telemedicine, Security