Privacy & Security
The federal regulatory environment has not kept pace with the progress of mobile health, which is driven by consumers who expect to have all sorts of information, including health data, on their phones.
Nearly 90 percent of healthcare organizations have experienced data breaches, and for the second year in a row criminal attacks are the leading cause of breaches in healthcare, according to the Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data.
LOS ANGELES — Building on several best practices and basic blocking and tackling of cybersecurity, healthcare organizations must also take a higher-level view to effectively address the problems of today.
“Cybersecurity could not be more important. The breaches continue to happen, in the federal government, the private sector, it’s all over,” said Ronald Ross, a fellow and data scientist at the National Institute of Standards and Technology, here on Monday at the Privacy and Security Forum.
In addition to outlining the new security engineering guidance document that NIST released on May 4, 2016, which he described as “the most important, most transformational” document he has worked on at NIST, Ross offered that high-level solution.
“Leadership, governance, and accountability will solve 90 percent of our cyberbreaches,” Ross said.
Symantec health information technology officer David Finn agreed, saying that a strong leader with governance in place can then hold people accountable when those policies and procedures are not working.
“Governance has to include the CEO, CFO, the board,” Finn added. “Because that’s the only way it works.”
That approach should take into account: expenditures, insurance, regulatory compliance and “all the things that companies do to mitigate risk,” said PwC managing director Lisa Gallagher.
Kyle Gilliland, director of information security at Huntington Hospital said that healthcare entities cannot simply buy security.
“It starts with taking a look at your business needs and trying to build security into those,” Gilliland said.
Ross also said cybersecurity needs to be proactive, not reactive, and that healthcare organizations should build security into every facet of their business — and explained that when NIST was working on the new document, it reached out to engineers who build bridges, planes and other large systems to understand and incorporate their best practices.
“When a plane crashes or a bridge collapses, the first thing we do is call the engineers to find out why it happened,” Ross explained.
In the event of a data breach, however, healthcare organizations typically respond by collecting more threat intelligence rather than by examining their own weaknesses and fixing them.
NIST’s new guidelines can help lead entities in that direction, though Ross said regardless of which framework a hospital chooses, the best tactic is to pick one the organization understands, is comfortable with, and can execute against.
“The only way to improve security is to architect and engineer your system,” Ross said. “You have to use engineering techniques to limit the damage adversaries can do.”
Twitter: @SullyHIT
Email the writer: tom.sullivan@himssmedia.com
OhioMHAS sent clients a postcard inviting them to take part in a satisfaction survey, thereby disclosing that the individuals had received treatment. And it’s not the first time the department has sent such a postcard.
Former Walnut Hill Medical Center CIO will also serve as VP of government relations for the security vendor.
The Health and Human Services chief said that HHS is working to eliminate data blocking, enable interoperability, and protect patient data as it moves around the healthcare system.
The Office for Civil Rights said that many HIPAA-covered entities do not believe business associates will notify them in the event of a data breach; but since providers are on the hook anyway, they must be ready should that happen.
Two-thirds of healthcare organizations believe personalized medicine is already having a measurable effect on patient outcomes, according to a new survey. Even more, 75 percent, say it will impact their organizations over the next two years.
With the healthcare industry suddenly accounting for nearly 25 percent of all data breaches, a new study from The Brookings Institution suggests some new cybersecurity strategies are needed.
Niam Yaraghi, a Brookings fellow, conducted in-depth interviews with 22 healthcare organizations – providers, payers and business associates – that had each experienced at least one data breach.
He found some things in common across them, and some differences. But his biggest takeaway was that guidance and enforcement from the federal government isn't doing enough to keep patient data safe, and that a more concerted private-sector strategy is needed to help ensure security best practices.
In his report, "Hackers, phishers, and disappearing thumb drives: Lessons learned from major healthcare data breaches," Yaraghi offered a series of suggestions for both the HHS Office of Civil Rights and those working in the healthcare trenches.
"Consider a simple office visit," he said. "In addition to the physician who sees the patient, it may involve an independent entity that facilitates the scheduling of the visit, an electronic medical records vendor that provides software and cloud storage for saving the doctor’s notes, a health information exchange platform that shares this data with other physicians, another party that creates the bill, the insurance company that pays for it, and sometimes a collecting agency that manages the patient’s late payments."
That scale and complexity have left healthcare "uniquely vulnerable to privacy breaches."
A host of other factors, from the value of detailed patient medical records – containing both medical and financial data – to hospitals' historic ill-preparedness, has led to healthcare earning the dubious distinction of being hackers' new favorite target.
"Government incentives led healthcare organizations to adopt electronic health records without being ready to adequately invest in security technologies," said Yaraghi. "Privacy breaches used to have little to no effect on the revenue stream of healthcare organizations, and thus, they did not have strong economic incentives to invest in digital security and patient privacy."
That's all changed now, of course: 23 percent of all data breaches happen in the healthcare industry, according to Brookings. Over the past six years, health records of more than 155 million Americans have potentially been exposed in a whopping 1,500 separate breaches – the per-record cost of which is $363, the highest of all industries.
The government isn't always helpful when it comes to addressing this all too vexing problem, the Brookings report argues.
While HIPAA "is clear about the requirement to protect health data," for instance, "it does not specify how to do so and is open to interpretation," Yaraghi said. "HIPAA is also outdated and falls short of addressing modern cybersecurity challenges."
After a breach happens, meanwhile, OCR initiates audits. "While one does not expect the organizations that were audited to have a positive view about OCR, most of them mentioned that the process is very punitive and contributes to organizations’ reluctance to share the details of breaches with peers," he added. "Furthermore, audits usually take more than two years and organizations incur significant legal fees during the process."
As a potential way forward, Yaraghi offered some pointed suggestions to both the healthcare industry and the government.
First and most obvious, health organizations must prioritize patient privacy.
"In many of the interviewed organizations, privacy breaches could have been prevented had the organization spent enough on security technologies or diligently implemented and followed privacy policies," he said. "Healthcare organizations now have access to both the knowledge and technology that is required to ensure the privacy of their patients, and thus should use these resources to their fullest potential."
He emphasized the acute need for better communication: "Information sharing about security technologies, privacy policies, and breach incidents should take place among healthcare organizations and also between healthcare organizations and federal agencies," Yaraghi said.
And he touted the value of cyber insurance – not just as a protective mechanism for individual organizations, but as a lever to help drive improvements in security practices industry-wide.
Such an insurance market could "fundamentally improve how patient privacy is viewed and managed in the healthcare sector," he said. "To underwrite the privacy risk of healthcare organizations, cyber insurance companies will be willing and able to conduct timely and efficient audits and proactively manage their clients’ privacy protection efforts. Healthcare organizations will also have a direct economic incentive to reduce their cyber insurance premiums by addressing their security weaknesses and preventing privacy breaches."
Meanwhile, Yaraghi had two key recommendations to the Office for Civil Rights.
First, it should better communicate the details of breach incident audits, he said.
"After a breach happens, OCR conducts a thorough investigation to identify its causes. Through these audits, OCR also ensures that the victim organization has put corrective and preventive policies in place to avoid future incidents. Although the lessons learned from each breach can prevent other similar incidents, OCR does not share the details of its investigations. OCR should provide detailed reports on how each breach happened, and how other healthcare organizations can avoid similar occurrences."
Also, the government should get more specific about HIPAA – ideally establishing a "universal HIPAA certification system," said Yaraghi.
"OCR should prevent more than it punishes," he said. "Although the audits that happen after a breach effectively reduce the chances of second incidents, they cannot prevent privacy breaches in the first place. Random audits that take place before a breach occurs will be helpful in preventing one. These random audits are currently conducted very rarely. OCR should accredit certification agencies that can conduct preventive audits in accordance with OCR standards and certify the compliant organizations."
Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com
Michael Kaiser on how healthcare organizations struggling to find great employees can guard against an array of new cyberthreats. And it begins with finding farm teams akin to ones that Major League Baseball teams use to cultivate players.