Healthcare is facing a bombardment of challenges when it comes to the privacy and security of patient data. Viruses, hackers and other new threats continue to emerge even as more data become available, thereby increasing vulnerabilities.
A report from consulting and outsourcing firm CSC found that 69 percent of healthcare chief information officers report “elevated IT security/cybersecurity expectations” as the most significant development in their IT departments.
Those expanded expectations come with a high price tag so many providers are focused on managing the effort and expense, according to the report. When asked about “management of expanding IT security/cybersecurity,” 43 percent reported it as “very important,” and respondents ranked “more effective management of IT security/cybersecurity” as a “very high priority,” at 36 percent.
Many look to innovation to address efficiency challenges but that too can introduce security issues. When asked about the main issues limiting the IT department’s leadership in terms of innovation, 44 percent cited “budget constraints (48 percent)” and “concerns in effectively managing IT security/cybersecurity risks” (44 percent).
“The innovative technologies the healthcare industry wants to use and explore create additional security challenges,” says Richard Staynings, CSC global coordinator. “For example, to improve a population’s overall health requires huge systems and massive amounts of data, which in turn, creates more security issues.”
Adopting new technologies and the applications to support them also can present risk. “The majority of healthcare applications are ancient by today’s standards and have been running in a traditional client/server environment for a long time,” Staynings says. “Employees expect to access them from smartphones and other personal devices. At the same time, increasing numbers of other clinical applications need to access these old iron systems and their data for the meaningful exchange of information. However, they weren’t built to do that securely.”
On the federal level
Healthcare providers also must ensure that privacy and security policies meet the continuously changing expectations of the federal government. The Office for Civil Rights conducted an audit pilot program of sorts but has yet to reveal its ongoing strategy on this front.
A hint of the agency’s plans came when OCR published an information collection request for HIPAA covered entities and business associates (BAs) in the Federal Register late in February. The survey will help the agency finalize its audit plans by getting a better idea of organizations’ readiness for the OCR HIPAA Audit Program.
A review of security breaches that took place between September 2012 and October 2013 at healthcare institutions revealed 49,917 malicious events and 723 malicious source IP addresses at 375 organizations. Devices most likely to be affected by cyberattacks include call contact software; digital video systems; edge devices like firewalls and routers; radiology imaging software; and videoconferencing systems.
Source: Health Care Cyberthreat Report, SANS Institute, February 2014
According to OCR, the survey also will allow it to “assess the size, complexity and fitness of a respondent for an audit.” Specifically, OCR will seek recent data from organizations regarding the number of patient visits or insured lives, use of electronic information, revenue and business locations to determine which entities are suitable for audits.
Meanwhile, Commerce Department’s National Institute of Standards and Technology released a cybersecurity framework in February designed to help organizations protect their data assets from the increasing number of cyber attacks.
The framework is the response to a February 2013 executive order issued by President Obama that called for the development of a voluntary, risk-based cybersecurity framework—a set of existing standards, guidelines and practices to help organizations manage cyber risks. The framework provides a common language to address and manage cyber risk in a cost-effective way, without placing additional regulatory requirements on businesses.
The three main elements described in the document are the framework core, tiers and profiles. The core presents five functions—identify, protect, detect, respond and recover—that when taken together allow groups to understand and shape a cybersecurity program. The tiers describe the degree to which an organization’s cybersecurity risk management meets goals set out in the framework and “range from informal, reactive responses to agile and risk-informed.” The profiles help organizations progress from a current level of cybersecurity sophistication to a target improved state that meets business needs.
Along with the new threats come new tools to manage privacy and security. West Virginia University Hospitals has been using electronic tools since the 1990s, says Mark Combs, director of information systems. “Even back then we knew we needed to do some level of audits.”
When the first privacy laws came into effect, “we tried to do auditing as best as we could but we realized we were only hitting a small percentage. We were getting less than one-tenth of our visits and employees and the paper-based process was extremely time-consuming.”
With more than one application producing and containing protected health information, the system wanted a tool that would pull all the information together and generate reports. They found a tool that pulls the audit logs from up to 10 applications. An audit team of three runs regular reports and directs anything flagged to managers for preliminary investigation.
The process serves as a good deterrent, Combs says. Before going to a commercial EHR, the system used homegrown apps that consolidated mainframe information into a web-readable format. “That allowed people to use their sign in to get in and look at their record in a read-only format.
“Once we moved, we changed our policy. People still wanted to login and look at their own record,” he says. But, to protect the integrity of the record, the system decided to discontinue that access. Through reports, updated policies, education and training, employees now know they can’t look at their own records—or any other record that is not part of their job. “We took a nonpunitive approach at first, but now there is very little excuse” for inappropriate access.
Going forward, Combs says he plans to grow the process and build it into his organization’s app procurement process. That includes considering the cost when buying applications of linking the auditing feed into the third-party auditing tool.
There’s a lot healthcare organizations can do to prepare for emerging threats, says Tatiana Melnik, principal of Melnik Legal, who spoke at the Health Information & Management Systems Society’s annual conference. “Take stock,” she recommends. “Know what personal information you have in your files.”
Most providers can scale down, she says. “Keep only what you need for your business. Develop a written records retention policy and truncate the account information on electronically printed credit and debit card receipts.”
Information kept must be protected. Consider the myriad ways information can become vulnerable, such as through employees and contractors, electronic issues and physical insufficiencies. Make sure effective, regular employee training is part of your policies and procedures, she says.
“Properly dispose of what you no longer need,” Melnik says. Use wipe utility programs on old computers and be sure to apply the same process to hardware used by remote employees.
Melnik also recommends that providers choose their vendors carefully and then tailor business associate agreements to the situation. “The standard agreement may give too much leeway to the business associate.”
Because breaches happen to every organization, Melnik recommends buying insurance. In 2012, the cost of remediation for a breach was an average of $188 per record. That translates to $94,000 for a 500-patient breach.
The healthcare privacy and security landscape is sure to keep changing, due to threats, vulnerabilities and potential solutions.