Security

Is your health data more safe or vulnerable in the cloud?

The illusion of control is tempting, even intoxicating. It’s also a common characteristic that almost all humans manifest to one degree or another as we work to satisfy competence motives, the need for security and basic survival instincts.

Because proximity often feels like control, it might also get in the way of secure healthcare IT.

“Files stored in reliable cloud services are some of the most secure files you can have, provided you have good passwords,” says software engineer John Miller, PhD. “Google, Microsoft, and Amazon all provide reliable cloud services for consumer file storage.”

What, in particular, makes cloud storage superior, according to Miller?

  • Redundancy: The chances of losing the same data saved in at least a couple of different places are low.
  • Security: Keep passwords and access to local machines safe and you’re in good shape. Data centers are not easily hackable and very difficult to physically penetrate.
  • Safe Sharing: You can give trusted individuals read access to data without having to deal with security risks like thumb drives and file copies.

Still, it’s a mistake to think that Amazon or Google can be entrusted with all security precautions. Your healthcare IT vendor is an active player in making sure your particular system is secure. When shopping for vendors or considering a move to the cloud, have a conversation that includes these specific concerns:

Risk: How much risk will you be comfortable with? While you could choose to lock your system up tight, there is a tension between system security and ease of access. Find a balance between the two. In striking that balance, ask for assessment process documentation that includes establishing a risk threshold and effectively managing potential security issues related to third-party vendors.

Cloud Security Tools: It’s not wise to rely exclusively on cloud vendor security, but it is also unwise to reject any inherent security they provide. Document succinctly what is part of the cloud service and what your healthcare IT vendor layers on. Two-factor or multi-factor authentication, now widely used, may be one example of a security protocol built into the cloud vendor package.

Responsibility: It will be vital that you ask relevant and pointed questions about responsibility across all three spheres: the cloud vendor, the healthcare IT vendor and your organization. Evaluate documentation that describes what security measures come from each and how they complement one another. It’s critical that you understand whether there are any holes in the security mesh you’re looking to create.

One of the more challenging aspects of moving to the cloud for many healthcare organizations is an uncertainty about what questions to ask. Too often, hospitals and other healthcare organizations may be tempted to just say, “That’s your area of expertise. Make it work.”

It will benefit you in the long run to probe and make your healthcare IT vendor defend and quantify their security approach.

And what, at a minimum, should that approach include?

  1. A Design Philosophy: It may go without saying that your healthcare IT vendor has had to work HIPAA and HITECH considerations into their design approach, but you will still want to see documentation detailing exactly how. Protecting patient data, for example, will require that your data be isolated via network layout from other customer instances. Live and back-up systems should be geographically separate in case of catastrophe. And network access controls should be layered at multiple levels so easy access is impossible. Again, find the right amount of tension between access and security.
  2. Access Control: The security of your system will be preserved because everyone in your organization adheres to access protocols. Communication between the clinical site and the cloud location should be transported via an IPsec virtual private network (VPN). End users will transparently use the VPN to access system applications in the cloud. Multi-factor authentication for user access and constant system monitoring are both big steps toward a system that’s hard to breach.
  3. Encryption: Make sure that your patient data is encrypted both in transit and at rest, i.e., when it’s sent across the VPN and when it is stored in the cloud. All operational, backup and log data should be encrypted using, at a minimum, the FIPS 140-2 compliant AES-256 standard. Ask about the encryption standard and for documentation of the protocol for moving to newer, more rigorous standards.
  4. Disaster Recovery/Business Continuity: One of the strongest and most obvious arguments for moving to the cloud is the availability of disaster recovery and high availability backups. While unlikely, a disaster could destroy both the live and backup systems if both are in the same place, so ask if they are geographically distinct. You will want primary-to-secondary data replication to be constant, and hourly system snapshots should also be provided in the event of extreme situations. Also, make sure the disaster recovery site is ready to take over organizational operations at the drop of a hat if necessary.

Ultimately, while cloud security makes your organization no more vulnerable to breaches than you are with an onsite data center, there are better and worse ways to approach the cloud. A hybrid model, for example, of some local servers and some cloud hosting actually creates more vulnerabilities than a strictly public cloud approach. Your goal is to have fewer, not more, access points that could be breached.

“To be fair, much of the common perception of cloud security—or insecurity as the case may be—is just myth. Pervasive myth, but myth nonetheless,” says Tony Bradley at Forbes.

And it’s a myth many organizations now benefit from having banished. So, while you’re cleaning out the closet of long-held but possibly incorrect beliefs like the illusion of control, just toss cloud insecurity on the trash heap as well. When managed with the same level of care as local data centers, the cloud offers clear advantages.

Richard Sullivan, MSIS, is chief government officer for Medsphere Systems Corporation

Category: Security

Hurricanes highlight healthcare IT improvement, expose gaps

Yes, Katrina was already losing appeal as a girl’s name by 2005, when it had fallen to 247th most popular in the United States. But the so-named hurricane that swamped New Orleans in August of that year pushed it off a ledge. By May of 2007 Katrina had fallen more than 100 spots to number 382, its lowest level since the 1950s.

Less trivial is the impact of Katrina on hospitals and healthcare, which has regularly measured itself against the ghost of a seemingly manageable Category 3 storm that morphed into a disaster of historic proportions and nearly destroyed one of America’s more storied cities.

Since Katrina there’s been Rita and Wilma, also in 2005, and Superstorm Sandy on the eastern seaboard in 2012, but nothing else. The recent arrivals of Harvey in Texas and Irma in Florida are healthcare IT’s first real opportunities to test existing infrastructure against mother nature.

So, what are the early reports on the shift to electronic records, remote / cloud hosting and disaster recovery sites after the hurricanes? Things are better, but it’s still a work in progress. After all, many hospitals in New Orleans had EHRs, but it didn’t matter when the water kept rising.

“When Hurricane Katrina smashed into New Orleans in 2005 … tens of thousands of patients lost their entire medical histories—boxes of paper files disintegrated or washed out to sea by the rising waters,” writes Megan Molteni in Wired magazine. “Widespread data loss won’t be as much of a problem for Houston. Today, about 75 percent of providers keep records electronically. But patients still may have trouble accessing their records when it matters most: in the middle of crisis and recovery.”

That’s right. Interoperability remains the hill healthcare IT still has not taken, despite the proliferation of EHRs.

The fear of a Katrina redux inspired many hospitals to improve their physical infrastructure by installing “submarine doors, flood gates, and above-ground backup generators,” which kept 90 of 110 Houston-area hospitals from having to evacuate patients. Darrell Pile, CEO of an organization that coordinated patient evacuation and relocation related to Harvey, said he knew of no hospitals in Houston that lost access to patient records.

And yet, everything was still not totally copacetic in Texas.

“For lots of these patients, these are not their normal clinics,” explained Dan Jensen, manager of 11 clinics in the VillageMD Houston network. “We can try to pull data on some of them, but it’s very limited what we can get. A lot of times we have to start from scratch.”

But Jensen also illustrated the ways in which healthcare IT enables flexibility and rapid response during emergencies. Able to reach only 10,000 of 160,000 patients before the storm, VillageMD Houston’s IT provider was able to engineer a patient portal fix overnight that extended portal communication to all patients, even those who had not signed up.

While Houston was drying out, Irma’s visit to Florida ended up being less destructive but more directly impactful because it shut down most of the state. In total, 36 Florida hospitals closed either in anticipation of the storm or because of its impact. Statewide, 54 hospitals were forced to use backup generators and some reported modest flooding but remained open.

And the Florida Hospital Association received no reports of EHR failure.

Arriving so close together, Harvey and Irma almost entered the national consciousness as one storm. Taken together, early returns suggest healthcare IT has progressed significantly since Katrina.

“Policymakers and health care providers can celebrate one quiet success in the wake of the Houston storm: the computers are still running,” writes Darius Tahir in Politico. “The preservation of patient health records represents a partial vindication for the HITECH Act … that was conceived, in part, as a way to ameliorate natural disasters like Hurricane Katrina by replacing waterlogged paper with modern technology.”

But it wasn’t just Katrina that spurred lawmakers to pass the HITECH Act. It was also the VA’s response to the hurricane.

“The VA — with its pioneering VistA EHR — was able to retain records and access them much more rapidly than its private-sector peers during Katrina,” says Tahir, “… the organization restored access to records from 40,000 New Orleans-area veterans within days; it would take years for the private sector to reassemble its records.”

Indeed, where former Surgeon General Regina Benjamin thought she couldn’t afford an EHR before Katrina, she knew she couldn’t run a hospital without one after.

And yet, despite the generally positive results and clear benefits of healthcare IT proliferation, obvious gaps remain. Patients often scatter to the four winds in a disaster and reattaching them to their records is both challenging and not yet reality.

Plans are, however, in the works to fill this gap. The PULSE project, initiated by the Department of Health and Human Services in 2014, is working to create a data-sharing network that’s switched on in emergencies and makes patient records available to first responders and clinicians when they enter patient name, birthdate and gender.

Initial PULSE tests in disaster-familiar California have gone so well that the California Emergency Medical Services Authority plans to keep the system in place and may switch it on during one of the Golden State’s regular events.

All the testing in the world can only provide so much real-world preparation. With climatologists suggesting that the relatively hurricane-free period between Katrina and Harvey is probably over, it’s encouraging to see the progress represented by both PULSE and the performance of Texas and Florida hospitals. Any optimism at this point, however, should be buffered by an urgency to get it even more right the next time the winds start to swirl in the Atlantic, regardless of what name we give them. 

Irv Lichtenwald is president and CEO of Medsphere Systems Corporation, the solution provider for the OpenVista electronic health record.

5 takeaways from the WannaCry ransomware attacks

Will information technology ever realize an imagined future where security is strong enough, reliable enough, secure enough to block any and all attacks?

It’s a dubious proposition made more uncertain by the recent WannaCry ransomware incident that started a couple of weeks ago and continued around the globe for several days. The virus was seemingly halted on Friday, May 12, when a security researcher found weaknesses in the code, but additional versions without those weaknesses have been sent out since.

Whoever is sending out WannaCry will continue, or someone else, someplace else, will send something similar or more virulent. The war is never over.

Which means hospitals, IT vendors, security firms and other HIPAA business associates must constantly work to develop better tools. In pursuit of that goal, what can we learn from the WannaCry attack thus far that can help with security moving forward?

  1. System updates are essential. WannaCry targeted Windows operating systems and succeeded where those operating systems lacked security updates. Hospitals in Britain’s National Health System suffered considerable damage because so many are still using Windows XP, a 16-year-old operating system. Contrast that with U.S. hospitals, which were minimally impacted. Indeed, a major concern for hospitals around the world is the use of old operating systems in a variety of settings that are no longer upgraded or supported. Microsoft rushed a Windows XP security update out after WannaCry was unleashed, but it’s not something the company wants to do or would probably be willing to do with any regularity.

    It probably goes without saying, but the use of unlicensed and unlicense-able software leaves hospitals completely vulnerable to malware attacks. In the U.S., this is not a significant problem. However, in China and countries similarly resistant to strong policing of intellectual property licensing and use, computers may as well put out a virus welcome mat. Reportedly, WannaCry impacted around 29,000 institutions in China. 

  2. Devices are vulnerable. Specifically, WannaCry successfully attacked Bayer Medrad radiology devices in at least a couple of examples, the first known hacks of medical devices. The concern about medical devices is acute simply because they often control something directly related to the patient’s condition. A hack of the EHR system is problematic and disruptive. A hack of a medical device is potentially life-threatening.

  3. Even inept hackers are successful enough to be very disruptive. Possibly derived from hacking tools originally created by the National Security Agency, WannaCry had certain post-NSA vulnerabilities that researchers and security experts could identify relatively quickly. Using terms like “amateur hour” and “easy fix” to describe WannaCry, security professionals said the virus was not a particularly challenging nemesis. But even imperfect malware spread rapidly to more than 150 countries, infected hundreds of thousands of workstations and cost as much as $4 billion. Imagine what kind of damage a more successful hack could do. 

  4. The most expensive part of ransomware is not the ransoms. It’s not unreasonable to see many hackers as anarchists with active minds, time on their hands and a perverse motivation to kick at the pillars of modern society. Most of the ransoms demanded in the WannaCry case were in the $300 to $600 range, and most organizations chose not to pay them. As of Friday, May 12, one consultancy estimated only $100,000 in total had been sent to hackers. No one was going to get independently wealthy off this hack. Still, WannaCry bled an estimated $4 billion from the system. Again, imagine a much more successful effort than WannaCry and you can see how motivated hackers might be determined to bring certain essential industries—healthcare, for example—to a grinding halt without getting dollars in return.

  5. Subscription services are a viable alternative. A primary reason WannaCry succeeded at all is because there is so much old software out there running various computing devices. Subscription software is one way to get old software out of the market. With the subscription option, to use WannaCry as a specific example, Microsoft can quickly and easily provide security updates to all applications and operating systems. The company did, in fact, provide updates in March to patch the security hole WannaCry exploited, which made the damage in the United States much less extensive. Clearly, however, those updates did not extend to the millions of Windows instances in use globally. While technology companies have been promoting subscription software options for years, buyers have been slow to sign on. Perhaps instances like this will convince many that subscription is both the more affordable and safer option. 

Right now, failsafe responses to malware and hackers are multi-pronged, and subscription software can be a significant component in that defense. Each hospital must develop a comprehensive and stringent security program as a necessary foundation for overall protection.  

The security battles will continue into the foreseeable future and each will give us an opportunity to make the defenses more responsive and sophisticated. The hospitals that can learn security lessons without having to pay ransoms or endure systems shutdowns will be those that react rapidly and prepare for the various threats.

Speaking of which, have you installed those Windows security updates recently? 

Richard Sullivan is chief operations officer for Medsphere Systems Corporation, the solution provider for the OpenVista electronic health record.


Time to update your security precautions? Take these five basic steps.

If you’re a small healthcare IT operation, a simple spreadsheet might do the trick. If you’re larger, a not-so-simple spreadsheet might be in order.

Regardless of how you do it, hospitals, clinics and other healthcare organizations must identify and monitor every single instance of computer network access. They’re called endpoints, says Larry Ponemon, founder of the security consulting firm the Ponemon Institute, and for you they exist as vulnerabilities.

Your job is to eliminate those vulnerabilities through a series of basic security-promoting tasks.

While your IT security staff may have conducted such work in the past related to HIPAA, “in the past” is never recent enough for a robust security program in the hyper-changing technology world, especially if the work was incomplete or conducted over a year ago. In too many hospitals, security protections have been a one-shot effort conducted years ago with little follow-up. Your hospital may need to undertake the following actions from a blank slate perspective in order to combat today’s sophisticated threats.

Identify every device on the network.

We’re not talking about just desktops and laptops, here. Think more broadly and identify everything that has a network connection—desktops, laptops, tablets, mobile phones, IoT devices, etc.  You may have also permitted network access for clinicians and staff using their own devices, so take the time to identify those users as well.

Update your software.

After figuring out how many networked devices you have, make sure the security applications on each, including the operating systems themselves, are up to date.

“One of the main reasons hospitals have become ground zero for ransomware attacks is that almost every modern medical device is now a computer,” writes Phillip Hallam-Baker, vice president and principal scientist for cybersecurity firm Comodo, in Health Data Management. “It is not uncommon to find a multi-million dollar device such as an MRI machine running Windows XP Embedded, an operating system version that was last updated when it was retired in 2011.”

Hallam-Baker adds that defeating malware, particularly ransomware, requires a three-pronged approach:

  • Scan inbound email for infected attachments and links to malware sites that automatically download to your computer.
  • Block access to malware sites.
  • Run anti-virus software on every computer in use.
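The first two steps above, identify every device and then check that each is up to date, amount to working through the "simple spreadsheet" the post mentions. The script below is an added example, not code from the original post or from Medsphere: it reads a constructed inventory export and flags the endpoints a security team would chase first (unsupported operating systems such as the Windows XP Embedded MRI case quoted above, stale patch dates, unmanaged and personally owned devices). The CSV columns, the support-status table and the 30-day threshold are my assumptions for the demo.

```python
"""Endpoint inventory triage (added example; not part of the original post)."""
import csv
import io
from datetime import date

# Constructed sample inventory: fictitious hosts, addresses and dates.
SAMPLE_INVENTORY = """\
hostname,ip,os,owner,last_patched,managed
mri-01,10.10.5.21,Windows XP Embedded,radiology,2011-04-12,yes
nurse-ws-07,10.10.1.17,Windows 10,nursing,2017-03-20,yes
rad-ws-02,10.10.5.40,Windows XP,radiology,2014-04-08,yes
lab-srv-1,10.10.2.5,Windows Server 2016,lab,2017-05-16,yes
dr-phone-smith,10.10.9.102,iOS,byod,,no
infusion-pump-3,10.10.6.12,Linux (vendor),pharmacy,2016-11-01,no
"""

# Assumed support-status table for the demo. In practice this comes from
# vendor lifecycle data, not a hard-coded set.
UNSUPPORTED_OS = {"Windows XP", "Windows XP Embedded"}

PATCH_STALE_DAYS = 30  # assumed threshold; pick yours from policy


def parse_inventory(text):
    """Read the spreadsheet export into a list of dicts, one per endpoint."""
    return list(csv.DictReader(io.StringIO(text)))


def assess_endpoint(row, today):
    """Return the findings for one endpoint; an empty list means no issue."""
    findings = []
    if row["os"] in UNSUPPORTED_OS:
        findings.append("unsupported OS: no security updates available")
    if row["last_patched"]:
        age = (today - date.fromisoformat(row["last_patched"])).days
        if age > PATCH_STALE_DAYS:
            findings.append(f"patches {age} days old")
    else:
        # No recorded patch date is itself a finding: you cannot claim the
        # device is current if nobody knows when it was last updated.
        findings.append("patch date unknown")
    if row["managed"].strip().lower() != "yes":
        findings.append("no management agent: patch state cannot be verified")
    if row["owner"] == "byod":
        findings.append("personally owned device on the clinical network")
    return findings


def triage(text, today_iso):
    """Rank endpoints with findings by finding count, worst first.

    Returns a list of (hostname, [findings]) pairs; clean hosts are omitted.
    The sort is stable, so ties keep inventory order.
    """
    today = date.fromisoformat(today_iso)
    results = []
    for row in parse_inventory(text):
        findings = assess_endpoint(row, today)
        if findings:
            results.append((row["hostname"], findings))
    results.sort(key=lambda r: len(r[1]), reverse=True)
    return results


if __name__ == "__main__":
    for host, findings in triage(SAMPLE_INVENTORY, "2017-06-01"):
        print(host)
        for f in findings:
            print("   -", f)
```

Feed it a real export with the same columns and the output is the ordered worklist for the "update your software" step.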

Spread the security gospel.

Now, it’s time for the social engineering. According to respondents in a Ponemon Institute study on networks and cybercrime, 81 percent feel the greatest threat to security is negligent and careless employees who don’t follow established policies and practices. This issue has been complicated in recent years by threats from insecure mobile devices. Train every employee in proper security practices, and reinforce them frequently.

Secure the patient portal.

At some point, turn your attention to the patient portal you installed to meet Meaningful Use. Keith Fricke, the principal consultant at tw-Security, wants you to know that it could create vulnerabilities. Imagine, for example, hostile code that lives on a popular website and downloads to a patient’s home computer. Later visits by that patient to an insecure hospital patient portal might provide a hacker with access to numerous patient records and the opportunity to pass along a virus, hitting your organization with a double whammy.

Cover your business associate bases.

In recent years, according to Ponemon, business associates (BAs) have endured even more data security incidents than healthcare providers.  A major reason is that HIPAA-required BA agreements, once signed, tend to sit on the shelves of all parties. Your partners, including IT vendors, may feel much less urgency about patient data security than you do. Make sure their lack of urgency does not impact your security by taking these steps:

  • Evaluate your entire list of vendors and similar partners to determine which have access to protected health information (PHI). Perhaps some BA agreements were never signed, which puts your organization at great risk.
  • Review all of your BA agreement files. Those dated prior to 2013 are obsolete, which adds to your hospital’s security vulnerability. The 2013 Omnibus HIPAA regulations are much stricter with business associates than the original HIPAA security rules, so it is critical to your security program that all BA partners sign an updated agreement.
  • Insist on compliance with the newer rules as a condition of your continued relationship. Double check your BA’s level of security and ask to see its most recent security risk assessment, one of its many obligations under HIPAA.

Taking these actions will greatly improve your organization’s security position and give you much, if not all, the information you need to perform your own HIPAA-required security risk assessment.

A final note on the costs of data security

Many organizations are ill-prepared for the growing onslaught of security incidents, not because they don’t care, but because of inadequate funding and security expertise. High expenditures for recent initiatives such as Meaningful Use and ICD-10 implementation have not helped. Moving forward, senior management must view data security as a cost of doing business, just as it is with financial services and retail. You will have to spend money on security regularly to make it work. As technologies change and security risks increase, a sustainable security program must include regular updates and different and/or additional spending.

In 2017, the security race between hackers and healthcare is more intense than ever, but it’s not too late to secure your organization’s network if you move quickly and deliberately.

D'Arcy Gue is Director of Industry Relations for Medsphere Systems Corporation. 


Take these six steps to alleviate patient anxiety about data security

Not every patient admitted to your hospital will know that healthcare promises to be the most frequent target of hacking efforts in 2017.

But many will. They may be among the 21 percent of patients who withhold information from their doctor for fear of data breaches.

They might also be familiar with hacking and data breaches more generally, so they will put two and two together and figure out that they have much to lose—both personal and financial information—in a successful hack or ransom scenario.

You have a lot to lose, too, starting with patient dollars and trust, both of which are essential to what you do. Surveys suggest most patients will find a new provider should their information be hacked.

If they do inquire, allay patient fears by pointing to these specific strategies and values your hospital uses to safeguard patient data and prevent malicious access.

  1. Transparency: Some of your older patients are not and will never be comfortable with technology. Many of the younger patients will be very comfortable and knowledgeable about it. For both groups, the strategy is to be transparent, which is actually a much broader subject in healthcare than the scope of this blog post. For our purposes here, explain what patient data is maintained, why it is collected in the first place and what you do with it. If you share de-identified patient data, make sure patients know this. Explain the benefits of data accumulation and evaluation and how it could impact their lives or the lives of someone they love. 

  2. Dialogue: Continuing the transparency, consider asking patients if they are familiar with the transition to EHRs and how they feel about it. Ask if they have an idea about whether security is better or worse in an electronic system versus paper. Explain the weaknesses of paper and how it may impact patients. Talk to your patients about the commitment your organization has made to keeping patient data safe. Ultimately, your obvious goal is to inspire confidence in the patient and demonstrate your expertise with the technology. 

After demonstrating transparency with the patient and establishing open communication about the importance of protecting patient data, explain the measures your hospital has taken to prevent breaches and ransomware incidents.

  3. Security Technology: It will be wise and necessary to assess your patient’s understanding of healthcare technology before offering an explanation of what you’ve put in place. Making every effort to keep the explanation as simple as necessary, talk about what you’ve done to make sure unauthorized access does not happen. This can be as straightforward as talking about the use of strong passwords to access the system, giving different personnel varying levels of access and hiring a chief security officer (CSO), if you have one.

  4. Training and Policy: Something your patients hopefully do not know is that clinicians and other hospital staff are the greatest security vulnerability. Without focusing on that fact, share with patients the security training your hospital has engaged in and policies that define much of your interaction with the EHR system. When you can speak authoritatively to the issues that crop up in a normal day related to security of patient data, your patients will feel more at ease.

  5. System Backup and Recovery: It might be appropriate and reassuring to tell patients that your hospital has a plan for system downtime, as is the case now with almost all hospitals. Perhaps you can also mention the organizational strategies associated with system backup and recovery, how often backups are created and, at a high level, how you test the backup system to ensure proper performance.

  6. Familiarity and Comfort: Often, as patients become more familiar with the aspects of healthcare IT available to them—the patient portal—they also become more comfortable with the system overall. So, by introducing patients to the portal and getting them registered, you are moving toward two goals: lessening their technology anxiety and giving them a little more responsibility for their own care. Over more than a decade, Kaiser Permanente has tracked, documented and refined their use of a patient portal, which may give your hospital some ideas of what a portal can do and how to engage patients in using it.

So, that’s a lot of information to present to patients when many interactions with physicians only last 10 or 15 minutes. Is it too much for a doctor to present? Yes, it probably is, and it might also be inappropriate for the doctor to be focusing on EHR security instead of addressing clinical concerns. The hospitals that find other ways to communicate with patients about healthcare IT will find themselves ahead of the game and will be initiating a transparent dialogue with patients.

What tactics might further this goal?

  • Give them reading material. A really technologically advanced hospital might give patients tablets on which to read materials about IT security, but that’s expensive and creates concerns about theft. Instead give patients documentation on the hospital’s security policies and procedures during the check-in process. Make the same information available on the patient portal.
  • Train the staff. After or in lieu of reading, patients are going to have questions. Make sure the administrative staff are familiar with the healthcare IT policies and can explain them to concerned patients. Still, that’s probably not enough. To assist patients who need it, you will probably also need to designate and provide special training for certain strong communicators among your administrative and clinical staff.

So, in the end, it comes back to sufficient training and subsequent open communication, just as it so often seems to with healthcare IT. Ultimately, hospital staff are both the strongest asset and greatest liability with regard to both security and patient care. Sufficient and periodic training should give your people the knowledge and experience necessary to maintain a secure patient data environment, and it will also enable them to demonstrate why patients should have confidence in your ability to do so.

D'Arcy Gue is Director of Industry Relations for Medsphere Systems Corporation. 


IoT Devices Top a Long List of 2017 Security Threats

It’s worth remembering that 2016 was dubbed the “year of data security” after 90 percent of healthcare providers suffered data breaches in the previous two years. In particular, the Anthem breach of late 2014/early 2015 got everyone’s attention for the sheer magnitude (around 80 million records) of the hack.

Looking back, we can say 2016 lived up to its name as the number of records accessed was significantly lower than the year prior. But IT security is a game of whack-a-mole, so if fewer patient records were lost, malevolent forces simply found other ways to make the lives of healthcare CIOs very difficult.

Ransomware, for example, became the dominant security issue of 2016 and made everyone aware that hackers can always just hold your files hostage if they can’t steal them.

So, does 2017 look like more of the same or will hackers conjure up something new? Sitting here in January, the expectation is that the same security issues will endure, but they will also be accompanied by more challenging and complex concerns.

The Internet of Things (IoT): The difficulty of IoT security is represented by the numbers: There are tens of thousands, if not hundreds of thousands, of IoT devices connected to healthcare networks, and the security on all of them is not ironclad.

“Internet-of-Things devices lack some of the most basic cybersecurity protocols,” writes Jessica Davis in Healthcare IT News. “As a result, these devices can be weaponized en masse – and in as little as three minutes.”

The hacking potential of IoT devices was made clear last October when domain name services provider Dyn was breached via webcams and digital recorders, knocking Twitter, PayPal, Spotify and other internet behemoths offline for hours.

In a recent survey of healthcare executives conducted by Healthcare IT News, 52 percent said security was the highest IT priority for this year, with 58 percent elevating IoT devices to the top of the list of security concerns.

Ransomware: Hackers require access, and unsecured IoT devices give them that access. Once inside, they can continue the breakout year that ransomware had in 2016. In 2017, however, there may simply be more players in the game because the internet is an ever-evolving amusement park of wonders and horrors.

“There is already a ransomware as a service [RaaS] model, which provides automatically generated ransomware executables for anyone who wants to get rich by infecting potential victims,” Ondrej Vlcek, CTO for security firm Avast, explained to ComputerWeekly.com. “The bottom line is that creating or buying your own ransomware has never been easier.”

A panel of security experts speaking with Health Data Management said they expect extortion attacks to increase and become more sophisticated. The solution? According to David Finn, health information technology officer for Symantec, hospitals and health systems must have robust backup systems so they don’t have to pay for extorted patient data.

Data-integrity Attacks: You may have heard of the Stuxnet worm the U.S. government used in 2010 to infiltrate and sabotage Iran’s nuclear program by engineering minor changes in targeted devices. That’s an example of a data-integrity attack. The not-so-good news is that the technology has filtered down to black-hat hackers who can access hospital and health system networks through … wait for it … IoT devices.

“IoT is a massive attack surface that allows people to touch systems that for previous decades haven't been available to be interacted with,” Daniel Miessler, director of client advisory services for security firm IOActive, told CNBC. “This is increasing exponentially.”

Instead of taking data or holding data hostage, hackers can manipulate data in subtle and often unnoticed ways so, for instance, payments don’t go where they’re supposed to. That’s one example of the potential data-integrity attacks offer hackers.

Cloud Infrastructure: There is no shortage of articles touting the benefits of moving to the cloud, even if insufficient attention is paid to the attendant security risks.

As CynergisTek CEO Mac McMillan told Health Data Management, the cloud is “the proverbial double-edged sword. It’s an absolute necessity for advancement, but security continues to lag further behind, which ultimately risks the advancement.”

Extensive due diligence on your cloud services provider is essential, as is a contract that establishes responsibility, reaction and culpability in the event of a breach.

Artificial Intelligence: It would be difficult to imagine that most hospitals and health systems will have the resources to maximize the value of artificial intelligence and machine learning. Unfortunately, that won’t keep hackers from using AI and machine learning as a tool on their side of the security battle.

“From a hacker’s point of view, AI will power malware, and use data from the target to send phishing emails that replicate human mannerisms and content,” said Capgemini UK cyber security chief Andy Powell. “… these AI-powered attacks will resonate with the target better than ever before, meaning they’ll be more likely to fall victim.”

People: As always, there is no more enduring risk to your facility and organizational security than the people who work there. Thorough preparation of your staff is the best defense against the most common forms of hacking and data theft.

But, as Kasey Panetta of Gartner describes in a recent paper on 2017 security trends, it is only one component in an “adaptive security architecture.”

“The evolution of the intelligent digital mesh and digital technology platforms and application architectures means that security has to become fluid and adaptive. Security in the IoT environment is particularly challenging. Security teams need to work with application, solution and enterprise architects to consider security early in the design of applications or IoT solutions. Multilayered security and use of user and entity behavior analytics will become a requirement for virtually every enterprise.”

Does this sound like more technical sophistication and cost than your small or medium-sized healthcare organization can handle? That’s bound to be a common complaint. While all hospitals could potentially fall victim to the security breaches described here, not all hospitals can properly defend against them.

This common vulnerability calls for extensive sharing of knowledge and affordable strategies that guard against loss or manipulation of data. An ongoing Health and Human Services initiative and grant program endeavors to gather and disseminate the most current information on cyber threats, but it may take a few years for that effort to yield actionable information.

It may also call for smaller facilities partnering with those that are larger and more resource rich. We’re seeing relationships between large and small organizations develop in other areas of healthcare IT such as EHR implementation. Getting to the point where healthcare is not such an attractive hacker target may require the same with regard to security.

D'Arcy Gue is Director of Industry Relations for Medsphere Systems Corporation. 


How can we measure health system success without including mental health care?

If community hospitals are a general barometer of health in the surrounding area, the emergency room is the canary in the coal mine. Viral outbreaks, increases in violence, loss of health insurance from local layoffs—all are social ills that make their presence known first in the ER.

Based on recent ER studies, the U.S. is on the cusp of a full-blown mental health crisis.

According to a recent survey of more than 1,700 emergency physicians by the American College of Emergency Physicians (ACEP), three-quarters of ER docs evaluate at least one individual per shift who requires hospitalization for mental illness. Slightly more than 20 percent say patients wait from 2 to 5 days for an inpatient bed. Only 16.9 percent of ERs have a psychiatrist to call in emergencies, and 11.9 percent have no one at all to call when mental illnesses erupt in the ER.

"More than half (52 percent) of emergency physicians say the mental health system in their communities has gotten worse in just the last year," said Rebecca Parker, MD, FACEP, president of the ACEP. "The emergency department has become the dumping ground for these vulnerable patients who have been abandoned by every other part of the health care system."

The most recent survey results dovetail with a separate study presented at ACEP16 that looked at ER use between 2002 and 2011. From that review, we know that psychiatric visits to emergency rooms jumped 55 percent—from 4.4 million to 6.8 million—during the period evaluated.

The experiences of emergency physicians confirm that America is in the midst of a mental health crisis that requires time and attention. While rebuilding mental health care, we also need to use that process to learn. The state of mental health care can be both a measure of overall healthcare system progress and a cautionary tale about the unintended consequences of using information technology.

Healthcare is functioning when the mentally ill get treatment.

Yes, healthcare is in the midst of a revolution encompassing digitization of data, new payment models, the use of wearable devices and a host of other changes. It often feels like the entire healthcare enterprise is subject to some kind of change.

And yet none of the current overhauls will keep the mentally ill from showing up in emergency rooms. The House has passed legislation intended to help improve the mental health care system and, in part, alleviate some of the stress on emergency services. Hopefully the Senate will do likewise.

What would system changes that benefit the mentally ill look like, beyond a drop in ER visits? Probably something like a patient-centered medical home.

The mentally ill would have a psychiatric professional who would be contacted in the event of an episode at the ER. A network of caregivers, friends and family could provide some confidence that proper care would follow the ER visit. An integrated healthcare IT system would give ER docs the data they need when a man with bipolar disorder wanders in, and it would let the man’s physician know he perhaps forgot to take his meds and had an episode.

Current fractures in the mental health care system mean those who enter the ER with a mental illness are often admitted for lack of local mental health services and support.

When the mentally ill get the care they need, we will know that the intersecting but uncoordinated goals of parity, interoperability, coverage and coordination have finally been met.

Digitized mental health care is better mental health care.

It’s not just that EHRs and other forms of healthcare IT give ER docs more information at the point of care about mentally ill patients. Digital systems that incorporate complete patient records also back up behavioral health clinicians and empower them to provide better care.

A six-year study focused specifically on mental health by researchers at the University of Southern California’s Keck School of Medicine showed that electronic charting yielded noticeably better clinical documentation. The complete documentation of visits and procedure codes rose from 60 to 100 percent. The timely completion of records improved quality of care and proved an asset in clinical training.

More than just clinical work improves with healthcare IT. Billing and reporting, both essential for financial viability, are more straightforward tasks with electronic support.

“The way things are going, it’s almost going to be impossible to not have an EHR,” Jennifer D’Angelo, chair of the new HIMSS Long Term Care and Behavioral Health Task Force and vice president of information services for Christian Health Care Center in New Jersey, told Behavioral Healthcare. “From an interoperability standpoint, and from a reimbursement standpoint, it’s being required. All levels of care will need to have an EHR for care coordination among all providers.”

Caveat: System security and personal privacy are more crucial with mental health data.

If your patient records are compromised or inappropriately shared, your primary concern is not that people will know you had an appendectomy in 2006 and a mole removed in 2011. You’re most worried about all the other information that will make it easy for the thief to misuse your information or even assume your identity.

And then there’s the experience of Canadian Lois Kamenitz, whose patient record showed that she attempted suicide in 2006. When Kamenitz tried to enter the United States in 2010, U.S. Customs and Border Patrol pulled her aside and would not let her enter the country until she filled out lots of paperwork, paid an American doctor $250 to process it and signed a document saying her medical records would become the “permanent property of the United States.”

Her personal privacy violated in a most unexpected scenario, Kamenitz found out the hard way that personal health information could be used against her after Toronto police shared a database with the Department of Homeland Security. Her experience is not an anomaly. It's not just that a person’s health information could be improperly exploited if accessed by non-clinical reviewers. Non-behavioral health clinicians can also mistakenly complicate or skew physical evaluations, procedure orders and prescriptions.

So, is the paradox of EHRs and behavioral health patient integrity—improve patient care, increase patient vulnerability—a challenge that requires special attention? Yes, it does. Of course healthcare’s standard is that ALL patient records must be secure, but the sensitive nature of mental illness can often necessitate special diligence beyond what works to secure patient data in acute care. Public perceptions of mental illness frequently include fears of violence or unexpected behavior; at the same time, mentally ill patients fear that public exposure may threaten their employment and community relationships.

Clearly, there are policy issues that have yet to be worked out. Canada changed a policy that will hopefully make what happened to Lois Kamenitz rare or maybe impossible. Let’s hope that the trial-and-error process of policy development works itself out quickly with as few casualties as possible.

While there is much work to be done in simply improving mental health care and the lives of those who suffer, we must put IT and data security measures in place to ensure that citizens are not punished once by their mental illness and then again by a society that fears them.

Irv Lichtenwald is president and CEO of Medsphere Systems Corporation, the solution provider for the OpenVista electronic health record.

Your most valuable security assets are human, not technical

You know already that the biggest threat to healthcare IT security is the human element. But if human beings are the greatest vulnerability, that also makes them the strongest asset.

Here’s why.

According to the 2016 HIMSS Cybersecurity Survey, the two primary healthcare IT security concerns among provider organizations (hospitals and physician practices) are phishing attacks (most pressing concern for 77 percent of respondents) and viruses / malware (67 percent). Both events require a responsive actor on the organization side of the transaction for hackers to access patient data.

It may seem like this is a rather straightforward problem to resolve—just make sure clinicians and staff have the requisite knowledge and savvy to not get duped and all is good. In reality, especially among larger organizations with hundreds of potential points of entry, turning human beings into alert sentries is a constant human behavioral challenge.

So what strategies can even a large healthcare organization employ to ensure that the people who use IT systems are firmly engaged in system defense?

  1. Train, train and then train some more. A study by Wombat Security Technologies and the Aberdeen Group suggests that upgrading employee awareness can reduce security risk by anywhere from 45 to 70 percent. Among the highlights of the report are these bits of crucial and related information:

    • There is no such thing as a 100 percent secure IT system if it is used by people. It makes little sense to invest heavily in technology if you fail to effectively train system users.
    • An organization with $200 million in annual revenue can expect to lose $2.5 million per year from infections borne of employee behavior, with an 80 percent chance the loss could jump to $8 million annually. (Note that this is across organizations and not specific to healthcare.)

    Don’t assume that any bit of information about system security—maintaining strong passwords, keeping mobile devices secure, navigating the internet safely, etc.—is common knowledge to employees and staff. Someone may not know something that will cause your organization harm.

    Your goal in training is to inculcate a culture of security that becomes second nature to every user beyond just IT staff. Indeed, you are working to expand the awareness of the IT team outward to all staff and employees.

    According to the results of another recent survey conducted across industries by Experian Data Breach Resolution and the Ponemon Institute, there is room for much improvement when it comes to preparing employees.

    • Only 46 percent of companies require employee training on data security; only 60 percent require re-training after a data breach.
    • Half of survey participants think their current training programs actually reduce noncompliant behavior, and 43 percent said their organization provides only one broad training course that doesn’t include some of the finer points of system security.
  2. Beware the disgruntled employee. Internal staff members motivated to do harm are a particularly troubling challenge. Could there be a Snowden or Manning in your organization? It’s less likely where ideological issues are not a factor, but it’s also impossible to gauge exactly what might set people off. Prepare for the disgruntled just in case.

    • Make sure that all active privileged accounts are connected to a current team member.
    • Audit the system regularly and immediately after any kind of security breach. (Privileged accounts used in a breach that are not connected to a current member will lower the value of the audit significantly.)
    • Closely monitor and manage privileged accounts, and create alerts to enable rapid reaction when things go awry.
    • Make sure departing members of the team return laptops and other mobile devices before they leave the organization.
    • Ensure only the minimum necessary access to certain information for each member of the team.
    • Apply sanctions for violating known policy consistently, quickly and even-handedly.
    • Consider having managers and directors, especially those working with clinical staff, identify the people they have concerns about and share that information.
  3. Elevate the importance of strong security among organizational and leadership priorities. According to the Experian Data Breach Resolution and the Ponemon Institute study, only 35 percent of respondents said they think senior executives feel it is important for team members to understand the potential organizational risks from data breaches. That correlates with the 60 percent of companies that feel their employees are not sufficiently aware of potential security breaches.

    On a related note, only 33 percent said their organization rewards employees for being security proactive, and 32 percent said there is no penalty at their organization when an employee causes a breach. Perhaps executives should take a look at incentives as well.
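The first two controls in the "disgruntled employee" list above (every privileged account tied to a current team member, regular audits) reduce to a reconciliation check that can be scripted. The following is an added example, not code from the article or from Medsphere; the roster and privileged-group exports are constructed sample data, and the field names and the 90-day staleness threshold are assumptions.

```python
"""Reconcile privileged accounts against the staff roster.

Added example (not from the article). Inputs are constructed: a staff
roster export as HR would provide it, and a privileged-group export as
the directory would provide it. Field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StaffRecord:
    user_id: str
    name: str
    departed_on: Optional[date]  # None while still employed


@dataclass(frozen=True)
class PrivilegedAccount:
    account: str
    owner_id: Optional[str]      # None for a shared/service account with no named owner
    last_login: Optional[date]   # None if the account has never logged in


# Constructed sample exports (not real data).
ROSTER = [
    StaffRecord("u1001", "A. Nurse", None),
    StaffRecord("u1002", "B. Admin", date(2017, 1, 15)),   # left the organization
    StaffRecord("u1003", "C. DBA", None),
]
PRIVILEGED = [
    PrivilegedAccount("adm-anurse", "u1001", date(2017, 1, 30)),  # healthy
    PrivilegedAccount("adm-badmin", "u1002", date(2017, 1, 20)),  # owner departed
    PrivilegedAccount("adm-legacy", "u9999", date(2016, 6, 1)),   # owner not on roster
    PrivilegedAccount("svc-backup", None, date(2017, 1, 31)),     # no named owner
    PrivilegedAccount("adm-cdba", "u1003", date(2016, 9, 1)),     # unused for months
]


def audit_privileged_accounts(privileged: List[PrivilegedAccount],
                              roster: List[StaffRecord],
                              as_of: date,
                              stale_days: int = 90) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs an auditor must resolve.

    Checks, in order: the account has a named owner, the owner exists on
    the roster, the owner has not departed, and the account has been used
    within `stale_days` (an unused privileged account is excess access).
    """
    by_id = {s.user_id: s for s in roster}
    findings: List[Tuple[str, str]] = []
    for acct in privileged:
        if acct.owner_id is None:
            findings.append((acct.account, "no named owner"))
            continue
        owner = by_id.get(acct.owner_id)
        if owner is None:
            findings.append((acct.account, "owner not on roster"))
            continue
        if owner.departed_on is not None and owner.departed_on <= as_of:
            findings.append((acct.account, f"owner departed {owner.departed_on.isoformat()}"))
            continue
        if acct.last_login is None or (as_of - acct.last_login).days > stale_days:
            findings.append((acct.account, f"unused for more than {stale_days} days"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_privileged_accounts(PRIVILEGED, ROSTER, date(2017, 2, 1)):
        print(f"{account}: {finding}")
```

Run on a schedule and after any incident, a non-empty result is the list of accounts to disable or re-assign before the next audit.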

Will you be able to eliminate data breaches by following these strategies diligently? It’s not likely. Make reduction and mitigation your goal, and if elimination happens, throw a huge party before getting back to work.

Healthcare data breaches are more expensive than those in any other industry, climbing to an average of $4 million in 2016, according to the Ponemon Institute. Can you afford to lose $4 million regularly, only occasionally or once in a blue moon? Let your answer to that question drive the energy with which you put your organization’s comprehensive security plan in place.


HIMSS Cybersecurity Survey: Medical identity theft remains number one concern

Most healthcare cybersecurity stories over the last year or so have focused on ransomware, the frightening new weapon in the hacker arsenal. But the results from the recent 2016 HIMSS Cybersecurity Survey suggest that medical identity theft remains both more lucrative than ransomware for hackers and the primary concern of healthcare IT leaders. According to the survey, 77 percent of respondents feel medical identity theft is the “most common reason” for virtual attacks on healthcare facilities.

What else can we learn from HIMSS’ survey of 150 provider organizations?

  • The lack of resources—both financial and human—is the underlying challenge in mitigating cybersecurity risk. Nearly 60 percent of respondents said they don’t have adequate personnel, and 55 percent said they lack the funds to properly combat what has become a daily battle with hackers.
  • Employees are either an asset or a liability, depending on their level of preparedness. At 77 percent, phishing attacks are the number one cybersecurity concern of survey respondents, who also said email is the primary vulnerability.
  • Healthcare organizations are not using the full set of tools. When asked what cybersecurity tools they use, 64 percent of poll participants said data encryption in transit; 59 percent use encryption at rest, and 54 percent use intrusion detection systems. “Providers have implemented a modest amount of basic and advanced information security tools,” says the HIMSS report.
  • Ransomware has a lot of people scared. When looking to the future of cybersecurity, ransomware is the challenge most respondents fear at 69 percent. Never expected to disappear, phishing scams come in second at 61 percent.
  • The healthcare cybersecurity battle is a daily fact of life. Among poll respondents, 80 percent said they had experienced a “significant security incident” recently. HIMSS recognizes that cybersecurity is a sensitive topic for most if not all healthcare organizations and “… the pervasiveness of attacks presented here may actually be under-represented.”

Perhaps there are security measures mentioned in the report you could be taking but didn’t know about. Maybe you feel like an island in an ocean of hackers that for some reason have targeted you and seemingly no one else. The 2016 HIMSS Cybersecurity Survey report provides an industry overview, but it also enables you to compare your security readiness with others and understand the challenges all healthcare organizations face in the information age.

D'Arcy Gue is Director of Industry Relations for Medsphere Systems Corporation. 
