Data breaches in healthcare have been steadily on the rise; a report from Redspin, Inc., a Carpinteria, Calif.-based provider of IT security assessments, revealed that in 2013, the number of protected health information (PHI) breaches was up 138 percent from 2012, with 199 incidents of breaches of PHI reported to the Department of Health and Human Services (HHS) impacting over 7 million patient records. The report, the fourth annual one from Redspin, found that nearly 30 million Americans have had their health information breached or inadvertently disclosed since 2009.
Breaches are coming from different fronts, varying from outside hackers to internal staff to accidental incidents. But what’s clear is that the industry is being seriously affected by cybercrime. A 2013 white paper from RSA, the security division of the Hopkinton, Mass.-based vendor EMC, concluded that cybercrime in the healthcare industry is still in its relative infancy—and only because the exchange of healthcare information online is also in its relative infancy. “Recent history provides ample evidence to conclude that the increase in healthcare data sharing via electronic health records (EHRs), personal health records, insurance portals, and prescription sites will inspire a commensurate increase in cybercriminal activity targeted at healthcare organizations,” the report’s authors said. Undoubtedly, the increase in breaches at a time when cybercrime is apparently only in its “relative infancy” has to be very worrisome for patient care organizations.
As at all hospitals, email is a primary communication tool for the Dothan-based Southeast Alabama Medical Center (SAMC), a 400-bed community facility serving Southeastern Alabama and portions of the Florida panhandle. And also like other healthcare facilities, Southeast Alabama Medical Center is challenged by a deluge of spam, phishing schemes and adware.
The double use of phishing and malware within the same cyber attack is not uncommon or new. Earlier this year, in Sacramento, Calif., UC Davis Health System notified 1,800 patients of a phishing scam that compromised three physicians’ email accounts. In these attacks, hackers will often send emails or other communications to those inside the IT network in an effort to get victims to download self-executing programs that install malware compromising the entire system.
At SAMC, secure collaboration among the organization, health networks and research institutions, as well as intra-departmental collaboration, is a necessity. But the high-tech environment created to facilitate this collaboration and data exchange is often filled with security challenges. According to Clyde Williams, SAMC’s IT technical manager, many data breaches are tough to anticipate and control. “Most of our users are relatively intelligent, but people are still naïve on the internet and with email, so even our smartest users fall victim to little phishing things,” he says. “People at the department director level might get an email that says it’s coming from a system administrator, so they want to reply to it, or click the link inside of it,” he adds.
Email attachments may carry malware, and phishing scams, in which attackers simulate trusted brands, can gather personal information from unsuspecting users. Williams says SAMC has a layered approach, and before even thinking about cybercrime, you need to think about managing access to inappropriate material or controlling the flow of email into the facilities. “One thing we do with our web content filters, we specifically block all access to uncategorized content. So if someone is on the internet and there’s an obscure site, we pop up a warning message that says, ‘Hey this site is uncategorized, are you sure you want to go there?’” Williams says.
SAMC has also tapped the Gulf Breeze, Fla.-based web security company AppRiver, using its inbound and outbound spam and email filtering technology to block unwanted messages and keep its system free of adware, spyware and viruses. “We’re probably more meticulous than most organizations when it comes to being restrictive,” says Williams. “In fact, you could say that we’re more restrictive than we should be. But we have not had any direct breaches of patient information here, and our layered approach—with AppRiver being one of those layers—definitely contributes to that,” he says.
According to the EMC white paper, intentional incidents are evident from the sheer number of data breaches targeting healthcare organizations as well as the estimated 250,000 to 500,000 medical identity thefts that take place each year. But Williams says that it’s the accidental breaches that he sees most, and that the healthcare industry isn’t yet a main target. “It’s not usually someone reaching in and trying to specifically extract data, but maybe it was a vulnerability that got exploited, and someone stumbled across a hospital and decided to break in and get some of the data out,” he says. Also, there are lost or stolen devices such as laptops, hard drives, and mobile devices with PHI on them, he notes. “But from what I’ve seen, I don’t think the industry is a target yet.”
To this end, more than the health-specific information, patient data is a huge repository of identity information, Williams continues. “You think of banking and you assume they have this robust security built in. In banks, their IT infrastructure is set up to protect all that data. In a hospital, we have massive amounts of unique information about all of our patients. And our first priority is to make sure we can share that appropriately with all the people who need it, be it nurses, doctors, or registration folks. And not just in our facility, but other facilities that also might need all of our radiology images and X-rays,” he says. “Caring for folks is the first priority for [providers], and I understand that. There isn’t as much a focus on security. But there is vulnerability with identity information, because hospitals have so much of it.”
Industry-wide, Williams doesn’t believe that healthcare organizations are focused at the level they need to be when it comes to data security. “There are people in every IT department who are aware there is an issue, but it’s really a matter of how big of an issue it is for them,” he says. Williams references the recent data breach and lawsuit involving the Tennessee-based Community Health Systems, saying that people started asking questions and showing interest at the time of the incident. “But after a few weeks, they will move on. There are too many other things that take priority,” he says.
Williams adds that Health Insurance Portability and Accountability Act (HIPAA) regulations and meaningful use requirements that say you must do regular risk assessments are simply not good enough. “The organizations that suffer breaches are PCI-DSS (payment card industry data security standard)-compliant,” he says. “It’s more than just regulations alone, it’s a mindset. And it will likely take a few more huge breaches for the industry to really get it.”