The inability of retail giants like Target and Neiman Marcus to protect customer data from an alleged foreign hacker got national attention recently. But when a large healthcare system experiences a security breach that puts the protected health information (PHI) of thousands of patients at risk, it is often the case that few outside of the industry ever hear about it.
While healthcare IT security breaches have been increasing over the past few years, they are being detected much more quickly.
Mac McMillan, co-founder and CEO of Austin, Texas-based consulting firm CynergisTek Inc. and co-chair of the HIMSS Privacy & Security Policy Task Force, sponsored by the Chicago-based Health Information & Management Systems Society, says a growing awareness within healthcare organizations and higher levels of security put in place between 2000 and 2014 have helped reduce the number of major breaches.
Although a number of the breaches now being reported are the result of lost or stolen mobile devices like laptops, tablets or smartphones, targeted attacks are on the rise. “There’s an increase in the use of malware looking for specific types of systems,” McMillan says.
Unfortunately, the adoption of newer technologies is putting more data at risk, he notes. “Healthcare has more information digitized now. Over 90 percent of patient information is in digital form.” That includes medical ID numbers, addresses, and medical history. “Patient information is more valuable now than credit card information,” he says. “If someone steals your medical identity, you can’t cancel your medical history.”
Typically, this type of identity theft is used to set up false claims so that the person can receive expensive medical care while the victim’s insurance company pays for it.
Leon Hoover, CIO of Hendry Regional Medical Center in Clewiston, Fla., points out that whatever care the thief received is also entered into the victim’s health record, which could result in non-payment by the insurance company if the identity theft victim ever had to undergo the same procedure.
Aside from the ease with which digital data can be compromised, there are the emerging trends in managing and delivering IT services, McMillan says. These include cloud services, mobile apps, social media, texting and the use of third-party service providers.
Nader Mherabi, senior vice president, vice dean and CIO of NYU Langone Medical Center in New York, agrees. “As healthcare services move online and patients become more directly engaged in their care processes, security and safety issues loom ever larger. At the same time, the proliferation among our faculty, staff and students of sophisticated devices such as smartphones and laptops, and the necessarily collaborative practices of our research and educational missions pose additional challenges.”
Mike Fleck, CEO of CipherPoint Software, Inc., Denver, notes, “There is pressure to make more information available to patients. But anytime you have a new way of doing business, you’re going to increase the risk of exposure.”
There may also be a generation gap that can put personal data at risk, says McMillan. The younger generation, which uses social media outlets like Facebook and Twitter, tends to view privacy differently than the older generations that fashioned the current privacy laws. “Because they share everything about themselves and share information liberally with others, they don’t perceive a personal ownership of information,” he says.
Cottage Health System in Santa Barbara, Calif. reported in early December that a third-party vendor appeared to have removed electronic security protections from one of its servers without informing Cottage, resulting in the exposure of patient information stored on a server. The information that may have been compromised involved patients treated at Goleta Valley Cottage Hospital, Santa Ynez Valley Cottage Hospital, and Santa Barbara Cottage Hospital, between September 29, 2009 and December 2, 2013.
While no one from Cottage Health agreed to be interviewed for this article, a press release dated December 11 says the file contained information on approximately 32,500 patients including “the name, address, date of birth, and very limited protected health information for some patients related to diagnosis, lab results, and procedures performed. The file did not include any Social Security numbers, driver’s license numbers, health insurance numbers, bank account numbers or any other financial information.” Cottage Health removed the server from service; conducted a review of all other servers; began an audit of its security protocols; and mailed letters to each of the affected patients.
Steve Fellows, executive vice president, COO and chief compliance officer at Cottage Health, states in the press release, “We deeply regret this incident. Cottage takes its obligation to protect health information very seriously and is taking aggressive steps to safeguard against this type of incident in the future.”
Another recent breach occurred at AHMC Healthcare Inc., a six-hospital system in Alhambra, Calif. In this case, two laptops were stolen from a secure office on October 12, 2013. The laptops contained information on approximately 729,000 patients—one of the largest HIPAA privacy breaches on record.
Again, officials at AHMC declined to be interviewed. But a press release dated October 21 says the laptops contained data on patients treated at Garfield Medical Center, Monterey Park Hospital, Greater El Monte Community Hospital, Whittier Hospital Medical Center, San Gabriel Valley Medical Center and Anaheim Regional Medical Center.
The press release also states: “The protected health information contained in the laptops includes patient names, Medicare/insurance identification numbers, diagnosis/procedure codes, and insurance/patient payments.
“At this time, AHMC Healthcare Inc. has no evidence that the information has been accessed or used in any manner, but because this cannot be ruled out, this notice is being provided out of an abundance of caution and in order to comply with the legal obligations of the hospitals.”
It further states: “AHMC Healthcare Inc. had recently engaged a third-party auditing company to perform a security risk assessment and is working through its recommendations, and in that connection will be expediting a policy of encrypting all laptops.”
A major breach has also been reported by UW Medicine in Seattle, Wash. Although officials declined to be interviewed, a press release dated November 27, 2013 explains how the breach occurred. “In early October 2013, a UW Medicine employee opened an email attachment that contained malicious software (malware). The malware took control of the computer, which had patient data stored on it. UW Medicine staff discovered this incident the following day and immediately took measures to prevent any further malicious activity.
“Based on the results of an internal investigation, it is believed that patient information was not sought or targeted. However, the malware accessed the data files of roughly 90,000 Harborview Medical Center and University of Washington Medical Center patients.”
The press release further states: “Data about patients may have included: name, medical record number, other demographics (which may include address, phone number), dates of service, charge amounts for services received at UW Medicine, Social Security Number or HIC (Medicare) number, date of birth.”
PREVENTING A BREACH
Although McMillan doesn’t believe patient information belongs on a personal mobile device, he says the growing use of these devices and the use of texting as a primary means of communication demands that efficiency be balanced with protection. “We need to work with the workforce to make it easier to do their job but to secure their texts,” he says. “The simplest way is to encrypt it.”
The same is true for email. “The average email encryption solution costs less than $100,000,” he says. “Everything costs money, but if you look at overall costs, a breach can cost a lot more than the protection.”
Ed Ricks, vice president of information services and CIO of Beaufort Memorial Hospital in Beaufort, S.C., admits that a majority of his hospital’s physicians use their mobile devices for texting, but he says, “We now have an app to encrypt their text messages, which is HIPAA compliant.” Protecting email is a little different. “We do have an encrypted email system. Internal email is on our secure network, but those going offsite are not always encrypted,” Ricks says.
While Fleck views encryption as one security solution, he says there also needs to be controls in place to follow the data. “It’s trying to control the use of information by a certain number of users, but if you can’t actually follow the data, you can at least know where the information goes,” he says.
Hoover agrees. “A lot of people focus on what’s coming into the network, not what’s going out,” he says. He adds that to ensure true data security, you have to address data at rest, data in use and data in motion.
In some cases, though, information that needs to be shared among many entities creates what Fleck calls a “cultural” challenge. “Many big hospitals are linked with educational systems, and some research is linked to the National Institutes of Health,” he says. “Folks aren’t trying to change that culture, but to put controls on that culture—to be aware of what is going on with all that information.”
That hasn’t been a problem for NYU Langone, which, according to Mherabi, has instituted strict policies concerning the storage and transmittal of data. “The NYU Langone Medical Center employs various technologies to secure information at rest and in transit on its network, including firewalls to control inbound malware, digital loss-prevention systems to control outbound PHI (protected health information) and other sensitive data, and encryption to protect sensitive messages and data residing on portable devices such as laptops, phones (including end user-owned devices) and USB drives,” he says. “We continually review our technology posture and policies to meet and minimize threats to the Medical Center’s environment and data. It is NYU Langone policy that storing PHI on any unencrypted mobile device is unacceptable.
“Because we are committed to protecting the privacy and security of our patients’ medical information and other sensitive information, we have taken affirmative steps, including moving protected health information from desktop computers to secure network drives and retraining staff regarding proper safeguarding of private patient information.”
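Hoover’s point about watching what leaves the network, and the outbound data-loss-prevention control Mherabi describes, both come down to the same mechanism: inspect each outbound message for PHI identifiers and flag the ones that leave in the clear or go to an unvetted recipient. The script below is an added example written for this article, not code from NYU Langone, Hendry Regional or any vendor named here. The log format, the field names, the sample log lines, the internal domain and the allow-list of partner domains are all constructed assumptions, and the identifier patterns (SSN, the legacy nine-digit-plus-letter Medicare HIC number, and a six- to ten-digit “MRN”) are assumed formats that a real deployment would tune to its own record systems.

```python
"""Outbound PHI detector run over constructed mail-gateway log lines.

Added example, not code from any organization named in the article.
Log format, domains, identifier formats and sample data are assumptions.
"""
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "hospital.example"          # assumed
ALLOWED_EXTERNAL_DOMAINS = {"payer.example"}  # assumed BAA-covered partners

# Identifier patterns (assumed formats):
#   ssn: 3-2-4 digits, excluding the area/group/serial values the SSA never issues
#   hic: legacy Medicare Health Insurance Claim number, nine digits plus a letter
#        beneficiary code (and optional second character)
#   mrn: this hospital's medical record numbers, assumed 6-10 digits labelled MRN
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "hic": re.compile(r"\b\d{9}[A-Z][A-Z0-9]?\b"),
    "mrn": re.compile(r"\bMRN\s*\d{6,10}\b", re.IGNORECASE),
}

# Constructed sample log: direction|sender|recipient|tls flag|subject|body.
# 078-05-1120 is an SSN the SSA has publicly invalidated, used here as test data.
SAMPLE_LOG = """\
OUT|dr.smith@hospital.example|billing@payer.example|tls=yes|Claim|MRN 00482771 DOB 1954-03-09 HIC 123456789A
OUT|nurse.jones@hospital.example|friend@webmail.example|tls=no|Quick q|patient SSN 078-05-1120 needs follow-up
IN|vendor@vendor.example|it@hospital.example|tls=yes|Invoice|po 99817
OUT|hr@hospital.example|staff@hospital.example|tls=no|Lunch|cafeteria menu attached
OUT|lab@hospital.example|contractor@gmail.example|tls=yes|results|MRN 00123456 glucose 98
"""


@dataclass
class Finding:
    line_no: int
    sender: str
    recipient: str
    encrypted: bool
    identifiers: list
    severity: str


def parse_line(line):
    """Split one log record; returns (direction, sender, recipient, encrypted, text)."""
    direction, sender, recipient, tls, subject, body = line.split("|", 5)
    return direction, sender, recipient, tls == "tls=yes", subject + " " + body


def scan(log_text):
    """Return a Finding for every outbound message that carries PHI identifiers
    to an external recipient without transport encryption (high) or to an
    external domain that is not on the partner allow-list (medium)."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        direction, sender, recipient, encrypted, text = parse_line(line)
        if direction != "OUT":
            continue  # only egress matters for this control
        identifiers = sorted(k for k, p in PATTERNS.items() if p.search(text))
        if not identifiers:
            continue
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain == INTERNAL_DOMAIN:
            continue  # stays inside the network
        if not encrypted:
            severity = "high"    # PHI leaving in the clear
        elif domain not in ALLOWED_EXTERNAL_DOMAINS:
            severity = "medium"  # encrypted in transit, but recipient is unvetted
        else:
            continue             # encrypted to a covered partner: permitted
        findings.append(Finding(n, sender, recipient, encrypted, identifiers, severity))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.severity.upper()} {f.sender} -> {f.recipient} "
              f"({', '.join(f.identifiers)}; tls={'yes' if f.encrypted else 'no'})")
```

Run against the constructed log, the claim to the covered payer over TLS is permitted, the unencrypted note carrying an SSN to a webmail address is flagged high, and the encrypted lab result sent to an unlisted contractor domain is flagged medium. The same three-way decision (identifier present, transport encrypted, recipient vetted) is what a commercial DLP gateway applies; the regexes and allow-list are where real deployments spend their tuning effort, since over-broad patterns generate noise and under-broad ones miss the very leaks the control exists to catch.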
As for offering advice to CIOs concerned about data breaches, Ricks says, “The best thing is to be open to visibility. Understand your vulnerabilities and understand where your risks are.”
Adds Hoover: “It’s all about discovery and prevention. It’s about watching that data in motion and knowing who is accessing that data.”
Fleck says he’s pleased to see the efforts being made to protect patient information, but he says more needs to be done. “If this is not a top priority, it should be.” He also says that most CIOs now have an actionable strategy to prevent breaches. “Some look at it in terms of building blocks—devices, networks, applications. Encrypt your devices, encrypt your networks and secure information in applications,” he urges.