Is your health data more safe or vulnerable in the cloud?

The illusion of control is tempting, even intoxicating. It’s also a characteristic that almost all humans manifest to one degree or another as we work to satisfy competence motives, the need for security and survival instincts.

Because proximity often feels like control, it might also get in the way of secure healthcare IT.

“Files stored in reliable cloud services are some of the most secure files you can have, provided you have good passwords,” says software engineer John Miller, PhD. “Google, Microsoft, and Amazon all provide reliable cloud services for consumer file storage.”

What, in particular, makes cloud storage superior, according to Miller?

  • Redundancy: The chances of losing the same data saved in at least a couple of different places are low.
  • Security: Keep passwords and access to local machines safe and you’re in good shape. Data centers are not easily hackable and very difficult to physically penetrate.
  • Safe Sharing: You can give trusted individuals read access to data without having to deal with security risks like thumb drives and file copies.

Still, it’s a mistake to think that Amazon or Google can be entrusted with all security precautions. Your healthcare IT vendor is an active player in making sure your particular system is secure. When shopping vendors or considering a move to the cloud, have a conversation that includes these specific concerns:

Risk: How much risk will you be comfortable with? While you could choose to lock your system up tight, there is a tension between system security and ease of access. Find a balance between the two. In striking that balance, ask for assessment process documentation that includes establishing a risk threshold and effectively managing potential security issues related to third-party vendors.

Cloud Security Tools: It’s not wise to rely exclusively on cloud vendor security, but it is also unwise to reject any inherent security they provide. Document succinctly what is part of the cloud service and what your healthcare IT vendor layers on. Two-factor or multi-factor authentication, now widely used, may be one example of a security protocol built into the cloud vendor package.

Responsibility: It will be vital that you ask relevant and pointed questions about responsibility across all three spheres: the cloud vendor, the healthcare IT vendor and your organization. Evaluate documentation that describes what security measures come from each and how they complement one another. It’s critical that you understand whether there are any holes in the security mesh you’re looking to create.

One of the more challenging aspects of moving to the cloud for many healthcare organizations is an uncertainty about what questions to ask. Too often, hospitals and other healthcare organizations may be tempted to just say, “That’s your area of expertise. Make it work.”

It will benefit you in the long run to probe and make your healthcare IT vendor defend and quantify their security approach.

And what, at a minimum, should that approach include?

  1. A Design Philosophy: It may go without saying that your healthcare IT vendor has had to work HIPAA and HITECH considerations into their design approach, but you will still want to see documentation detailing exactly how. Protecting patient data, for example, will require that your data be isolated via network layout from other customer instances. Live and back-up systems should be geographically separate in case of catastrophe. And network access controls should be layered at multiple levels so easy access is impossible. Again, find the right amount of tension between access and security.
  2. Access Control: The security of your system will be preserved because everyone in your organization adheres to access protocols. Communication between the clinical site and the cloud location should be transported via an IPsec virtual private network (VPN). End users will transparently use the VPN to access system applications in the cloud. Multi-factor authentication for user access and constant system monitoring are both big steps toward a system that’s hard to breach.
  3. Encryption: Make sure that your patient data is encrypted both in transit and at rest, i.e., when it’s sent across the VPN and when it is stored in the cloud. All operational, backup and log data should be encrypted using, at a minimum, the FIPS 140-2 compliant AES-256 standard. Ask about the encryption standard and for documentation of the protocol for moving to newer, more rigorous standards.
  4. Disaster Recovery/Business Continuity: One of the strongest and most obvious arguments for moving to the cloud is the availability of disaster recovery and high availability backups. While unlikely, a disaster could destroy both the live and backup systems if both are in the same place, so ask if they are geographically distinct. You will want primary-to-secondary data replication to be constant, and hourly system snapshots should also be provided in the event of extreme situations. Also, make sure the disaster recovery site is ready to take over organizational operations at the drop of a hat if necessary.
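
As an added example (not part of the original article or any vendor's tooling), the sketch below checks a vendor's documented evidence against the minimums in the list above: geographic separation, IPsec, multi-factor authentication, AES-256 for operational, backup and log data, and hourly snapshots. The field names and sample values are hypothetical and constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed vendor evidence. Field names are hypothetical, not a provider API.
SAMPLE_EVIDENCE = {
    "primary_region": "us-east",
    "dr_region": "us-east",
    "site_link": "ipsec",
    "mfa_enforced": True,
    "encryption_in_transit": "AES-256",
    "encryption_at_rest": {"operational": "AES-256", "backup": "AES-256",
                           "log": "AES-128"},
    "snapshots": ["2017-09-01T00:00", "2017-09-01T01:00", "2017-09-01T02:00",
                  "2017-09-01T04:30", "2017-09-01T05:00"],
}

REQUIRED_CIPHER = "AES-256"  # the minimum named in the list above
DATA_CLASSES = ("operational", "backup", "log")


def snapshot_gaps(timestamps, max_gap=timedelta(hours=1)):
    """Return (earlier, later) pairs of consecutive snapshots more than max_gap apart."""
    times = sorted(datetime.fromisoformat(t) for t in timestamps)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]


def review_evidence(ev):
    """Return a list of finding codes; an empty list means every check passed."""
    findings = []
    # Missing regions compare equal (None == None), so absent evidence fails closed.
    if ev.get("primary_region") == ev.get("dr_region"):
        findings.append("dr_not_geographically_separate")
    if str(ev.get("site_link", "")).lower() != "ipsec":
        findings.append("site_link_not_ipsec")
    if not ev.get("mfa_enforced", False):
        findings.append("mfa_not_enforced")
    if ev.get("encryption_in_transit") != REQUIRED_CIPHER:
        findings.append("transit_below_minimum")
    # Assumption: only an exact "AES-256" label is accepted as meeting the minimum.
    at_rest = ev.get("encryption_at_rest", {})
    for data_class in DATA_CLASSES:
        if at_rest.get(data_class) != REQUIRED_CIPHER:
            findings.append(f"at_rest_below_minimum:{data_class}")
    snaps = ev.get("snapshots", [])
    if len(snaps) < 2:
        findings.append("snapshot_history_missing")
    for earlier, later in snapshot_gaps(snaps):
        findings.append(f"snapshot_gap:{earlier:%H:%M}-{later:%H:%M}")
    return findings


if __name__ == "__main__":
    for finding in review_evidence(SAMPLE_EVIDENCE):
        print(finding)
```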

Ultimately, while cloud security makes your organization no more vulnerable to breaches than you are with an onsite data center, there are better and worse ways to approach the cloud. A hybrid model, for example, of some local servers and some cloud hosting actually creates more vulnerabilities than a strictly public cloud approach. Your goal is to have fewer, not more, access points that could be breached.

“To be fair, much of the common perception of cloud security—or insecurity as the case may be—is just myth. Pervasive myth, but myth nonetheless,” says Tony Bradley at Forbes.

And it’s a myth many organizations now benefit from having banished. So, while you’re cleaning out the closet of long-held but possibly incorrect beliefs like the illusion of control, just toss cloud insecurity on the trash heap as well. When managed with the same level of care as local data centers, the cloud offers clear advantages.

Richard Sullivan, MSIS, is chief government officer for Medsphere Systems Corporation.

Category: Security

Hurricanes highlight healthcare IT improvement, expose gaps

Yes, Katrina was already losing appeal as a girl’s name by 2005, when it had fallen to 247th most popular in the United States. But the so-named hurricane that swamped New Orleans in August of that year pushed it off a ledge. By May of 2007 Katrina had fallen more than 100 spots to number 382, its lowest level since the 1950s.

Less trivial is the impact of Katrina on hospitals and healthcare, which has regularly measured itself against the ghost of a seemingly manageable Category 3 storm that morphed into a disaster of historic proportions and nearly destroyed one of America’s more storied cities.

Since Katrina there have been Rita and Wilma, also in 2005, and Superstorm Sandy on the eastern seaboard in 2012, but nothing else. The recent arrivals of Harvey in Texas and Irma in Florida are healthcare IT’s first real opportunities to test existing infrastructure against Mother Nature.

So, what are the early reports on the shift to electronic records, remote / cloud hosting and disaster recovery sites after the hurricanes? Things are better, but it’s still a work in progress. After all, many hospitals in New Orleans had EHRs, but it didn’t matter when the water kept rising.

“When Hurricane Katrina smashed into New Orleans in 2005 … tens of thousands of patients lost their entire medical histories—boxes of paper files disintegrated or washed out to sea by the rising waters,” writes Megan Molteni in Wired magazine. “Widespread data loss won’t be as much of a problem for Houston. Today, about 75 percent of providers keep records electronically. But patients still may have trouble accessing their records when it matters most: in the middle of crisis and recovery.”

That’s right. Interoperability remains the hill healthcare IT still has not taken, despite the proliferation of EHRs.

The fear of a Katrina redux inspired many hospitals to improve their physical infrastructure by installing “submarine doors, flood gates, and above-ground backup generators,” which kept 90 of 110 Houston-area hospitals from having to evacuate patients. Darrell Pile, CEO of an organization that coordinated patient evacuation and relocation related to Harvey, said he knew of no hospitals in Houston that lost access to patient records.

And yet, everything was still not totally copacetic in Texas.

“For lots of these patients, these are not their normal clinics,” explained Dan Jensen, manager of 11 clinics in the VillageMD Houston network. “We can try to pull data on some of them, but it’s very limited what we can get. A lot of times we have to start from scratch.”

But Jensen also illustrated the ways in which healthcare IT enables flexibility and rapid response during emergencies. Able to reach only 10,000 of 160,000 patients before the storm, VillageMD Houston’s IT provider was able to engineer a patient portal fix overnight that extended portal communication to all patients, even those who had not signed up.

While Houston was drying out, Irma’s visit to Florida ended up being less destructive but more directly impactful because it shut down most of the state. In total, 36 Florida hospitals closed either in anticipation of the storm or because of its impact. Statewide, 54 hospitals were forced to use backup generators and some reported modest flooding but remained open.

And the Florida Hospital Association received no reports of EHR failure.

Arriving so close together, Harvey and Irma almost entered the national consciousness as one storm. Taken together, early returns suggest healthcare IT has progressed significantly since Katrina.

“Policymakers and health care providers can celebrate one quiet success in the wake of the Houston storm: the computers are still running,” writes Darius Tahir in Politico. “The preservation of patient health records represents a partial vindication for the HITECH Act … that was conceived, in part, as a way to ameliorate natural disasters like Hurricane Katrina by replacing waterlogged paper with modern technology.”

But it wasn’t just Katrina that spurred lawmakers to pass the HITECH Act. It was also the VA’s response to the hurricane.

“The VA — with its pioneering VistA EHR — was able to retain records and access them much more rapidly than its private-sector peers during Katrina,” says Tahir, “… the organization restored access to records from 40,000 New Orleans-area veterans within days; it would take years for the private sector to reassemble its records.”

Indeed, where former Surgeon General Regina Benjamin thought she couldn’t afford an EHR before Katrina, she knew she couldn’t run a hospital without one after.

And yet, despite the generally positive results and clear benefits of healthcare IT proliferation, obvious gaps remain. Patients often scatter to the four winds in a disaster and reattaching them to their records is both challenging and not yet reality.

Plans are, however, in the works to fill this gap. The PULSE project, initiated by the Department of Health and Human Services in 2014, is working to create a data-sharing network that’s switched on in emergencies and makes patient records available to first responders and clinicians when they enter patient name, birthdate and gender.

Initial PULSE tests in disaster-familiar California have gone so well that the California Emergency Medical Services Authority plans to keep the system in place and may switch it on during one of the Golden State’s regular events.

All the testing in the world can only provide so much real-world preparation. With climatologists suggesting that the relatively hurricane-free period between Katrina and Harvey is probably over, it’s encouraging to see the progress represented by both PULSE and the performance of Texas and Florida hospitals. Any optimism at this point, however, should be buffered by an urgency to get it even more right the next time the winds start to swirl in the Atlantic, regardless of what name we give them. 

Irv Lichtenwald is president and CEO of Medsphere Systems Corporation, the solution provider for the OpenVista electronic health record.

5 takeaways from the WannaCry ransomware attacks

Will information technology ever realize an imagined future where security is strong enough, reliable enough, secure enough to block any and all attacks?

It’s a dubious proposition made more uncertain by the recent WannaCry ransomware incident that started a couple of weeks ago and continued around the globe for several days. The virus was seemingly halted on Friday, May 12, when a security researcher found weaknesses in the code, but additional versions without those weaknesses have been sent out since.

Whoever is sending out WannaCry will continue, or someone else, someplace else, will send something similar or more virulent. The war is never over.

Which means hospitals, IT vendors, security firms and other HIPAA business associates must constantly work to develop better tools. In pursuit of that goal, what can we learn from the WannaCry attack thus far that can help with security moving forward?

  1. System updates are essential. WannaCry targeted Windows operating systems and succeeded where those operating systems lacked security updates. Hospitals in Britain’s National Health System suffered considerable damage because so many are still using Windows XP, a 16-year-old operating system. Contrast that with U.S. hospitals, which were minimally impacted. Indeed, a major concern for hospitals around the world is the use of old operating systems in a variety of settings that are no longer upgraded or supported. Microsoft rushed a Windows XP security update out after WannaCry was unleashed, but it’s not something the company wants to do or would probably be willing to do with any regularity.

    It probably goes without saying, but the use of unlicensed and unlicense-able software leaves hospitals completely vulnerable to malware attacks. In the U.S., this is not a significant problem. However, in China and countries similarly resistant to strong policing of intellectual property licensing and use, computers may as well put out a virus welcome mat. Reportedly, WannaCry impacted around 29,000 institutions in China. 

  2. Devices are vulnerable. Specifically, WannaCry successfully attacked Bayer Medrad radiology devices in at least a couple of examples, the first known hacks of medical devices. The concern about medical devices is acute simply because they often control something directly related to the patient condition. A hack of the EHR system is problematic and disruptive. A hack of a medical device is potentially life-threatening. 

  3. Even inept hackers are successful enough to be very disruptive. Possibly derived from hacking tools originally created by the National Security Agency, WannaCry had certain post-NSA vulnerabilities that researchers and security experts could identify relatively quickly. Using terms like “amateur hour” and “easy fix” to describe WannaCry, security professionals said the virus was not a particularly challenging nemesis. But even imperfect malware spread rapidly to more than 150 countries, infected hundreds of thousands of workstations and cost as much as $4 billion. Imagine what kind of damage a more successful hack could do. 

  4. The most expensive part of ransomware is not the ransoms. It’s not unreasonable to see many hackers as anarchists with active minds, time on their hands and a perverse motivation to kick at the pillars of modern society. Most of the ransoms demanded in the WannaCry case were in the $300 to $600 range, and most organizations chose not to pay them. As of Friday, May 12, one consultancy estimated only $100,000 in total had been sent to hackers. No one was going to get independently wealthy off this hack. Still, WannaCry bled an estimated $4 billion from the system. Again, imagine a much more successful effort than WannaCry and you can see how motivated hackers might be determined to bring certain essential industries, healthcare for example, to a grinding halt without getting dollars in return.

  5. Subscription services are a viable alternative. A primary reason WannaCry succeeded at all is that there is so much old software out there running various computing devices. Subscription software is one way to get old software out of the market. With the subscription option, to use WannaCry as a specific example, Microsoft can quickly and easily provide security updates to all applications and operating systems. The company did, in fact, provide updates in March to patch the security hole WannaCry exploited, which made the damage in the United States much less extensive. Clearly, however, those updates did not extend to the millions of Windows instances in use globally. While technology companies have been promoting subscription software options for years, buyers have been slow to sign on. Perhaps instances like this will convince many that subscription is both the more affordable and safer option.

Right now, failsafe responses to malware and hackers are multi-pronged, and subscription software can be a significant component in that defense. Each hospital must develop a comprehensive and stringent security program as a necessary foundation for overall protection.  

The security battles will continue into the foreseeable future and each will give us an opportunity to make the defenses more responsive and sophisticated. The hospitals that can learn security lessons without having to pay ransoms or endure systems shutdowns will be those that react rapidly and prepare for the various threats.

Speaking of which, have you installed those Windows security updates recently? 

Richard Sullivan is chief operations officer for Medsphere Systems Corporation, the solution provider for the OpenVista electronic health record.


Time to update your security precautions? Take these five basic steps.

If you’re a small healthcare IT operation, a simple spreadsheet might do the trick. If you’re larger, a not-so-simple spreadsheet might be in order.

Regardless of how you do it, hospitals, clinics and other healthcare organizations must identify and monitor every single instance of computer network access. They’re called endpoints, says Larry Ponemon, founder of the security consulting firm the Ponemon Institute, and for you they exist as vulnerabilities.

Your job is to eliminate them through a series of basic security-promoting tasks.

While your IT security staff may have conducted such work in the past related to HIPAA, “in the past” is never recent enough for a robust security program in the hyper-changing technology world, especially if the work was incomplete or conducted over a year ago. In too many hospitals, security protections have been a one-shot effort conducted years ago with little follow-up. Your hospital may need to undertake the following actions from a blank slate perspective in order to combat today’s sophisticated threats.

Identify every device on the network.

We’re not talking about just desktops and laptops, here. Think more broadly and identify everything that has a network connection—desktops, laptops, tablets, mobile phones, IoT devices, etc.  You may have also permitted network access for clinicians and staff using their own devices, so take the time to identify those users as well.

Update your software.

After figuring out how many networked devices you have, make sure the security applications on each, which include operating systems, are up to date.

“One of the main reasons hospitals have become ground zero for ransomware attacks is that almost every modern medical device is now a computer,” writes Phillip Hallam-Baker, vice president and principal scientist for cybersecurity firm Comodo, in Health Data Management. “It is not uncommon to find a multi-million dollar device such as an MRI machine running Windows XP Embedded, an operating system version that was last updated when it was retired in 2011.”

Hallam-Baker adds that defeating malware, particularly ransomware, requires a three-pronged approach:

  • Scan inbound email for infected attachments and links to malware sites that automatically download to your computer.
  • Block access to malware sites.
  • Run anti-virus software on every computer in use.
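
The first two steps above, inventory and patch status, can be run as one pass over the endpoint spreadsheet. This is an added example, not from the original article: the column names, risk weights and sample rows are constructed assumptions, and the 90-day patch window is an arbitrary default to adjust to your own policy.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (not real data); column names are assumptions.
SAMPLE_INVENTORY = """\
hostname,device_type,os,last_patched,owner
ws-er-01,desktop,Windows 10,2017-05-20,hospital
mri-02,medical_device,Windows XP Embedded,2011-01-10,hospital
tab-ward3,tablet,Android 7,,hospital
dr-lee-phone,mobile_phone,iOS 10,2017-04-02,
lab-pc-07,desktop,Windows 7,2016-11-15,hospital
"""

# Assumption: OS name prefixes the organization treats as out of vendor support.
UNSUPPORTED_OS = ("windows xp",)
# Assumption: illustrative weights used only to order the follow-up list.
WEIGHTS = {"unsupported_os": 3, "patch_stale": 2,
           "patch_date_unknown": 2, "owner_unknown": 1}


def _field(row, name):
    """Return a trimmed cell value, treating a missing column as empty."""
    return (row.get(name) or "").strip()


def audit_inventory(csv_text, today, max_patch_age_days=90):
    """Return [(hostname, score, issues)] for flagged endpoints, riskiest first."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        if _field(row, "os").lower().startswith(UNSUPPORTED_OS):
            issues.append("unsupported_os")
        try:
            patched = date.fromisoformat(_field(row, "last_patched"))
        except ValueError:
            # Empty or malformed date: treat as unknown, never as up to date.
            issues.append("patch_date_unknown")
        else:
            if (today - patched).days > max_patch_age_days:
                issues.append("patch_stale")
        if not _field(row, "owner"):
            # Personal devices with no recorded user cannot be followed up.
            issues.append("owner_unknown")
        if not issues:
            continue
        score = sum(WEIGHTS[i] for i in issues)
        if _field(row, "device_type") == "medical_device":
            score *= 2  # patient-facing equipment goes to the top of the list
        flagged.append((_field(row, "hostname"), score, issues))
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for host, score, issues in audit_inventory(SAMPLE_INVENTORY, date(2017, 6, 1)):
        print(f"{score:>3}  {host:<14} {', '.join(issues)}")
```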

Spread the security gospel.

Now, it’s time for the social engineering. According to respondents in a Ponemon Institute study on networks and cybercrime, 81 percent feel the greatest threat to security is negligent and careless employees who don’t follow established policies and practices. This issue has been complicated in recent years by threats from insecure mobile devices. Train every employee in proper security practices, and reinforce them frequently.

Secure the patient portal.

At some point, turn your attention to the patient portal you installed to meet Meaningful Use. Keith Fricke, the principal consultant at tw-Security, wants you to know that it could create vulnerabilities. Imagine, for example, hostile code that lives on a popular website and downloads to a patient’s home computer. Later visits by that patient to an insecure hospital patient portal might provide a hacker with access to numerous patient records and the opportunity to pass along a virus, hitting your organization with a double whammy.

Cover your business associate bases.

In recent years, according to Ponemon, business associates (BAs) have endured even more data security incidents than healthcare providers.  A major reason is that HIPAA-required BA agreements, once signed, tend to sit on the shelves of all parties. Your partners, including IT vendors, may feel much less urgency about patient data security than you do. Make sure their lack of urgency does not impact your security by taking these steps:

  • Evaluate your entire list of vendors and similar partners to determine which have access to protected health information (PHI). Perhaps some BA agreements were never signed, which puts your organization at great risk.
  • Review all of your BA agreement files. Those dated prior to 2013 are obsolete, which adds to your hospital’s security vulnerability. The 2013 Omnibus HIPAA regulations are much stricter with business associates than the original HIPAA security rules, so it is critical to your security program that all BA partners sign an updated agreement.
  • Insist on compliance with the newer rules as a condition of your continued relationship. Double check your BA’s level of security and ask to see its most recent security risk assessment, one of its many obligations under HIPAA.

Taking these actions will greatly improve your organization’s security position and give you much, if not all, of the information you need to perform your own HIPAA-required security risk assessment.

A final note on the costs of data security

Many organizations are ill-prepared for the growing onslaught of security incidents, not because they don’t care, but because of inadequate funding and security expertise. High expenditures for recent initiatives such as Meaningful Use and ICD-10 implementation have not helped. Moving forward, senior management must view data security as a cost of doing business, just as it is with financial services and retail. You will have to spend money on security regularly to make it work. As technologies change and security risks increase, a sustainable security program must include regular updates and different and/or additional spending.

In 2017, the security race between hackers and healthcare is going stronger than ever, but it’s not too late to secure your organization’s network if you move quickly and deliberately. 

D'Arcy Gue is Director of Industry Relations for Medsphere Systems Corporation. 
