At the iHT2 Miami Health IT Summit, expert panelists discussed the best ways to protect patient data, agreeing that the vulnerability of the healthcare industry and the value of medical data makes the sector ripe for attack.
On Feb. 10, at the Health IT Summit at the Ritz-Carlton Coconut Grove in Miami, Fla., sponsored by the Institute for Health Technology Transformation (iHT2—a sister organization of Healthcare Informatics under our corporate parent organization, the Vendome Group LLC), panelists discussed data security as part of a session titled "IT Risk & Compliance: Securing ePHI." On the panel were: moderator John Christly, CISO/HIPAA security officer, Nova Southeastern University; Tim Ramsay, associate vice president and CISO, HIPAA security officer, IT, University of Miami; Marlon R. Clarke, Ph.D., director of network operations and services and adjunct faculty, Graduate School of Computer and Information Sciences, Nova Southeastern University; Leon Hoover, CIO, Hendry Regional Medical Center; and David Finn, health IT officer, Symantec. Below are excerpts of that panel discussion.
How does the risk of an attack in the healthcare sector compare to other industries?
David Finn: I'm tired of seeing the 'wake-up call' headlines every time we have a major breach. We continue to see it, yet most of the industry seems to be sound asleep. CFOs and CIOs need to understand this fact: this is an industry problem, a business problem. Healthcare is a target, the FBI has said that repeatedly to us. The new business model is about sharing data that is more secure than ever before. Talk about mixed signals! A credit card record might be worth a dollar or two on the black market, but a patient data record is worth $40 to $80 perhaps.
Marlon Clarke: It comes down to value. Data from a medical facility can be used to do phony medical care in addition to the financial stuff, so the value is just so high. It was reported a medical record was sold on auction for $251. Financial data and medical data are not comparable anymore. It's a no-brainer.
What are the main threats in 2015 and beyond?
Tim Ramsay: Look at the automobile industry; it was the race cars that developed brakes, as they let you go even faster in and out of turns. When we are deploying telehealth, moving out to the patient community and sharing data, it's about going safely under control. The only thing worse than making a billion dollars is spending two billion on fines. You see what Capital One and Bank of America are doing, monitoring potentially fraudulent charges, saying "this person has never signed on at 2 a.m. to make a transaction." Charge denied! That is the level of granularity we need. It's about visibility first of all, and then the approach.
Finn: Everyone has their top 10 or 15 things that you need to do as we enter a new year, but at the end of the day, security is a people issue. We have to make it a business problem—businesses need to recognize the tools, and be trained too. A fool with a tool is still a fool. They are guardrails; they are there to help. If we're not turning data into information that is actionable, all we're doing is helping the hardware vendors that sell storage. Educate those who are using the tools about how to use them properly.
Leon Hoover: People are the biggest risk. Also, you have to ask, how do you validate that the person sitting in front of you really is that person?
Clarke: Look at Target. One of the trends is that there are more connected devices than ever before. It has expanded significantly. Security-wise, we see that as the threat increasing. Target was compromised by a third-party system. If an attacker is able to compromise a system that takes the vitals of a patient, that increases the threat. We need to develop strategies to better manage the influx of connected devices. Will we ever get our hands around it? It's going to be a challenge.
So it's not the Russian and Chinese hackers?
Ramsay: (Shakes head.) Academic medical centers are generally wide-open environments, so it's that insider threat, knowing you're at risk; someone who has been taken advantage of and compromised. Our own freedom is being used against us.
Clarke: There is a term "advanced threats." One of the main stages in the attack is a phishing email, and the objective of that is to deploy malware on a computer within the environment. Once the person trusts that link and clicks on it, the entire environment within your organization is now at risk. Yes, the original person might be someone external, but without the person who clicked it and started that chain reaction, the issue would not be happening. Inside employees play a major role.
Is it any different if you're planning for risk in the cloud?
Finn: The due diligence you would do for an electronic medical record (EMR) shouldn't change for the cloud. The cloud isn't something to inherently fear, but you do have to address security up front. Understanding your data shouldn't change anything, and in some ways it should make your life easier. The cloud is unforgiving, though: if you make a mistake, it's gone.
Clarke: Addressing all of these concerns up front is the key. It is difficult to go back afterwards. You need to ensure it's all incorporated into whatever agreement you sign with your cloud provider.
So what are the best practices for being compliant?