Is your health data more safe or vulnerable in the cloud?

The illusion of control is tempting, even intoxicating. It’s also a common characteristic that almost all humans manifest to one degree or another as we work to satisfy competence motives, the need for security and survival instincts.

Because proximity often feels like control, it might also get in the way of secure healthcare IT.

“Files stored in reliable cloud services are some of the most secure files you can have, provided you have good passwords,” says software engineer John Miller, PhD. “Google, Microsoft, and Amazon all provide reliable cloud services for consumer file storage.”

What, in particular, makes cloud storage superior, according to Miller?

  • Redundancy: The chances of losing the same data saved in at least a couple of different places are low.
  • Security: Keep passwords and access to local machines safe and you’re in good shape. Data centers are not easily hackable and very difficult to physically penetrate.
  • Safe Sharing: You can give trusted individuals read access to data without having to deal with security risks like thumb drives and file copies.

Still, it’s a mistake to think that Amazon or Google can be entrusted with all security precautions. Your healthcare IT vendor is an active player in making sure your particular system is secure. When shopping vendors or considering a move to the cloud, have a conversation that includes these specific concerns:

Risk: How much risk will you be comfortable with? While you could choose to lock your system up tight, there is a tension between system security and ease of access. Find a balance between the two. In striking that balance, ask for assessment process documentation that includes establishing a risk threshold and effectively managing potential security issues related to third-party vendors.

Cloud Security Tools: It’s not wise to rely exclusively on cloud vendor security, but it is also unwise to reject any inherent security they provide. Document succinctly what is part of the cloud service and what your healthcare IT vendor layers on. Two-factor or multi-factor authentication, now widely used, may be one example of a security protocol built into the cloud vendor package.

Responsibility: It will be vital that you ask relevant and pointed questions about responsibility across all three spheres: the cloud vendor, the healthcare IT vendor and your organization. Evaluate documentation that describes what security measures come from each and how they complement one another. It’s critical that you understand whether there are any holes in the security mesh you’re looking to create.

One of the more challenging aspects of moving to the cloud for many healthcare organizations is an uncertainty about what questions to ask. Too often, hospitals and other healthcare organizations may be tempted to just say, “That’s your area of expertise. Make it work.”

It will benefit you in the long run to probe and make your healthcare IT vendor defend and quantify their security approach.

And what, at a minimum, should that approach include?

  1. A Design Philosophy: It may go without saying that your healthcare IT vendor has had to work HIPAA and HITECH considerations into their design approach, but you will still want to see documentation detailing exactly how. Protecting patient data, for example, will require that your data be isolated via network layout from other customer instances. Live and back-up systems should be geographically separate in case of catastrophe. And network access controls should be layered at multiple levels so easy access is impossible. Again, find the right amount of tension between access and security.
  2. Access Control: The security of your system will be preserved only if everyone in your organization adheres to access protocols. Communication between the clinical site and the cloud location should be transported via an IPsec virtual private network (VPN). End users will transparently use the VPN to access system applications in the cloud. Multi-factor authentication for user access and constant system monitoring are both big steps toward a system that’s hard to breach.
  3. Encryption: Make sure that your patient data is encrypted both in transit and at rest, i.e., when it’s sent across the VPN and when it is stored in the cloud. All operational, backup and log data should be encrypted using, at a minimum, the FIPS 140-2 compliant AES-256 standard. Ask about the encryption standard and for documentation of the protocol for moving to newer, more rigorous standards.
  4. Disaster Recovery/Business Continuity: One of the strongest and most obvious arguments for moving to the cloud is the availability of disaster recovery and high availability backups. While unlikely, a disaster could destroy both the live and backup systems if both are in the same place, so ask if they are geographically distinct. You will want primary-to-secondary data replication to be constant, and hourly system snapshots should also be provided in the event of extreme situations. Also, make sure the disaster recovery site is ready to take over organizational operations at the drop of a hat if necessary.

Ultimately, while cloud security makes your organization no more vulnerable to breaches than you are with an onsite data center, there are better and worse ways to approach the cloud. A hybrid model, for example, of some local servers and some cloud hosting actually creates more vulnerabilities than a strictly public cloud approach. Your goal is to have fewer, not more, access points that could be breached.

“To be fair, much of the common perception of cloud security—or insecurity as the case may be—is just myth. Pervasive myth, but myth nonetheless,” says Tony Bradley at Forbes.

And it’s a myth many organizations now benefit from having banished. So, while you’re cleaning out the closet of long-held but possibly incorrect beliefs like the illusion of control, just toss cloud insecurity on the trash heap as well. When managed with the same level of care as local data centers, the cloud offers clear advantages.

Richard Sullivan, MSIS, is chief government officer for Medsphere Systems Corporation.

Category: Security

Hurricanes highlight healthcare IT improvement, expose gaps

Yes, Katrina was already losing appeal as a girl’s name by 2005, when it had fallen to 247th most popular in the United States. But the so-named hurricane that swamped New Orleans in August of that year pushed it off a ledge. By May of 2007 Katrina had fallen more than 100 spots to number 382, its lowest level since the 1950s.

Less trivial is the impact of Katrina on hospitals and healthcare, which has regularly measured itself against the ghost of a seemingly manageable Category 3 storm that morphed into a disaster of historic proportions and nearly destroyed one of America’s more storied cities.

Since Katrina there’s been Rita and Wilma, also in 2005, and Superstorm Sandy on the eastern seaboard in 2012, but nothing else. The recent arrivals of Harvey in Texas and Irma in Florida are healthcare IT’s first real opportunities to test existing infrastructure against mother nature.

So, what are the early reports on the shift to electronic records, remote/cloud hosting and disaster recovery sites after the hurricanes? Things are better, but it’s still a work in progress. After all, many hospitals in New Orleans had EHRs, but it didn’t matter when the water kept rising.

“When Hurricane Katrina smashed into New Orleans in 2005 … tens of thousands of patients lost their entire medical histories—boxes of paper files disintegrated or washed out to sea by the rising waters,” writes Megan Molteni in Wired magazine. “Widespread data loss won’t be as much of a problem for Houston. Today, about 75 percent of providers keep records electronically. But patients still may have trouble accessing their records when it matters most: in the middle of crisis and recovery.”

That’s right. Interoperability remains the hill healthcare IT still has not taken, despite the proliferation of EHRs.

The fear of a Katrina redux inspired many hospitals to improve their physical infrastructure by installing “submarine doors, flood gates, and above-ground backup generators,” which kept 90 of 110 Houston-area hospitals from having to evacuate patients. Darrell Pile, CEO of an organization that coordinated patient evacuation and relocation related to Harvey, said he knew of no hospitals in Houston that lost access to patient records.

And yet, everything was still not totally copacetic in Texas.

“For lots of these patients, these are not their normal clinics,” explained Dan Jensen, manager of 11 clinics in the VillageMD Houston network. “We can try to pull data on some of them, but it’s very limited what we can get. A lot of times we have to start from scratch.”

But Jensen also illustrated the ways in which healthcare IT enables flexibility and rapid response during emergencies. Able to reach only 10,000 of 160,000 patients before the storm, VillageMD Houston’s IT provider was able to engineer a patient portal fix overnight that extended portal communication to all patients, even those who had not signed up.

While Houston was drying out, Irma’s visit to Florida ended up being less destructive but more directly impactful because it shut down most of the state. In total, 36 Florida hospitals closed either in anticipation of the storm or because of its impact. Statewide, 54 hospitals were forced to use backup generators and some reported modest flooding but remained open.

And the Florida Hospital Association received no reports of EHR failure.

Arriving so close together, Harvey and Irma almost entered the national consciousness as one storm. Taken together, early returns suggest healthcare IT has progressed significantly since Katrina.

“Policymakers and health care providers can celebrate one quiet success in the wake of the Houston storm: the computers are still running,” writes Darius Tahir in Politico. “The preservation of patient health records represents a partial vindication for the HITECH Act … that was conceived, in part, as a way to ameliorate natural disasters like Hurricane Katrina by replacing waterlogged paper with modern technology.”

But it wasn’t just Katrina that spurred lawmakers to pass the HITECH Act. It was also the VA’s response to the hurricane.

“The VA — with its pioneering VistA EHR — was able to retain records and access them much more rapidly than its private-sector peers during Katrina,” says Tahir, “… the organization restored access to records from 40,000 New Orleans-area veterans within days; it would take years for the private sector to reassemble its records.”

Indeed, where former Surgeon General Regina Benjamin thought she couldn’t afford an EHR before Katrina, she knew she couldn’t run a hospital without one after.

And yet, despite the generally positive results and clear benefits of healthcare IT proliferation, obvious gaps remain. Patients often scatter to the four winds in a disaster and reattaching them to their records is both challenging and not yet reality.

Plans are, however, in the works to fill this gap. The PULSE project, initiated by the Department of Health and Human Services in 2014, is working to create a data-sharing network that’s switched on in emergencies and makes patient records available to first responders and clinicians when they enter patient name, birthdate and gender.

Initial PULSE tests in disaster-familiar California have gone so well that the California Emergency Medical Services Authority plans to keep the system in place and may switch it on during one of the Golden State’s regular events.

All the testing in the world can only provide so much real-world preparation. With climatologists suggesting that the relatively hurricane-free period between Katrina and Harvey is probably over, it’s encouraging to see the progress represented by both PULSE and the performance of Texas and Florida hospitals. Any optimism at this point, however, should be buffered by an urgency to get it even more right the next time the winds start to swirl in the Atlantic, regardless of what name we give them.

Irv Lichtenwald is president and CEO of Medsphere Systems Corporation, the solution provider for the OpenVista electronic health record.

5 takeaways from the WannaCry ransomware attacks

Will information technology ever realize an imagined future where security is strong enough, reliable enough, secure enough to block any and all attacks?

It’s a dubious proposition made more uncertain by the recent WannaCry ransomware incident that started a couple of weeks ago and continued around the globe for several days. The virus was seemingly halted on Friday, May 12, when a security researcher found weaknesses in the code, but additional versions without those weaknesses have been sent out since.

Whoever is sending out WannaCry will continue, or someone else, someplace else, will send something similar or more virulent. The war is never over.

Which means hospitals, IT vendors, security firms and other HIPAA business associates must constantly work to develop better tools. In pursuit of that goal, what can we learn from the WannaCry attack thus far that can help with security moving forward?

  1. System updates are essential. WannaCry targeted Windows operating systems and succeeded where those operating systems lacked security updates. Hospitals in Britain’s National Health System suffered considerable damage because so many are still using Windows XP, a 16-year-old operating system. Contrast that with U.S. hospitals, which were minimally impacted. Indeed, a major concern for hospitals around the world is the use of old operating systems in a variety of settings that are no longer upgraded or supported. Microsoft rushed a Windows XP security update out after WannaCry was unleashed, but it’s not something the company wants to do or would probably be willing to do with any regularity.

    It probably goes without saying, but the use of unlicensed and unlicense-able software leaves hospitals completely vulnerable to malware attacks. In the U.S., this is not a significant problem. However, in China and countries similarly resistant to strong policing of intellectual property licensing and use, computers may as well put out a virus welcome mat. Reportedly, WannaCry impacted around 29,000 institutions in China.

  2. Devices are vulnerable. Specifically, WannaCry successfully attacked Bayer Medrad radiology devices in at least a couple of examples, the first known hacks of medical devices. The concern about medical devices is acute simply because they often control something directly related to the patient condition. A hack of the EHR system is problematic and disruptive. A hack of a medical device is potentially life-threatening.

  3. Even inept hackers are successful enough to be very disruptive. Possibly derived from hacking tools originally created by the National Security Agency, WannaCry had certain post-NSA vulnerabilities that researchers and security experts could identify relatively quickly. Using terms like “amateur hour” and “easy fix” to describe WannaCry, security professionals said the virus was not a particularly challenging nemesis. But even imperfect malware spread rapidly to more than 150 countries, infected hundreds of thousands of workstations and cost as much as $4 billion. Imagine what kind of damage a more successful hack could do.

  4. The most expensive part of ransomware is not the ransoms. It’s not unreasonable to see many hackers as anarchists with active minds, time on their hands and a perverse motivation to kick at the pillars of modern society. Most of the ransoms demanded in the WannaCry case were in the $300 to $600 range, and most organizations chose not to pay them. As of Friday, May 12, one consultancy estimated only $100,000 in total had been sent to hackers. No one was going to get independently wealthy off this hack. Still, WannaCry bled an estimated $4 billion from the system. Again, imagine a much more successful effort than WannaCry and you can see how motivated hackers might be determined to bring certain essential industries—healthcare, for example—to a grinding halt without getting dollars in return.

  5. Subscription services are a viable alternative. A primary reason WannaCry succeeded at all is because there is so much old software out there running various computing devices. Subscription software is one way to get old software out of the market. With the subscription option, to use WannaCry as a specific example, Microsoft can quickly and easily provide security updates to all applications and operating systems. The company did, in fact, provide updates in March to patch the security hole WannaCry exploited, which made the damage in the United States much less extensive. Clearly, however, those updates did not extend to the millions of Windows instances in use globally. While technology companies have been promoting subscription software options for years, buyers have been slow to sign on. Perhaps instances like this will convince many that subscription is both the more affordable and safer option.

Right now, failsafe responses to malware and hackers are multi-pronged, and subscription software can be a significant component in that defense. Each hospital must develop a comprehensive and stringent security program as a necessary foundation for overall protection.

The security battles will continue into the foreseeable future and each will give us an opportunity to make the defenses more responsive and sophisticated. The hospitals that can learn security lessons without having to pay ransoms or endure systems shutdowns will be those that react rapidly and prepare for the various threats.

Speaking of which, have you installed those Windows security updates recently?

Richard Sullivan is chief operations officer for Medsphere Systems Corporation, the solution provider for the OpenVista electronic health record.


Time to update your security precautions? Take these five basic steps.

If you’re a small healthcare IT operation, a simple spreadsheet might do the trick. If you’re larger, a not-so-simple spreadsheet might be in order.

Regardless of how you do it, hospitals, clinics and other healthcare organizations must identify and monitor every single instance of computer network access. They’re called endpoints, says Larry Ponemon, founder of the security consulting firm the Ponemon Institute, and for you they exist as vulnerabilities.

Your job is to eliminate them through a series of basic security-promoting tasks.

While your IT security staff may have conducted such work in the past related to HIPAA, “in the past” is never recent enough for a robust security program in the hyper-changing technology world, especially if the work was incomplete or conducted over a year ago. In too many hospitals, security protections have been a one-shot effort conducted years ago with little follow-up. Your hospital may need to undertake the following actions from a blank slate perspective in order to combat today’s sophisticated threats.

Identify every device on the network.

We’re not talking about just desktops and laptops, here. Think more broadly and identify everything that has a network connection—desktops, laptops, tablets, mobile phones, IoT devices, etc. You may have also permitted network access for clinicians and staff using their own devices, so take the time to identify those users as well.

Update your software.

After figuring out how many networked devices you have, make sure the security applications on each, which include operating systems, are up to date.

“One of the main reasons hospitals have become ground zero for ransomware attacks is that almost every modern medical device is now a computer,” writes Phillip Hallam-Baker, vice president and principal scientist for cybersecurity firm Comodo, in Health Data Management. “It is not uncommon to find a multi-million dollar device such as an MRI machine running Windows XP Embedded, an operating system version that was last updated when it was retired in 2011.”

Hallam-Baker adds that defeating malware, particularly ransomware, requires a three-pronged approach:

  • Scan inbound email for infected attachments and links to malware sites that automatically download to your computer.
  • Block access to malware sites.
  • Run anti-virus software on every computer in use.

Spread the security gospel.

Now, it’s time for the social engineering. According to respondents in a Ponemon Institute study on networks and cybercrime, 81 percent feel the greatest threat to security is negligent and careless employees who don’t follow established policies and practices. This issue has been complicated in recent years by threats from insecure mobile devices. Train every employee in proper security practices, and reinforce them frequently.

Secure the patient portal.

At some point, turn your attention to the patient portal you installed to meet Meaningful Use. Keith Fricke, the principal consultant at tw-Security, wants you to know that it could create vulnerabilities. Imagine, for example, hostile code that lives on a popular website and downloads to a patient’s home computer. Later visits by that patient to an insecure hospital patient portal might provide a hacker with access to numerous patient records and the opportunity to pass along a virus, hitting your organization with a double whammy.

Cover your business associate bases.

In recent years, according to Ponemon, business associates (BAs) have endured even more data security incidents than healthcare providers. A major reason is that HIPAA-required BA agreements, once signed, tend to sit on the shelves of all parties. Your partners, including IT vendors, may feel much less urgency about patient data security than you do. Make sure their lack of urgency does not impact your security by taking these steps:

  • Evaluate your entire list of vendors and similar partners to determine which have access to protected health information (PHI). Perhaps some BA agreements were never signed, which puts your organization at great risk.
  • Review all of your BA agreement files. Those dated prior to 2013 are obsolete, which adds to your hospital’s security vulnerability. The 2013 Omnibus HIPAA regulations are much stricter with business associates than the original HIPAA security rules, so it is critical to your security program that all BA partners sign an updated agreement.
  • Insist on compliance with the newer rules as a condition of your continued relationship. Double check your BA’s level of security and ask to see its most recent security risk assessment, one of its many obligations under HIPAA.

Taking these actions will greatly improve your organization’s security position and give you much, if not all, the information you need to perform your own HIPAA-required security risk assessment.

A final note on the costs of data security

Many organizations are ill-prepared for the growing onslaught of security incidents, not because they don’t care, but because of inadequate funding and security expertise. High expenditures for recent initiatives such as Meaningful Use and ICD-10 implementation have not helped. Moving forward, senior management must view data security as a cost of doing business, just as it is with financial services and retail. You will have to spend money on security regularly to make it work. As technologies change and security risks increase, a sustainable security program must include regular updates and different and/or additional spending.

In 2017, the security race between hackers and healthcare is going stronger than ever, but it’s not too late to secure your organization’s network if you move quickly and deliberately.

D'Arcy Gue is Director of Industry Relations for Medsphere Systems Corporation.


Take these six steps to alleviate patient anxiety about data security

Not every patient admitted to your hospital will know that healthcare promises to be the most frequent target of hacking efforts in 2017.

But many will. They may be among the 21 percent of patients who withhold information from their doctor for fear of data breaches.

They might also be familiar with hacking and data breaches more generally, so they will put two and two together and figure out that they have much to lose—both personal and financial information—in a successful hack or ransom scenario.

You have a lot to lose, too, starting with patient dollars and trust, both of which are essential to what you do. Surveys suggest most patients will find a new provider should their information be hacked.

If they do inquire, allay patient fears by pointing to these specific strategies and values your hospital uses to safeguard patient data and prevent malicious access.

  1. Transparency: Some of your older patients are not and will never be comfortable with technology. Many of the younger patients will be very comfortable and knowledgeable about it. For both groups, the strategy is to be transparent, which is actually a much broader subject in healthcare than the scope of this blog post. For our purposes here, explain what patient data is maintained, why it is collected in the first place and what you do with it. If you share de-identified patient data, make sure patients know this. Explain the benefits of data accumulation and evaluation and how it could impact their lives or the lives of someone they love.

  2. Dialogue: Continuing the transparency, consider asking patients if they are familiar with the transition to EHRs and how they feel about it. Ask if they have an idea about whether security is better or worse in an electronic system versus paper. Explain the weaknesses of paper and how it may impact patients. Talk to your patients about the commitment your organization has made to keeping patient data safe. Ultimately, your obvious goal is to inspire confidence in the patient and demonstrate your expertise with the technology.

After demonstrating transparency with the patient and establishing open communication about the importance of protecting patient data, explain the measures your hospital has taken to prevent breaches and ransomware incidents.

  3. Security Technology: It will be wise and necessary to assess your patient’s understanding of healthcare technology before offering an explanation of what you’ve put in place. Making every effort to keep the explanation as simple as necessary, talk about what you’ve done to make sure unauthorized access does not happen. This can be as straightforward as talking about the use of strong passwords to access the system, giving different personnel varying levels of access and hiring a chief security officer (CSO), if you have one.

  4. Training and Policy: Something your patients hopefully do not know is that clinicians and other hospital staff are the greatest security vulnerability. Without focusing on that fact, share with patients the security training your hospital has engaged in and policies that define much of your interaction with the EHR system. When you can speak authoritatively to the issues that crop up in a normal day related to security of patient data, your patients will feel more at ease.

  5. System Backup and Recovery: It might be appropriate and reassuring to tell patients that your hospital has a plan for system downtime, as is the case now with almost all hospitals. Perhaps you can also mention the organizational strategies associated with system backup and recovery, how often backups are created and, at a high level, how you test the backup system to ensure proper performance.

  6. Familiarity and Comfort: Often, as patients become more familiar with the aspects of healthcare IT available to them—the patient portal—they also become more comfortable with the system overall. So, by introducing patients to the portal and getting them registered, you are moving toward two goals: lessening their technology anxiety and giving them a little more responsibility for their own care. Over more than a decade, Kaiser Permanente has tracked, documented and refined their use of a patient portal, which may give your hospital some ideas of what a portal can do and how to engage patients in using it.

So, that’s a lot of information to present to patients when many interactions with physicians only last 10 or 15 minutes. Is it too much for a doctor to present? Yes, it probably is, and it might also be inappropriate for the doctor to be focusing on EHR security instead of addressing clinical concerns. The hospitals that find other ways to communicate with patients about healthcare IT will find themselves ahead of the game and will be initiating a transparent dialogue with patients.

What tactic might further this goal?

  • Give them reading material. A really technologically advanced hospital might give patients tablets on which to read materials about IT security, but that’s expensive and creates concerns about theft. Instead give patients documentation on the hospital’s security policies and procedures during the check-in process. Make the same information available on the patient portal.
  • Train the staff. After or in lieu of reading, patients are going to have questions. Make sure the administrative staff are familiar with the healthcare IT policies and can explain them to concerned patients. Still, that’s probably not enough. To assist patients who need it, you will probably also need to designate and provide special training for certain strong communicators among your administrative and clinical staff.

So, in the end, it comes back to sufficient training and subsequent open communication, just as it so often seems to with healthcare IT. Ultimately, hospital staff are both the strongest asset and greatest liability with regard to both security and patient care. Sufficient and periodic training should give your people the knowledge and experience necessary to maintain a secure patient data environment, and it will also enable them to demonstrate why patients should have confidence in your ability to do so.

D'Arcy Gue is Director of Industry Relations for Medsphere Systems Corporation.


IoT Devices Top a Long List of 2017 Security Threats

It’s worth remembering that 2016 was dubbed the “year of data security” after 90 percent of healthcare providers suffered data breaches in the previous two years. In particular, the Anthem breach of late 2014/early 2015 got everyone’s attention for the sheer magnitude (around 80 million records) of the hack.

Looking back, we can say 2016 lived up to its name as the number of records accessed was significantly lower than the year prior. But IT security is a game of whack-a-mole, so if fewer patient records were lost, malevolent forces simply found other ways to make the lives of healthcare CIOs very difficult.

Ransomware, for example, became the dominant security issue of 2016 and made everyone aware that hackers can always just hold your files hostage if they can’t steal them.

So, does 2017 look like more of the same or will hackers conjure up something new? Sitting here in January, the expectation is that the same security issues will endure, but they will also be accompanied by more challenging and complex concerns.

The Internet of Things (IoT): The difficulty of IoT security is represented by the numbers: There are tens of thousands, if not hundreds of thousands, of IoT devices connected to healthcare networks, and the security on all of them is not ironclad.

“Internet-of-Things devices lack some of the most basic cybersecurity protocols,” writes Jessica Davis in Healthcare IT News. “As a result, these devices can be weaponized en masse – and in as little as three minutes.”

The hacking potential of IoT devices was made clear last October when domain name services provider Dyn was breached via webcams and digital recorders, knocking Twitter, PayPal, Spotify and other internet behemoths offline for hours.

In a recent survey of healthcare executives conducted by Healthcare IT News, 52 percent said security was the highest IT priority for this year, with 58 percent elevating IoT devices to the top of the list of security concerns.

Ransomware: Hackers require access, and unsecured IoT devices give them that access. Once inside, they can continue the breakout year that ransomware had in 2016. In 2017, however, there may simply be more players in the game because the internet is an ever-evolving amusement park of wonders and horrors.

“There is already a ransomware as a service [RaaS] model, which provides automatically generated ransomware executables for anyone who wants to get rich by infecting potential victims,” Ondrej Vlcek, CTO for security firm Avast, explained to “The bottom line is that creating or buying your own ransomware has never been easier.”

A panel of security experts speaking with Health Data Management said they expect extortion attacks to increase and become more sophisticated. The solution? According to David Finn, health information technology officer for Symantec, hospitals and health systems must have robust backup systems so they don’t have to pay for extorted patient data.

Data-integrity Attacks: You may have heard of the Stuxnet worm the U.S. government used in 2010 to infiltrate and sabotage Iran’s nuclear program by engineering minor changes in targeted devices. That’s an example of a data-integrity attack. The not-so-good news is that the technology has filtered down to black-hat hackers who can access hospital and health system networks through … wait for it … IoT devices.

“IoT is a massive attack surface that allows people to touch systems that for previous decades haven't been available to be interacted with,” Daniel Miessler, director of client advisory services for security firm IOActive, told CNBC. “This is increasing exponentially.”

Instead of taking data or holding data hostage, hackers can manipulate data in subtle and often unnoticed ways so, for instance, payments don’t go where they’re supposed to. That’s one example of the potential data-integrity attacks offer to hackers.

Cloud Infrastructure: There is no shortage of articles touting the benefits of moving to the cloud, even if insufficient attention is paid to the attendant security risks.

As CynergisTek CEO Mac McMillan told Health Data Management, the cloud is “the proverbial double-edged sword. It’s an absolute necessity for advancement, but security continues to lag further behind, which ultimately risks the advancement.”

Extensive due diligence on your cloud services provider is essential, as is a contract that establishes responsibility, reaction and culpability in the event of a breach.

Artificial Intelligence: It would be difficult to imagine that most hospitals and health systems will have the resources to maximize the value of artificial intelligence and machine learning. Unfortunately, that won’t keep hackers from using AI and machine learning as a tool on their side of the security battle.

“From a hacker’s point of view, AI will power malware, and use data from the target to send phishing emails that replicate human mannerisms and content,” said Capgemini UK cyber security chief Andy Powell. “… these AI-powered attacks will resonate with the target better than ever before, meaning they’ll be more likely to fall victim.”

People: As always, there is no more enduring risk to your facility and organizational security than the people who work there. Thorough preparation of your staff is the best defense against the most common forms of hacking and data theft.

But, as Kasey Panetta of Gartner describes in a recent paper on 2017 security trends, it is only one component in an “adaptive security architecture.”

“The evolution of the intelligent digital mesh and digital technology platforms and application architectures means that security has to become fluid and adaptive. Security in the IoT environment is particularly challenging. Security teams need to work with application, solution and enterprise architects to consider security early in the design of applications or IoT solutions. Multilayered security and use of user and entity behavior analytics will become a requirement for virtually every enterprise.”

Does this sound like more technical sophistication and cost than your small or medium size healthcare organization can handle? That’s bound to be a common complaint. While all hospitals could potentially fall victim to the security breaches described here, not all hospitals can properly defend against them.

This common vulnerability calls for extensive sharing of knowledge and affordable strategies that guard against loss or manipulation of data. An ongoing Health and Human Services initiative and grant program endeavors to gather and disseminate the most current information on cyber threats, but it may take a few years for that effort to yield actionable information.

It may also call for smaller facilities partnering with those that are larger and more resource rich. We’re seeing relationships between large and small organizations develop in other areas of healthcare IT such as EHR implementation. Getting to the point where healthcare is not such an attractive hacker target may require the same with regard to security.

D'Arcy Gue is Director of Industry Relations for Medsphere Systems Corporation. 

How can we measure health system success without including mental health care?

If community hospitals are a general barometer of health in the surrounding area, the emergency room is the canary in the coal mine. Viral outbreaks, increases in violence, loss of health insurance from local layoffs—all are social ills that make their presence known first in the ER.

Based on recent ER studies, the U.S. is on the cusp of a full-blown mental health crisis.

According to a recent survey of more than 1,700 emergency physicians by the American College of Emergency Physicians (ACEP), three-quarters of ER docs evaluate at least one individual per shift who requires hospitalization for mental illness. Slightly more than 20 percent say patients wait from 2 to 5 days for an inpatient bed. Only 16.9 percent of ERs have a psychiatrist to call in emergencies, and 11.9 percent have no one at all to call when mental illnesses erupt in the ER.

"More than half (52 percent) of emergency physicians say the mental health system in their communities has gotten worse in just the last year," said Rebecca Parker, MD, FACEP, president of the ACEP. "The emergency department has become the dumping ground for these vulnerable patients who have been abandoned by every other part of the health care system."

The most recent survey results dovetail with a separate study presented at ACEP16 that looked at ER use between 2002 and 2011. From that review, we know that psychiatric visits to emergency rooms jumped 55 percent—from 4.4 million to 6.8 million—during the period evaluated.

The experiences of emergency physicians confirm that America is in the midst of a mental health crisis that requires time and attention. While rebuilding mental health care, we also need to use that process to learn. The state of mental health care can be both a measure of overall healthcare system progress and a cautionary tale about the unintended consequences of using information technology.

Healthcare is functioning when the mentally ill get treatment.

Yes, healthcare is in the midst of a revolution encompassing digitization of data, new payment models, the use of wearable devices and a host of other changes. It often feels like the entire healthcare enterprise is subject to some kind of change.

And yet none of the current overhauls will keep the mentally ill from showing up in emergency rooms. The House has passed legislation intended to help improve the mental health care system and, in part, alleviate some of the stress on emergency services. Hopefully the Senate will do likewise.

What would system changes that benefit the mentally ill look like, beyond a drop in ER visits? Probably something like a patient-centered medical home.

The mentally ill would have a psychiatric professional who would be contacted in the event of an episode at the ER. A network of care givers, friends and family could provide some confidence that proper care would follow the ER visit. An integrated healthcare IT system would give ER docs the data they need when a man with bipolar disorder wanders in, and it would let the man’s physician know he perhaps forgot to take his meds and had an episode.

Current fractures in the mental health care system mean those who enter the ER with a mental illness are often admitted for lack of local mental health services and support.

When the mentally ill get the care they need, we will know that the intersecting but uncoordinated goals of parity, interoperability, coverage and coordination have finally been met.

Digitized mental health care is better mental health care.

It’s not just that EHRs and other forms of healthcare IT give ER docs more information at the point of care about mentally ill patients. Digital systems that incorporate complete patient records also back up behavioral health clinicians and empower them to provide better care.

A six-year study of mental health specifically by researchers at the University of Southern California’s Keck School of Medicine showed that electronic charting yielded noticeably better clinical documentation. The complete documentation of visits and procedure codes rose from 60 to 100 percent. The timely completion of records improved quality of care and proved an asset in clinical training.

More than just clinicals improve with healthcare IT. Billing and reporting, both essential for financial viability, are more straightforward tasks with electronic support.

“The way things are going, it’s almost going to be impossible to not have an EHR,” Jennifer D’Angelo, chair of the new HIMSS Long Term Care and Behavioral Health Task Force and vice president of information services for Christian Health Care Center in New Jersey, told Behavioral Healthcare. “From an interoperability standpoint, and from a reimbursement standpoint, it’s being required. All levels of care will need to have an EHR for care coordination among all providers.”

Caveat: System security and personal privacy are more crucial with mental health data.

If your patient records are compromised or inappropriately shared, your primary concern is not that people will know you had an appendectomy in 2006 and a mole removed in 2011. You’re most worried about all the other information that will make it easy for the thief to misuse your information or even assume your identity.

And then there’s the experience of Canadian Lois Kamenitz, whose patient record showed that she attempted suicide in 2006. When Kamenitz tried to enter the United States in 2010, U.S. Customs and Border Patrol pulled her aside and would not let her enter the country until she filled out lots of paperwork, paid an American doctor $250 to process it and signed a document saying her medical records would become the “permanent property of the United States.”

Her personal privacy violated in a most unexpected scenario, Kamenitz found out the hard way that personal health information could be used against her after Toronto police shared a database with the Department of Homeland Security. Her experience is not an anomaly. It's not just that a person’s health information could be improperly exploited if accessed by non-clinical reviewers. Non-behavioral health clinicians can also mistakenly complicate or skew physical evaluations, procedure orders and prescriptions. 

So, is the paradox of EHRs and behavioral health patient integrity—improve patient care, increase patient vulnerability—a challenge that requires special attention? Yes, it does. Of course healthcare’s standard is that ALL patient records must be secure, but the sensitive nature of mental illness can often necessitate special diligence beyond what works to secure patient data in acute care. Public perceptions of mental illness frequently include fears of violence or unexpected behavior; at the same time, mentally ill patients fear that public exposure may threaten their employment and community relationships.

Clearly, there are policy issues that have yet to be worked out. Canada changed a policy that will hopefully make what happened to Lois Kamenitz rare or maybe impossible. Let’s hope that the trial-and-error process of policy development works itself out quickly with as few casualties as possible.

While there is much work to be done in simply improving mental health care and the lives of those who suffer, we must put IT and data security measures in place to ensure that citizens are not punished once by their mental illness and then again by a society that fears them. 

Irv Lichtenwald is president and CEO of Medsphere Systems Corporation, the solution provider for the OpenVista electronic health record.

Your most valuable security assets are human, not technical

You know already that the biggest threat to healthcare IT security is the human element. But if human beings are the greatest vulnerability, that also makes them the strongest asset.

Here’s why.

According to the 2016 HIMSS Cybersecurity Survey, the two primary healthcare IT security concerns among provider organizations (hospitals and physician practices) are phishing attacks (most pressing concern for 77 percent of respondents) and viruses / malware (67 percent). Both events require a responsive actor on the organization side of the transaction for hackers to access patient data.

It may seem like this is a rather straightforward problem to resolve—just make sure clinicians and staff have the requisite knowledge and savvy to not get duped and all is good. In reality, especially among larger organizations with hundreds of potential points of entry, turning human beings into alert sentries is a constant human behavioral challenge.

So what strategies can even a large healthcare organization employ to ensure that the people who use IT systems are firmly engaged in system defense?

  1. Train, train and then train some more. A study by Wombat Security Technologies and the Aberdeen Group suggests that upgrading employee awareness can reduce security risk by anywhere from 45 to 70 percent. Among the highlights of the report are these bits of crucial and related information:

    • There is no such thing as a 100 percent secure IT system if it is used by people. It makes little sense to invest heavily in technology if you fail to effectively train system users.
    • An organization with $200 million in annual revenue can expect to lose $2.5 million per year from infections borne of employee behavior, with an 80 percent chance the loss could jump to $8 million annually. (Note that this is across organizations and not specific to healthcare.)

    Don’t assume that any bit of information about system security—maintaining strong passwords, keeping mobile devices secure, navigating the internet safely, etc.—is common knowledge to employees and staff. Someone may not know something that will cause your organization harm.

    Your goal in training is to inculcate a culture of security that becomes second nature to every user beyond just IT staff. Indeed, you are working to expand the awareness of the IT team outward to all staff and employees.

    According to the results of another recent survey conducted across industries by Experian Data Breach Resolution and the Ponemon Institute, there is room for much improvement when it comes to preparing employees.

    • Only 46 percent of companies require employee training on data security; only 60 percent require re-training after a data breach.
    • Half of survey participants think their current training programs actually reduce noncompliant behavior, and 43 percent said their organization provides only one broad training course that doesn’t include some of the finer points of system security.
  2. Beware the disgruntled employee. Internal staff members motivated to do harm are a particularly troubling challenge. Could there be a Snowden or Manning in your organization? It’s less likely where ideological issues are not a factor, but it’s also impossible to gauge exactly what might set people off. Prepare for the disgruntled just in case.

    • Make sure that all active privileged accounts are connected to a current team member.
    • Audit the system regularly and immediately after any kind of security breach. (Privileged accounts used in a breach that are not connected to a current member will lower the value of the audit significantly.)
    • Closely monitor and manage privileged accounts, and create alerts to enable rapid reaction when things go awry.
    • Make sure departing members of the team return laptops and other mobile technology immediately before departing the organization.
    • Ensure only the minimum necessary access to certain information for each member of the team.
    • Apply sanctions for violating known policy consistently, quickly and even-handedly.
    • Consider having managers and directors, especially those working with clinical staff, identify the people they have concerns about and share that information.
  3. Elevate the importance of strong security among organizational and leadership priorities. According to the Experian Data Breach Resolution and the Ponemon Institute study, only 35 percent of respondents said they think senior executives feel it is important for team members to understand the potential organizational risks from data breaches. That correlates with the 60 percent of companies that feel their employees are not sufficiently aware of potential security breaches.

    On a related note, only 33 percent said their organization rewards employees for being security proactive, and 32 percent said there is no penalty at their organization when an employee causes a breach. Perhaps executives should take a look at incentives as well.
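Two of the controls listed under item 2 (tie every active privileged account to a current team member, and alert promptly on privileged-account activity that should not be happening) can be checked mechanically rather than by memory. The script below is an added example for this post, not Medsphere's code or anything from the article; the HR roster, account export and audit log lines are constructed sample data, and the field names (`owner_id`, `user=`, `action=`) are assumptions about what a directory export and an audit log might contain.

```python
"""Detect orphaned privileged accounts and flag their activity in an audit log.

Added example (not from the original post). All data below is constructed
sample input; the record layouts are assumptions, not any real product's format.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Employee:
    employee_id: str
    status: str            # "active" or "terminated" (assumed HR vocabulary)
    end_date: Optional[date]


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: Optional[str]   # HR employee id the account is tied to; None = unknown
    privileged: bool
    enabled: bool


# Constructed HR roster: who currently works here.
HR_ROSTER: List[Employee] = [
    Employee("E100", "active", None),
    Employee("E101", "terminated", date(2016, 12, 15)),   # left the organization
    Employee("E102", "active", None),
]

# Constructed directory export of accounts.
ACCOUNTS: List[Account] = [
    Account("jsmith", "E100", privileged=True, enabled=True),    # fine: active owner
    Account("rdoe", "E101", privileged=True, enabled=True),      # owner has departed
    Account("svc_backup", None, privileged=True, enabled=True),  # nobody owns it
    Account("mlee", "E102", privileged=False, enabled=True),     # not privileged
    Account("old_admin", "E999", privileged=True, enabled=False),  # already disabled
]

# Constructed audit log lines: timestamp followed by key=value fields.
AUDIT_LOG: List[str] = [
    "2017-01-12T03:14:05Z user=svc_backup action=login result=success src=10.0.5.21",
    "2017-01-12T08:02:11Z user=jsmith action=login result=success src=10.0.1.7",
    "2017-01-13T22:41:30Z user=rdoe action=export_records result=success src=203.0.113.9",
    "2017-01-14T09:00:00Z user=mlee action=login result=failure src=10.0.1.9",
]


def find_orphaned_privileged(accounts: List[Account], roster: List[Employee]) -> List[str]:
    """Return usernames of enabled privileged accounts not tied to an active employee.

    An account is orphaned if it has no owner at all, or if its owner is no
    longer listed as active in HR. Disabled accounts are ignored: they are
    already contained, though they still belong in the audit trail.
    """
    active_ids = {e.employee_id for e in roster if e.status == "active"}
    orphans = [
        a.username
        for a in accounts
        if a.privileged and a.enabled and (a.owner_id is None or a.owner_id not in active_ids)
    ]
    return sorted(orphans)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed audit line into a dict; the first token is the timestamp."""
    timestamp, *fields = line.split()
    event = {"ts": timestamp}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def alerts_for_orphans(log_lines: List[str], orphans: List[str]) -> List[Dict[str, str]]:
    """Return every audit event performed by an orphaned privileged account.

    Any activity at all by such an account is worth an alert: the account
    should have been disabled, so a successful login or a bulk export is a
    signal to react to immediately, not a routine event.
    """
    watch = set(orphans)
    return [ev for ev in map(parse_event, log_lines) if ev.get("user") in watch]


if __name__ == "__main__":
    orphans = find_orphaned_privileged(ACCOUNTS, HR_ROSTER)
    print("Orphaned privileged accounts:", orphans)
    for alert in alerts_for_orphans(AUDIT_LOG, orphans):
        print("ALERT", alert["ts"], alert["user"], alert["action"], "from", alert.get("src"))
```

Run on the sample data, the check reports `rdoe` (owner terminated but account still enabled) and `svc_backup` (no owner on record), and the log scan raises two alerts: the service account logging in at 3 a.m. and the departed employee's account exporting records from an external address. In practice the roster would come from HR's system of record and the account list from the directory, and the orphan check would run on a schedule as well as immediately after any incident, as the list above recommends.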

Will you be able to eliminate data breaches by following these strategies diligently? It’s not likely. Make reduction and mitigation your goal, and if elimination happens, throw a huge party before getting back to work.

Healthcare data breaches are more expensive than those in any other industry, climbing to an average of $4 million in 2016, according to the Ponemon Institute. Can you afford to lose $4 million regularly, only occasionally or once in a blue moon? Let your answer to that question drive the energy with which you put your organization’s comprehensive security plan in place.

HIMSS Cybersecurity Survey: Medical identity theft remains number one concern

Most healthcare cybersecurity stories over the last year or so have focused on ransomware, the frightening new weapon in the hacker arsenal. But the results from the recent 2016 HIMSS Cybersecurity Survey suggest that medical identity theft remains both more lucrative than ransomware for hackers and the primary concern of healthcare IT leaders. According to the survey, 77 percent of respondents feel medical identity theft is the “most common reason” for virtual attacks on healthcare facilities.

What else can we learn from HIMSS’ survey of 150 provider organizations?

  • The lack of resources—both financial and human—is the underlying challenge in mitigating cybersecurity risk. Nearly 60 percent of respondents said they don’t have adequate personnel, and 55 percent said they lack the funds to properly combat what has become a daily battle with hackers.
  • Employees are either an asset or a liability, depending on their level of preparedness. At 77 percent, phishing attacks are the number one cybersecurity concern of survey respondents, who also said email is the primary vulnerability.
  • Healthcare organizations are not using the full set of tools. When asked what cybersecurity tools they use, 64 percent of poll participants said data encryption in transit; 59 percent use encryption at rest, and 54 percent use intrusion detection systems. “Providers have implemented a modest amount of basic and advanced information security tools,” says the HIMSS report.
  • Ransomware has a lot of people scared. When looking to the future of cybersecurity, ransomware is the challenge most respondents fear at 69 percent. Never expected to disappear, phishing scams come in second at 61 percent.
  • The healthcare cybersecurity battle is a daily fact of life. Among poll respondents, 80 percent said they had experienced a “significant security incident” recently. HIMSS recognizes that cybersecurity is a sensitive topic for most if not all healthcare organizations and “… the pervasiveness of attacks presented here may actually be under-represented.”

Perhaps there are security measures mentioned in the report you could be taking but didn’t know about. Maybe you feel like an island in an ocean of hackers that for some reason have targeted you and seemingly no one else. The 2016 HIMSS Cybersecurity Survey report provides an industry overview, but it also enables you to compare your security readiness with others and understand the challenges all healthcare organizations face in the information age. 

D'Arcy Gue is Director of Industry Relations for Medsphere Systems Corporation. 

Ponemon Study: Healthcare aware of security threats, but not really ready for them

You may be suffering from IT security fatigue at this point, for which I offer a half-hearted apology.

Yes, only half-hearted, because the numbers say healthcare is aware of various security threats but still remains vulnerable, making it imperative that the subject stay top of mind until patient data is reliably protected.

For example, the Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data, published earlier this month, offers interesting perspectives on both healthcare organizations and business associates.

For this ID Experts-sponsored study, The Ponemon Institute engaged 91 covered entities (health plans, healthcare clearinghouses, healthcare providers) and 84 business associates (BAs) like healthcare IT companies. Given that business associates often have access to patient data, it’s appropriate that this study and future research projects include partners not involved in actual provision of care.

A review of the Benchmark Study reveals some overarching themes and messages that may prove valuable to healthcare providers and business associates.

Data breaches are common and happening more frequently.

You know this already, right? Probably, but the frequency suggests that only the really big breaches make it into the healthcare IT press.

In the last two years, 89 percent of healthcare organizations and 61 percent of BAs experienced at least one breach that resulted in a loss of patient data. In that same time period, 45 percent of healthcare organizations had more than five breaches and 28 percent of BAs had more than two.

“The annual economic impact of a data breach has risen over the past six years, as has the frequency of data breaches,” the report reads. “Criminal attacks and internal threats are the leading cause of data breaches.”

Employees are both your strongest asset and greatest liability.

How do your employees at all levels feel about working there? How well trained are they in all aspects of their jobs? Are you aware of any particularly disgruntled employees?

Where once these were primarily questions for human resources, now they are highly relevant to the security of your operation.

When asked what type of security incident they most fear, a majority of both healthcare organizations (69 percent) and BAs (53 percent) identified employee negligence and carelessness.

These percentages remain roughly the same as last year, even while the most common cause of data breaches with healthcare organizations—fully 50 percent—is criminal attacks. Among BAs, an unintentional employee action (55 percent) is still the manner by which patient data is most often compromised.

What may provide some comfort for both healthcare organizations and BAs is that a malicious insider (13 and 6 percent, respectively) is not often the cause of lost patient information.

While concerns about employee carelessness might be more statistically relevant for BAs than healthcare organizations, in both entities the gap between negligence and malice represents an opportunity to make employees the first and most effective line of defense.

Indeed, for most BAs (58 percent), data breaches were discovered by employees. On the healthcare organization side, audits (74 percent) most often received credit for data breach recognition, with employee detection second at 47 percent.

Healthcare organizations and BAs recognize that employees are essential to better security. Both entities said better training, as well as more effective policies and procedures, were the most effective way to combat loss of patient data. 

Data security spending and organizational preparation are still not where they need to be.

All of healthcare IT is aware of cyberattacks and the potential danger of losing patient data, and yet IT budgets remain stuck. Among healthcare organizations, 62 percent say their budget for incident response has either decreased (10 percent) or stayed the same (52 percent).

There remains a gap, Ponemon says, between awareness and funding.

“Recent big healthcare data breaches have increased the healthcare industry’s awareness of the growing threats to patient data, resulting in more focus on their security practices and implementing the appropriate policies and procedures; however, the research indicates that it is not enough to curtail or minimize data breaches. According to the findings, half of these organizations still don’t have the people or the budget to detect or manage data breaches.”

Perhaps most disconcerting is that while 60 percent of healthcare organizations and 54 percent of BAs assess their organizational vulnerabilities, the overwhelming majority do so on either an annual (41 and 35 percent, respectively) or ad hoc (43 and 35 percent) basis.

Data breach insurance is becoming a standard part of providing healthcare.

The information on data breach insurance from the Ponemon study is interesting and somewhat curious. In the study group, one-third of healthcare organizations and 29 percent of BAs are insured against data breaches and cyberattacks. Of that group, a majority of both healthcare organizations (57 percent) and BAs (52 percent) purchased up to $5 million in coverage.

What do these numbers say about healthcare and preparation for cyberattacks? For one thing, we know that healthcare organizations and BAs are both concerned about liability; the coverage most frequently provided (just north of 70 percent for both groups) by the selected data breach policies is legal defense.

Other than that, it’s hard to draw any definitive conclusions based on the figures alone. On an individual basis, some organizations may find it more affordable to insure than fully prepare. Others may pursue both strategies.

It does seem clear that most of healthcare is under no illusions about how well prepared the industry is for hackers and cyberattacks. When asked why healthcare has a bullseye on its back, healthcare organization respondents said quite clearly that the industry is not doing enough, offering these perspectives:

  • 51 percent: Healthcare organizations are not vigilant in ensuring their partners and other third parties protect patient information.
  • 44 percent: Healthcare organizations are not hiring enough skilled IT security practitioners.
  • 41 percent: Healthcare organizations are not investing in technologies to mitigate a data breach.

The rise in cyberattacks puts many healthcare organizations in a difficult spot. Millions have already been spent on IT systems and security, and in many ways and for many providers, it simply isn’t enough. Insurance is one way to guard against disaster, but more successful attacks will lead to higher premiums, making vigilance and adequate preparation the only realistic option.  

D'Arcy Gue is Director of Industry Relations for Medsphere Systems Corporation. 

Remember the Omnibus HIPAA Rule? Maybe it's time for a refresher.

Have the HIPAA security and privacy rules been around so long they fade into the background? Perhaps so, which could be problematic. You see, the 2013 Omnibus HIPAA Rule strictly defines the liability and obligations of all business associates, which vendors with access to PHI must understand, as must providers, many of whom are still using pre-2013 business associate agreements. Along with general liability and obligations for business associates, the Omnibus Rule also expands financial liability and enforcement, and introduces altogether new privacy and security provisions. If the 2013 Omnibus HIPAA Rule never showed up on your radar, or if it’s just time to brush up on HIPAA regulations, download and read our Guide to Omnibus HIPAA now.

With the dramatic uptick in security breaches over the last year, this is an opportune time to update your knowledge of security and privacy rules or perhaps familiarize yourself with them for the first time. D’Arcy Gue, vice president of industry relations for Medsphere’s Phoenix Health Systems division, was commissioned to write a full summary of the HIPAA Omnibus Rule by Thompson Publishing, giving you all the information you need in just seven pages.

Download the Guide to the Omnibus HIPAA Rule

You think your systems are secure. Should you still get cybercrime insurance?

Naturally, most of what you hear from healthcare IT companies about their products is going to be upbeat, designed to create a sense of potential and promise. I mean, I can easily extol the virtues of the company I lead and the products and services we sell.

But if I’m responsible and realistic, I also need to call attention to the challenges healthcare IT can create on the path to improved care. Without doubt, any information technology that creates, maintains, or transmits electronic patient data is a source of risk, as evidenced by the numerous security issues that are top of mind right now for just about everyone working in healthcare and healthcare IT.

Still relatively young, cyber liability insurance has nonetheless grown in recent years and is now available to organizations concerned with breaches, loss of data and ransom scenarios.

Have we gotten to the point where insurance against these types of situations is necessary, viable and affordable? It’s a question worth asking.

You’re probably familiar with the hospitals, health systems and insurance carriers that have suffered security breaches—names like Anthem, Hollywood Presbyterian, UCLA Health System and MedStar Health. These are only a few of the healthcare industry players that have been hacked, and they are a tiny slice of the organizations and facilities that are targeted on a daily basis.

Not only are healthcare organizations targeted, it’s happening with ever increasing frequency. According to Symantec’s April 2016 Internet Security Threat Report (ISTR), new malware variants jumped 36 percent from 317 million to 431 million from 2014 to 2015. Over the same time period, crypto-ransomware assaults rose from 737 to 991 per day.

New devices are creating more openings and threats. Mobile vulnerabilities rose more than 200 percent from 2013 to 2015. The Internet of Things (IoT) creates a game of whack-a-mole for hospitals trying to plug every potential access point.

Yes, the recent surge in cyberattacks on healthcare is alarming. Because hackers will keep exploiting a vulnerability for as long as the window stays open, expect the attacks to continue and to increase.

Of course, leadership at your healthcare organization is doing everything in their power to prevent cyberattacks and loss of patient data. You regularly back up data, and you have a ‘gold image’ of systems and configurations and a plan for dealing with attacks. You’re working with an established, reputable cybersecurity firm, and you’ve created test plans as part of a broader effort to educate and prepare all personnel. And every year you conduct a security review to make sure the preceding is in place.

If you have done all this, good for you. You’d probably have to do it anyway. Insurers, after all, pool risk to guard against unfortunate events that happen despite all preparation, not in lieu of it. The numbers suggest the risk is significant.

In 2015, according to the NetDiligence Cyber Claims Study, the largest cyber insurance claim of the year—$15 million—came from healthcare, with the average claim falling between $30,000 and $230,000. Because retail and healthcare are the most vulnerable targets of cybercrime, insurance companies are now charging more to insure digital assets. In some early-2015 cases premiums tripled for healthcare organizations; Reuters reports that high deductibles are common and even large insurers won’t write policies for more than $100 million when clients are considered high risk.

If actuaries see healthcare as that vulnerable, it might be wise for us to see ourselves in similar terms. We know, after all, that healthcare organizations’ demonstrated vulnerability to hackers squares with the amount of money they spend on security: currently a dismal 0 to 3 percent of total IT budget in most hospitals.

Well, you might say, my organization has not suffered a successful hack and lost patient data. Good for you. But can you afford it if you do? Again, the largest claim against cyber liability policies in 2015 was for $15 million by a healthcare organization, and hacks are becoming more effective and more frequent.

We’re not a very big hospital, you might think, so I doubt we’d be a target.

But the NetDiligence Cyber Claims Study shows that small and mid-sized organizations (revenues under $300 million) filed almost half (46 percent) of all claims in 2015, clearly demonstrating that large hospitals and healthcare organizations are not the only tempting targets.

The Symantec ISTR report also found that the highest number of 2015 network breaches, 39 percent, came from health services. And even while hackers are hitting healthcare harder than other industries, the actual number of identities exposed is relatively low, demonstrating the financial value of the data kept in patient profiles.

Indeed, according to NBC News, in the market for illicit goods and information, stolen credit cards are worth from $1 to $3 and social security numbers return about $15. Complete medical records, however, which provide access to prescriptions, treatments, surgery, even false tax returns, sell for around $60 each.

The February 2014 Cyber Insurance Roundtable Readout Report gleaned from a summit convened by the National Protection and Programs Directorate within Homeland Security probably sums up the situation well for most CIOs and chief security officers. It shows that healthcare organizations must weigh their preparedness for cyberattacks against the cost of cyber liability insurance and the potential costs of a breach.

Two years later, hacks are increasing. Premiums are increasing. But skyrocketing premium prices incentivize healthcare organizations to forgo insurance for stronger electronic locks and higher virtual walls. As cyber liability insurance grows, healthcare organizations would do well to engage with insurance providers in discussing the criteria by which a policy is affordable and provides protection.

Which brings us back to the reality of healthcare in the digital age. You are going to have to spend more on cyber security to either prevent data breaches and ransom attacks or clean up after them. And if cyber liability insurance sounds interesting, you’ll have to demonstrate effective and reliable security just to get an affordable premium. There’s just no way around better IT security. 

Irv Lichtenwald is president and CEO of Medsphere Systems Corporation, the solution provider for the OpenVista electronic health record.

Category: Security

You’re not investing enough in IT security, healthcare

Mathematically, the gap between $3.6 million and $17,000 is a chasm.

This is something you know well if you’re Hollywood Presbyterian Hospital, which paid the latter number to unlock patient data held hostage by malicious hackers using ransomware when the former number is what the hackers initially asked for.

While the dramatic reduction in ransom may have caused Hollywood Presbyterian to breathe a sigh of relief, there is no reason they or you should feel comforted. Consider this an initial shot across the bow of what promises to be a lengthy and spirited battle between wired healthcare and cybercriminals.

The fact is, most of healthcare simply doesn’t spend enough on data security. In a study conducted by HIMSS Analytics and Symantec that polled 115 IT and security professionals in hospitals with more than 100 beds, more than half (52 percent) said their organization dedicated between zero and 3 percent of the IT budget to security. Just 28 percent said they spent between 3 and 6 percent of IT budget on security.

“All of this makes healthcare organizations rich targets for cybercriminals,” reads the study summary. “Stolen patient data fetches up to 50 times more than a Social Security or credit card number, because a patient’s EHR contains data that can be used for medical or identity theft, or other fraud. As a result, criminal attacks on healthcare information systems have increased 125 percent in the past five years.”

Smaller IT budgets mean fewer resources for security personnel. Among respondents to the HIMSS Analytics/Symantec poll, 72 percent employed five or fewer people dedicated to security; only 10 percent had 21 or more on the IT security staff. When adjusted to include employees with data security responsibility outside of IT, the average among respondents was 10 people.

So, how many data security pros is enough? How much of the IT budget should hospitals spend on security, adjusting for size? The report offers no specifics. Right now, faced with a growing security concern in hospitals, the answer seems to be “more.”

“The irony is that information technology and data in healthcare are clearly critical to the mission of providing care, yet data security is an afterthought,” said Mac McMillan, chair of the HIMSS Privacy & Security Policy Task Force and CEO of information security and privacy consulting firm CynergisTek. “We don’t have enough” data security specialists, McMillan added, “and we don’t have enough who are qualified to do their job.”

One interpretation of the HIMSS Analytics/Symantec report is that we’ll have a much better idea of how much and how many is enough once we know most healthcare facilities are following proper protocols and successful hacker intrusions level off or decline.

Organizational structure and reporting, for example, is one protocol that deserves attention. It turns out most chief information security officers (CISOs) report to a chief information officer (CIO), which effectively puts the person primarily responsible for security in charge of monitoring their own superior’s work. Among respondents, 54 percent said security reports to the board don’t happen regularly and 8 percent said they never happen.

The reality is that hospitals need to spend what it requires to avoid the Hollywood Presbyterian scenario. Sure, it was only $17,000 this time, but it will be more next time, and perhaps it will be a lot more than one organization can afford.

The initial investment in sound security will require more dollars, physical and technical protections, and people, but it doesn’t have to stay that way after a solid, sustainable security program is in place. Witness recent examples in Ottawa, Canada, and Henderson, Kentucky, in which hospitals were hit with ransomware attacks and were prepared to weather the assault.

Proper security. No assault. No ransom paid. No data lost. No patient data compromised.

In the real world, there are critical access hospitals that don’t have 21 doctors and nurses combined, let alone 21 employees focused on IT security. Fewer security personnel reliably correlate with a vulnerable technical infrastructure and an inability to keep up with essential IT changes and upgrades.

So what can hospitals that lack money and a current security plan do to avoid the same fate as Hollywood Presbyterian? For starters, line up the ducks. The organization of waterfowl, according to HIMSS Analytics and Symantec, requires establishing priorities and inculcating organizational practices.

  • Make the CISO and CIO parallel positions to maintain separate spheres.
  • Include security updates in regularly scheduled reports to the board.
  • Establish an ongoing, consistent risk-management program.
  • Prioritize and reach a consensus on data-security measures.
  • Make medical device security and the Internet of Things part of the security plan.

“Healthcare is a very open, caring and trusting business,” said McMillan. “They [hospitals] don’t understand that you cannot have privacy without good data security.”

Okay, maybe some in healthcare don’t fully grasp the dangers of the brave new IT world their hospital or clinic is moving into. However, I think that, after years of internalizing HIPAA, clinicians and other healthcare workers understand privacy and security just fine. It’s not like healthcare is the only industry to be successfully hacked, after all.

My question is not so much about understanding as it is about investing in safety. How are hospitals already close to the financial margin going to pay for additional security protections, including needed staff, to keep the bad guys out of the (data) bank vault?

We won’t arrive at the solution simply or quickly, and it will require extensive collaboration similar to the creative, broad-based initiatives currently underway.

To date, the ONC-initiated Interoperability Pledge, for example, has garnered written commitments from healthcare organizations of all stripes across the nation. These include the five largest health systems and providers in 46 states, as well as companies that provide 90 percent of the EHRs used by hospitals nationwide. No, a pledge is not binding, but it is indicative of a serious appreciation of the need to ensure easy, secure access to health information for patients and the providers serving them. It may also pave the way for more substantive collaboration around future nationwide interoperability.

Perhaps the CHIME National Patient ID Challenge, which focuses on the challenge of accurately matching patients with records and offers $1 million for the best solution, can serve as a model. Like security breaches, inaccurate matching annually creates millions of dollars in additional costs and harms patient safety. A patchwork of identification solutions has yielded at most 80 percent matching accuracy, even in our most sophisticated hospitals. Aiming for 100 percent accuracy, the CHIME challenge has lit a fire under at least 80 entrants across seven countries, ranging from startups to large corporations to clinicians and even including credit bureaus.

Both the CHIME and Interoperability Pledge initiatives strive to harness the collective wisdom of a diverse community and maximize limited resources, including people, in a way that produces broadly beneficial results.

At some point in the near future, this kind of cross-industry collaboration on effective security systems, standards and strategies could be shared affordably with smaller hospitals and other providers that face ongoing resource challenges. In that aspect of dealing with burgeoning security threats, there is probably a role to play for everyone from the federal government to private industry to healthcare providers right down to the smallest critical access hospital in rural New Mexico.

That hackers are increasingly targeting healthcare clearly says something about the newfound maturity of the industry. That they are lured by the prospect of easy pickins says something as well. We can take a moment to dwell on the former, after which the latter demands all the energy we can spare.

Irv Lichtenwald is president and CEO of Medsphere Systems Corporation, the solution provider for the OpenVista electronic health record.


As health IT matures, security approaches must mature with it

Not that long ago, healthcare worried mostly about the physical loss of personal health information (PHI) by way of a lost thumb drive, a stolen laptop, some misplaced paper files. These were the primary concerns in the initial HIMSS security survey, published in 2008. It wasn’t until five years later, in 2013, that the largest healthcare security breaches came from cyberattacks instead of lost or stolen devices.

So, is it encouraging to see how far the rapid pace of change has carried health IT in just a few years? Well, yes and no. Growth is good, but it always presents a new set of challenges.

To be sure, healthcare has joined the rest of the wired world as a frequent target of technically skilled ne’er-do-wells. In 2014, cyber breaches in the form of systems hacking, credit card skimming and phishing (obtaining sensitive personal data by pretending to be someone trustworthy) totaled 29 percent of all security breaches. In 2015, that number rose to 38 percent.

Expect the trend to continue.

And expect it to get more complicated based on what’s happening in other industries. You may, for example, remember an interesting experiment last summer in which hackers demonstrated the susceptibility of a car’s onboard computer system by taking control of a Jeep going 70 miles per hour on a freeway outside St. Louis.

“Immediately my accelerator stopped working,” writes Andy Greenberg in a Wired magazine article on the car sabotage. “As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.”

The hurtling SUV hijinks are just one example of the Internet of Things (IoT), the global network of tangible objects (a Jeep, for example) with embedded sensors, software and hackable Internet connections. Where cyber masterminds used to have to access a car’s diagnostic port to tap the computer, now they can do so wirelessly.

Of course, the ubiquity of sensors and software makes most devices potentially hackable. So, what might hackers do if they can gain remote control of healthcare devices? The prospects are a bit chilling. Imagine where that Jeep might have gone with black-hat hackers at the keyboard.

“We may soon be looking at insertables—implants, pacemakers, insulin pumps—becoming targets of cyber-terrorists,” says Ponemon Institute Chairman and Founder Dr. Larry Ponemon in a Healthcare IT News article. “And this is not science fiction. It’s already been demonstrated.”

Nightmarish movie scenarios are unlikely, but hackers are already able to install ransomware that holds a computer’s data hostage until the owner pays a ransom to recapture control.

“It’s a bit like thieves sneaking into your home, and rather than carting away the TV, stuffing your jewelry and electronics into an impenetrable trunk,” explains Kaveh Waddell in The Atlantic. “Then they try to sell you the key.”

As Waddell reports, one hacker made $1 million in a single day off desperate computer users, and the FBI says some viruses are so good the easiest path is to just pay the ransom—usually in the $300 to $750 range.

“There is cause for concern,” according to a report by the Health Research Institute at PriceWaterhouseCoopers (PwC). “2015 saw the first-ever government warning that a medical device was vulnerable to hacking—an infusion pump officials warned could be modified to deliver a fatal dose of medication.”

Of course, hacks, ransomware, phishing scams and the like are not just happening in healthcare. Analysts estimate banking lost roughly $1 billion to cybercrime between late 2013 and early last year. Last summer, JP Morgan reported that hackers had accessed a database with information for 76 million households and 7 million small businesses.

As one might expect, these incidents are only a drop in the bucket. As a former executive with a financial portfolio management software firm, I know the assault on financial institutions is relentless, despite constant and detailed efforts to improve security. After all, as Willie Sutton reportedly said when asked why he robbed banks, “Because that’s where the money is.”

But what if hackers, en masse or gradually, were to figure out that hospitals were actually pretty lucrative and easier pickings? There’s not much reason to think that hasn’t happened already. Consider the Anthem breach last year and PwC analysis showing that 85 percent of large healthcare organizations experienced a breach in 2014 with 18 percent costing more than $1 million to fix.

Sutton’s logic applies to healthcare organizations, too. Hackers will go after the big ones because that’s where the money is, but there’s no reason to think it will end there. If a small hospital can be held hostage for $300 in ransom, why should we think they won’t be? After all, the urgency associated with unlocking an infusion pump will be greater than regaining access to vacation photos. More urgency equals more rapid payment, and more frequent hostage taking if security doesn’t improve.

While healthcare has not been a major hacking target for that long, the security recommendations and requirements that anticipated these scenarios have been around for a while in the form of regularly updated HIPAA regulations. These regulations require hospitals to establish a security framework – basic procedures like access control and user education. Unfortunately, they provide little in the way of specific strategies and tactics like regular penetration testing, clear reporting procedures, or how to perform periodic testing and training. Hospitals and health systems must make their own decisions to ensure that their overall environment is secure.

I have no doubt all healthcare enterprises believe they are doing their best to protect PHI and patient financial information. But there are still disconnects. Even the most security-aware technical staff is limited by budget restraints. Even the most focused administrator has a lot of moving parts to manage and fund. And HIPAA requirements leave some security preparation wiggle room based on the size and resources of the facility.

Ultimately, the security decision calculus must be driven by risk—by what a hospital or health system is vulnerable to—not what it can marshal the resources to defend against. And understanding risk has little reward if you don’t invest the time and money to mitigate it. In our connected world, we pay for security or we pay for lack of security. There can be little doubt that the former is more affordable—to say nothing of predictable—in the long run.

Irv Lichtenwald is president and CEO of Medsphere Systems Corporation, the solution provider for the OpenVista electronic health record.
