There’s a storm brewing in the healthcare security and privacy arena that will stretch the resources of even the most nimble healthcare provider organizations, as they face challenges on multiple fronts. On the policy side, providers will face steeper fines for breaches, backed up with tighter enforcement. Meanwhile, rapidly evolving medical devices, coupled with the emergence of mobile devices in the workplace, are requiring that providers reevaluate their security policies. At the same time, new care delivery and communication models, such as accountable care organizations (ACOs) and health information exchanges (HIEs), are remaking the healthcare delivery landscape—and the security and privacy policies that go with it.
As if this was not enough, these developments have been taking place at a time when data breaches at healthcare provider organizations are on the rise. In 2013, medical identity theft was up 20 percent compared to the year before, according to a report released last September by the Traverse City, Mich.-based Ponemon Institute. Malicious attacks have increased in number as well as the level of sophistication, say experts.
Meeting security challenges and protecting patient data will require extra vigilance, as well as rethinking how technology and policy decisions can help minimize those risks, according to security professionals interviewed.
Compliance Issues Come To The Fore
Compliance in general is going to be a big issue across the board for all CIOs, according to Micky Tripathi, founding president and CEO of the Massachusetts eHealth Collaborative (MAeHC), Waltham, Mass., who has also been named co-chair of the Office of the National Coordinator Tiger Team, a workgroup on privacy and security issues. He notes that the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule has raised the penalties for breaches significantly—to as much as $1.5 million per incident.
Tripathi expects to see more compliance audits from the Department of Health and Human Services’ Office of Civil Rights (OCR). “Starting with the passage of HIPAA Omnibus, they have upped their diligence around these audits, because they realize that with these electronic systems, there is a different type of exposure they need to be on top of; and as these rules are getting more stringent, they need to do more audits,” he says.
Mac McMillan, co-chair of the HIMSS Privacy and Security Policy Task Force and CEO of Austin, Texas-based CynergisTek, Inc., agrees, noting that the heightened HIPAA requirements have strengthened the bond between covered entities and their business associates. Formally, business associate agreements are required; but informally, the risk is much higher, because if business associates have a breach, they are going to be investigated, he says. If a provider’s vendor experiences a breach, the covered entity must make all of the notifications to the affected parties and media; and when a vendor is investigated, the OCR is going to want to know how the relationship is defined and managed by the covered entity. The upshot: “You can’t just give the vendor a business associate agreement and say, ‘I’m done.’ You have to have more visibility into what they are doing and whether they can meet their obligations,” he says.
In addition to all of this, the rapidly increasing level of consolidation and affiliations taking place in healthcare today, as the result of trends such as accountable care and HIE, is putting extra security demands on organizations. This has raised significant technology challenges, according to Tripathi. In some cases, hospital systems try to wipe the slate clean of disparate systems and put everyone on the same network with a single set of technology controls around security and uniform policies around them, he says. Most often, the result of such efforts is a hodgepodge of different acquired platforms, raising the challenge of enforcing uniform security across disparate systems.
In fact, consolidation and acquisitions raise a host of issues around the need to control access to patient records for physicians from affiliated organizations—a challenge that becomes especially acute in the ambulatory world, with organizations that are setting up private HIEs. “Ambulatory tends to be a whole different world,” Tripathi says. “How do you bring all of those users under the same security and policy umbrella, where they have a different system and they have been operating under less formal policies? Now they are part of a bigger enterprise, and you have to extend your policies out to make sure the diligence is applied to the smaller practices under your umbrella.”
Tripathi offers this advice to organizations: first, consider the nature of the affiliations involved, and the nature of the information that is going to be exchanged to support the clinical and business models that are being put in place. If the nature of the relationship is limited—such as jointly sharing some specialists who will work part time at each hospital—it may be possible to enable technology to support only that limited type of integration, which will limit the risk of the organizations involved, he says. Second, take a look at the orchestration of technology and policy controls. In some cases, technology can implement the policy—for example, allowing physicians to see only the patients with whom they have a care relationship, by locking down areas of the electronic health record. Policy controls should be strengthened where technology can’t be used as an enforcement mechanism, he says.
Keeping Technology Current
McMillan observes that technology is an essential tool against security threats, but can also be a significant vulnerability if it is not kept current. As a tool, encryption will be one of the top security issues for the foreseeable future. “We are still losing devices that are not encrypted,” he says.
Within the enterprise, healthcare provider organizations need to do a better job of privacy monitoring—“paying attention to what people are doing in our system. We still have way too many incidents occurring where authorized users are looking at things they are not supposed to, or getting involved with medical identity theft with the access they have,” he says. Fortunately, data-loss prevention (DLP) technology has proven effective in helping CIOs enforce their security policies and avoid breaches before they happen. “We are just beginning to see DLP become recognized for the benefit it provides to healthcare in avoiding a lot of these things,” he says.
Yet McMillan sounds the alarm on end-of-life or obsolete operating systems—particularly Microsoft’s announcement that it will cease to support the XP operating system in April. He points to factors that make this a bigger issue than normal. One is that there is increasing evidence of malware, both in terms of the frequency of directed attacks as well as more malicious and sophisticated forms of those attacks. At the same time, anti-virus solutions that organizations have relied on to protect themselves from malware are only about 60-percent effective. “That means that 40 percent of the stuff they don’t even see anymore; so the more systems you have in your environment that are not up to date, the higher the risk,” he says.
This is happening as the normal refresh rate of operating systems is compressing, from the once-typical three-year refresh cycle to 18 to 24 months. “Everything is happening so much faster, so end-of-life is happening so much faster,” he says. “The issue of end-of-life systems and the way we protect against malware today is a big issue that hospitals are going to have to start thinking about differently in order to address effectively.”
George Bailey is senior advisor of security at Purdue Healthcare Advisors, a not-for-profit organization in West Lafayette, Ind. Among his clients, many small- and medium-sized provider organizations have opted to stay with Windows XP well after the April cut-off date, he says, adding that some use specialized applications that are vendor-bound to XP.
He acknowledges that traditional security vendors will continue to support XP, so organizations that have a management system for their XP systems are in a better position; and they can further protect themselves by isolating those systems where possible. On the other hand, he says, that fix doesn’t address the related issue of browsers such as Internet Explorer, which someday will also face end-of-life. He points out that Explorer is the primary browser for many Web-based clinical applications, so those machines will be inherently susceptible to compromise.
He recommends that organizations that have the ability to move away from XP should do so, and those that don’t should restrict devices running XP, either with content filtering, by putting them on a segmented guest wireless network, or by prohibiting Internet connectivity.
Bailey also cautions that medical devices, which are increasingly networked, often run on embedded Microsoft Windows or Linux operating systems, and can’t be updated very easily. Those devices aren’t maintainable within the same ecosystem as desktops and laptops, so they aren’t running malware protection and generally don’t have security controls enabled on them, he says.
Yet even those medical devices run within the hospital clinical electronic network, so they have some level of protection. Another potential red flag is the “bring-your-own-device” trend, in which personal smartphones are making their way into the clinical environment. That can be a point of vulnerability in hospitals that haven’t fully segmented their BYOD and guest wireless networks, he cautions.