A recent report from Redspin, Inc., a Carpinteria, Calif.-based provider of IT security assessments, revealed that in 2013 the number of protected health information (PHI) breaches was up 138 percent from 2012, with 199 breaches of PHI reported to the Department of Health and Human Services (HHS), impacting over 7 million patient records. The report, Redspin's fourth annual one, found that nearly 30 million Americans have had their health information breached or inadvertently disclosed since 2009.
And when a security breach happens, the financial impact on healthcare organizations is often significant. According to The Ponemon Institute’s Fourth Annual Benchmark Study on Patient Privacy & Data Security, the average economic impact of data breaches over the past two years for the healthcare organizations represented in the study was $2 million, although that number is a decrease of almost $400,000, or 17 percent, from the previous year. That same study revealed that 90 percent of respondents had at least one data breach over the past two years, while 38 percent had more than five data breaches in the same period. Undoubtedly, increasing the security of patient records is an issue that can no longer be ignored.
As the rapidly evolving healthcare industry faces increasing challenges to keeping PHI protected, including growing volumes of electronic health records (EHRs), new government regulations, and a more complex IT security landscape, there is a growing need to ensure that knowledgeable and credentialed security and privacy practitioners are in place to protect this sensitive information.
Enter (ISC)2, a provider of security education and credentials to nearly 100,000 security professionals across the globe. (ISC)2 recently launched its first healthcare-specific credential: the HealthCare Information Security and Privacy Practitioner (HCISPP). Given increased regulation of PHI security under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), and widely reported data breaches in hospitals and similar organizations, (ISC)2 officials said they felt the timing was right to bring to market a credential to ensure that healthcare information security professionals have the right skills and education to do their jobs. The HCISPP credential targets a whole new audience: the healthcare community.
Sarah Hendrickson, interim chief security officer at Children’s Medical Center in Dallas, Texas, was one of the (ISC)2 experts asked to define the HealthCare Information Security and Privacy Practitioner exam and write the actual questions candidates will answer. In a recent conversation with Healthcare Informatics Assistant Editor Rajiv Leventhal, Hendrickson spoke further about the significance of this exam as it relates to health IT security, as well as strategies, challenges, and lessons learned from industry leaders when it comes to providing a frontline defense for protecting health information. Below are excerpts from that interview.
How does the HealthCare Information Security and Privacy Practitioner differ from previous security/privacy credentials?
(ISC)2 is looking to make sure to have more than just the security and privacy pieces involved. For example, I can say I work for the security department in my organization, but that might mean only doing one thing a day under the security umbrella. So I think this certification really is helpful because it’s looking across all these different domains, making sure you have healthcare, security, privacy, and IT backgrounds before you even sit down for the exam. It identifies the niche of the candidate for the healthcare environment rather than just being another generalized exam that you can leverage across any industry.
For this exam, they’re looking at a broad audience of just about anyone who needs to have security and privacy in the healthcare industry for their job, including compliance officers, auditors, and privacy officers—it covers the gamut of anything that could be security and privacy, but is also specific to the healthcare industry. The exam is already live, and people are taking it, so it’s generating interest. When I look for candidates for healthcare roles, I want to make sure they understand the nuances around the data we’re trying to protect. To see a certification like this come forward is great. I see this becoming the standard for healthcare credentialing.
Across the industry, has protecting data become more of a priority now in healthcare organizations?
Definitely. Looking back through the years, we had HIPAA come about in the late 1990s, and it was pretty silent until HITECH introduced safe-harbor provisions. Then, in the past five years, there has been much more clarity and legislation, whereas prior to that it was about industry best practices rather than a blueprint on how to maintain and achieve that compliance.
And for C-level executives, they are seeing all of these breaches; there is a “wall of shame” on HHS’ website for breaches affecting 500 or more people. We’re seeing the same things happen, such as unencrypted laptops, and it’s really surprising to me that these same attacks are recurring. With all of these big breaches we are seeing, the entities are made aware there was an issue, either by a third party or internally, and they just might not have addressed it in the manner they needed to. That’s looking in hindsight, but as we see more come up, people are starting to realize the impact. So you need to invest in the process, tools, and solutions rather than in the back end, in the ongoing remediation that happens when you have a breach.
Why are these breaches so difficult to stop?
Each organization needs to understand the risks and do their due diligence. Technology solutions are out there, so will they embrace them, assume that risk, and do what they need to do to keep their data’s integrity? That’s their call, and we are seeing more of that recently with the influx in breaches.
What is your organization’s strategy to keep your data’s integrity?
We have a variety of tool sets and right now we’re looking at improving tool optimization, meaning making sure that we know what any noise that we have identified is, making sure we’re not ignoring anything that might be an indicator, and really just trying to shift from a reactive culture to a proactive one.
There are technical things you can do to look at your traffic in a proactive manner. Personally, for me, part of it is the basic level of education for your employees. A lot of times, companies often have annual training or new hire training, and that’s it. We have social media [initiatives], discuss emerging threats, and continually educate our staff how it could impact them on a daily basis. Continual education at a basic level is crucial—you need to keep everyone aware, all the way up to the C-levels.
Are attacks coming from unexpected places?
One area that I think is most neglected is the guest wireless network, which is popular among many organizations. But because it is a guest network, many people feel as if they don’t have to monitor the activity that’s going on or need to do anything because it’s segregated at some level. Companies need to really focus on what’s going on there, though.
As far as threats to an entity’s infrastructure, you need to pay attention to your logs. Uncomfortable situations occur when you are unaware of the traffic in your environment and a third party, be it the Secret Service or whoever else, comes in and lets you know what’s going on in your own organization. And if you don’t know what’s going on, what are the odds you’d have logs retained and the knowledge of the situation at hand? It really comes down to the type of company you are and the capabilities you have in house.
What are some lessons healthcare organizations are learning from the high number of recent breaches?
The more we see reported, the more it’s impacting more people every day. And the high number is also making it easier to provide that basic level of education that is so important. The healthcare industry is starting to wake up to that. With more requirements coming forward and regulatory changes to boot, people are starting to realize that they have to go the extra mile and make sure they are covered in several different areas.