Another day, another HIPAA breach at a healthcare organization. Unfortunately, from a data security standpoint, that could be a headline for the health IT industry these days, which has become a sitting target for data breaches, many of which involve patients’ protected health information (PHI).
Here at Healthcare Informatics, we report on the big industry breaches, though it would be impossible to cover even all of those. But just in recent weeks, we have written about HIPAA settlements from two security breaches in Arkansas and Missouri; an incident when a Tennessee healthcare employee gave patients’ PHI to a competing provider; a fraudulent tax return scheme at the well-respected University of Pittsburgh Medical Center (UPMC); and a Los Angeles County data breach that astonishingly may have involved more than 300,000 patients.
What’s more, a recent report from Redspin, Inc., a Carpinteria, Calif.-based provider of IT security assessments, revealed that in 2013, the number of PHI breaches was up 138 percent from 2012, with 199 incidents of breaches of PHI reported to the Department of Health and Human Services (HHS) impacting over 7 million patient records. The report, the fourth annual one from Redspin, found that nearly 30 million Americans have had their health information breached or inadvertently disclosed since 2009. Heck, HHS has a “wall of shame” on its website for breaches affecting 500 or more people. The secret is out: Houston, we have a problem.
One of the most unfortunate parts about all of these infringements is that all across the country it’s often the same type of crime that is being committed. Far too frequently in healthcare organizations, we will see data out, laptops left open, and medical equipment that stores patient data being left around. These are the key problems, and it’s seen more in healthcare than in any other industry, said Jason Polancich, a 20-year veteran of the U.S. intelligence community and co-founder of HackSurfer, a Maryland-based cybersecurity firm, in a December interview with me.
Regardless of the attack method, though, the value for the criminals all lies in the data. Says Polancich: “What can they get access to and what can they sell? So primarily what we see are network intrusions, or employees being paid to provide access to networks and systems. Employees are helping the bad guys for profit, and we’re seeing more of that this year. Either employees are stealing the data, such as pharmaceutical and prescription data, and selling it, or they’re selling identities so these crime drug rings can use them to go out and falsify other information.”
There are many different ways healthcare organizations respond to data breaches, ranging from damage control teams to deeper investigations that may involve federal authorities, but it is becoming clear that reactive methods are not good enough anymore—organizations must be proactive and preventative, or the attacks will not cease.
To start, an organization’s preventative method should center on education. Regular education seminars, materials, and required training classes on protecting data are the norm in other industries, so there’s no reason why they can’t be in healthcare, too. Often, companies have annual training or new hire training, and that’s it. But with the influx of security breaches, there is really no excuse for that anymore—continual education for those who need to be in the know should be a requirement at this point.
Additionally, performing a PHI risk assessment needs to be more of a priority for organizations. Facilities should perform a PHI risk assessment to inventory any healthcare information that is personally identifiable. Organizations must understand where their sensitive data resides, including at every stage of the information workflow (a study by Ponemon Institute found that 49 percent of respondents do nothing to protect mobile devices), and then the information should be classified to determine the level of protection each piece requires.
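To make the inventory-and-classify step concrete, here is an added example (not from the article, Redspin, or Ponemon) of a minimal PHI inventory pass: it scans a handful of constructed text records, counts common PHI identifiers in each, notes which workflow stage the record sits in, and assigns a protection tier. The identifier patterns, the three-tier scheme, the rule that PHI on a mobile device or in transit is bumped to the top tier, and all sample records are assumptions made for illustration, not a HIPAA reference.

```python
"""Added example: a minimal PHI data-inventory pass for a risk assessment.

All patterns, tier rules and sample records below are constructed for
illustration; a real assessment would use the organization's own data
sources and identifier definitions.
"""
import re
from dataclasses import dataclass, field

# Illustrative PHI identifier patterns (constructed, not exhaustive).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}

# Direct identifiers that by themselves put a record in the top tier (assumption).
DIRECT_IDENTIFIERS = {"ssn", "mrn"}
TIERS = ("public", "confidential", "restricted")  # lowest to highest


@dataclass
class InventoryEntry:
    location: str              # file path or system name
    stage: str                 # workflow stage: collection, storage, transmission, mobile
    identifiers: dict = field(default_factory=dict)  # identifier name -> count
    tier: str = "public"


def scan_text(text):
    """Return a dict of identifier name -> number of matches found in text."""
    found = {}
    for name, pattern in PHI_PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            found[name] = count
    return found


def assign_tier(identifiers, stage):
    """Tiering rule (constructed): no PHI -> public; direct identifiers ->
    restricted; other PHI -> confidential, raised to restricted when the data
    sits on a mobile device or is in transit (the stages least controlled)."""
    if not identifiers:
        return "public"
    tier = "restricted" if identifiers.keys() & DIRECT_IDENTIFIERS else "confidential"
    if stage in ("mobile", "transmission"):
        tier = "restricted"
    return tier


def build_inventory(records):
    """records: iterable of (location, stage, text). Returns entries sorted
    highest tier first so the riskiest locations head the report."""
    entries = []
    for location, stage, text in records:
        ids = scan_text(text)
        entries.append(InventoryEntry(location, stage, ids, assign_tier(ids, stage)))
    entries.sort(key=lambda e: TIERS.index(e.tier), reverse=True)
    return entries


def summarize(inventory):
    """Count of locations per protection tier."""
    return {t: sum(1 for e in inventory if e.tier == t) for t in TIERS}


def mobile_exposures(inventory):
    """Locations where PHI lives on a mobile device: the gap the Ponemon
    figure in the article points at."""
    return [e.location for e in inventory if e.stage == "mobile" and e.identifiers]


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    ("/intake/forms/2014-03-12.txt", "collection",
     "Patient Jane Doe, DOB 04/17/1962, MRN: 00481522, phone 555-867-5309"),
    ("/finance/billing-export.csv", "storage",
     "acct,ssn\n1001,123-45-6789\n1002,987-65-4321"),
    ("laptop-7/Downloads/roster.txt", "mobile",
     "On-call roster: dr.smith@example.org, 555-010-2200"),
    ("/www/static/visiting-hours.html", "storage",
     "Visiting hours are 9am to 8pm daily."),
]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_RECORDS)
    for e in inv:
        print(f"{e.tier:<12} {e.stage:<12} {e.location}  {e.identifiers}")
    print("summary:", summarize(inv))
    print("PHI on mobile devices:", mobile_exposures(inv))
```

The output is the starting point for the "organize by protection level" step: every restricted location needs a named owner and a control (encryption, access restriction, or removal from the device), and the mobile list is the short list to act on first.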
While I believe that both of these preventative methods could go a long way, neither might prevent an employee from leaving his or her laptop open for anyone to obtain sensitive information from. Although nothing is failsafe when it comes to the thought process of others, Polancich told me a big problem is that too many organizations have the wrong mindsets when it comes to their employees. He said that because patient care facilities are designed to do just that—care for patients—he feels they are just not set up from the beginning to be disciplined about security and watching over people. He then recalled his last hospital visit where equipment, paperwork and books were just left out in the open for anyone to look at. Because of the nature of healthcare organizations, this seems to be an industry-specific problem. To this end, Polancich said that if organizations start treating data security like it’s an infectious disease (which it is), we will start to see a lot of this begin to go away.
Digging even deeper, my colleague and HCI Senior Editor Gabe Perna blogged in January about HITRUST, a Frisco, Texas-based industry group working to establish a common security framework (CSF) for the healthcare industry, announcing that it is going to lead an industry-wide effort, called CyberRx, to conduct exercises to simulate cyber attacks on healthcare organizations.
Last week, HITRUST announced the results of its first cyber attack simulation. Among its findings were that organizations that participate in cyber exercises are more prepared for a cyber attack, regardless of the maturity and comprehensiveness of their information security program. “The simulation will help better prepare organizations in the healthcare industry against sophisticated threat actors, and assist leaders in identifying organizational vulnerabilities and opportunities for industry cooperation,” CyberRX observer Jim Koenig, principal, cybersecurity and incident response for consultant company Booz Allen Hamilton, said in a statement that accompanied the findings. “We believe this industry-specific approach, if not already being used, is a model from which other critical infrastructure sectors can learn and benefit.”
Indeed, there is no doubt anymore that the time is now to seriously get preventative about protecting your data. Whether it’s an insider job, cybercrime, or both, reactive approaches simply will not work at this point—unless, of course, you’re okay with being on the “wall of shame.”