Healthcare data insecurity: Lack of access controls or tech advances?
When it comes to protecting personal health information, legacy processes are just as vulnerable as legacy operating systems, hardware and software. In other words, the lack of proper access controls for technological advancements in healthcare, leaves private data susceptible to attack.
“Just because our EHR [Electronic Health Record] forces a username and password, doesn’t mean you’re compliant,” said Mac McMillan, chair of the HIMSS Privacy & Security Policy Task Force at the 2016 HIMSS Annual Conference & Exhibition.
At last count, the Anthem breach is estimated to cost $31 billion — a pricey lesson on healthcare security best practices and, specifically, how to control access to sensitive data in organizations. Anthem authorities believe the lack of proper access controls allowed hackers who had gained authorized credentials to breach Anthem’s patient information. The vulnerability was not in the operating system, hardware or software, but in the process of managing proper access controls.
Until healthcare as an industry improves both its legacy technology and adoption of security practices — including data access control — cybercriminals will continue to view healthcare data as a vulnerable target.
Today’s healthcare data security
According to Forrester, “the U.S. healthcare industry is significantly underprepared for an attack on their information databases or even for an accidental data breach.” And according to a report by Raytheon|Websense Security Labs (now Forcepoint), the global healthcare industry is highly vulnerable to cyberattacks compared to other industries.
“Cybercriminals view healthcare organizations as a soft target compared with financial services and retailers because historically, healthcare organizations have invested less in IT, including security technologies and services than other industries, thus making themselves more vulnerable to successful cyberattacks,” says Lynne Dunbrack of IDC Health Insights in this Healthcare IT News article.
Healthcare is responsible for more than 720 data breaches in 2015, with the top seven cyberattacks exposing more than 193 million personal records to fraud and identity theft, according to 10Fold Communications. Of the seven, the healthcare industry holds the top three spots, with the Anthem breach in the lead.
Experts suggest medical information is 10 times more valuable than a credit card number on the black market, according to Reuters. While healthcare organizations are known for low security, they also hold large batches of personal data for profile. “The social security number is the crux there,” said McMillan.
Tomorrow’s healthcare data security
In McMillan’s speaker handout for HIMSS16 session, Compliance does Not Equal Security, “HIPAA was not intended to cover all forms of information or to be a complete standard for data protection. The Security Rule initially conceived in 2001 did not envision cloud computing, the proliferation of mobile devices, bring your own device, networkable medical devices, wearables and many other technology advancements seen since that time.
“Compliance and security are two different paradigms. Certification is not a ‘magic’ pill. Compliance is a ‘floor’ rating, a point in time. Manual processes are too slow. Controls are not enough.”
McMillan urged healthcare organizations to follow the National Institute of Standards and Technology (NIST) Security Framework, which includes to:
- Look at your organization’s current cybersecurity posture.
- Describe your organizations target state for cybersecurity.
- Identify and prioritize areas of improvement.
- Employ a repeatable process for review.
- Continuously assess your cybersecurity posture.
- Communicate cybersecurity risks to both internal and external stakeholders.
“Being compliant does not make you safe, being certified does not mean you are protected, and neither of those things are going to save you from the impact or fall out associated with a breach,” McMillan said. “The things that matter are discipline, vigilance and readiness.”
According to this Healthcare IT News story that explores where healthcare IT security will be in the next three years, hospitals will have to require higher levels of compliance from the parties to which they’re connected, including labs, imaging centers and doctors, including the power to audit IT infrastructure.
“When it comes to healthcare IT, there is the potential for millions of computers to be at risk of cyber-attacks and data loss,” said David Cristal, VP and General Manager, Insight Public Sector. “Healthcare is constantly evolving and our nation’s hospital systems and organizations need the technology to evolve with it to effectively serve their patients and meet compliance regulations.”
While hospitals may not be ready to implement such restrictions with their healthcare partners, on-site safety measures should always be in place. Safeguards that are critical to control access to sensitive data, include granting role-based access to data and applications on a need-to-know basis; controlling physical workstation access and access to clinical applications; and creating comprehensive policies and auditing tools that allow a compliance manager to report on who has access to which systems, applications and patient records as it applies to their role.
Solving healthcare data security
“Addressing the challenges with health information security is a priority for us,” says Scott Jamison, VP of application services at BlueMetal, an Insight company. “Our clients trust us to build custom solutions and processes that protect patient data while providing industry-leading capabilities that improve patient care.”
Take the Forrester security assessment to begin treatment of your healthcare organization’s security. And find answers to your other pressing healthcare security questions and challenges to help you make well-informed decisions about legacy technology and security practices.