Privacy & Security
Cybersecurity concerns have become much more than a hypothetical for hospitals, most of which are finally realizing just how vulnerable they are. So it's no surprise that IT security vendors will be among the most visited booths on the HIMSS16 exhibit floor.
Among those: Imprivata will be showcasing the expanded capabilities of its Confirm ID technology, touting new remote access features and two-factor authentication for medical devices.
Initially launched in early 2015 as a comprehensive security tool for e-prescribing of controlled substances, Confirm ID helps providers meet DEA requirements for EPCS while also simplifying eRx workflows in general.
The new platform aims to address, on an enterprise level, other cybersecurity imperatives such as remote employee access, medical device security and in-process authentication for clinical transactions, officials said.
"As healthcare goes digital, critical clinical workflows are using simple usernames and passwords to provide access, making patient information easily vulnerable to hacking," Imprivata CEO Omar Hussain said in a prepared statement.
Imprivata officials said Confirm ID enables fast and secure authentication, protecting workflows against hacking and leaving an auditable "chain of trust" wherever users interact with patient records, financial information or other sensitive data.
"A single, centralized authentication management platform improves security and compliance auditing across the enterprise by enabling better control over how, when, and where users interact with patient records and other sensitive information," added Aaron Miri, chief information officer of Dallas-based Walnut Hill Medical Center.
Miri will discuss Walnut Hill's use of Imprivata's identity management and security tools at HIMSS16. Other presenters include Martin Littmann, CTO and CISO at Kelsey-Seybold Clinic, who will present on strategies and best practices for achieving EPCS success, and Rebecca Carter, director of informatics at Bon Secours St. Francis Health System, who will talk about improving patient safety and reducing duplicate records with biometric patient ID.
Plenty of industry partners will also be touting their Imprivata collaborations, with vendors including Allscripts (booth #2612), Cerner (#2032), Citrix (#3412), First Databank (FDB) (#1143), HP (#1332), MEDHOST (#3821), Nuance Communications (#2612), Samsung (#724) and VMware (#2221) displaying the company's tools in their booths.
Imprivata, meanwhile, can be found at booth #3403.
Twitter: @MikeMiliardHITN
This story is part of our ongoing coverage of the HIMSS16 conference. Follow our live blog for real-time updates, and visit Destination HIMSS16 for a full rundown of our reporting from the show. For a selection of some of the best social media posts of the show, visit our Trending at #HIMSS16 hub.
It seems simple enough: If a piece of medical equipment is storing, receiving, transmitting, or processing electronic protected health information, it falls within the category of devices that are covered under HIPAA.
Yet, “for many practitioners, it just hasn’t occurred to them that medical devices are computers or are interfaced with computers,” said Steve Spearman, vice president of HIPAA Compliance Services of Healthicity, an information security consulting and services firm focused exclusively on healthcare.
In turn, they fail to include the security of medical devices in their risk analysis processes. And that, Spearman warned, can be a dangerous and costly mistake. "In addition to the standard problems with computer vulnerabilities, compromised security in medical devices is particularly prone to issues that can affect patient care, even patient safety," he said.
As recently as November 2015, Lahey Hospital and Medical Center in Massachusetts agreed to pay $850,000 and implement a corrective action plan after settling with the Department of Health and Human Services Office for Civil Rights over a stolen laptop that was used to operate a portable CT scanner.
The nonprofit teaching hospital was cited for failing to conduct an accurate and thorough risk analysis, failing to implement appropriate physical security measures, failure to assign a unique user name to identify and track users and, lastly, for disclosing the ePHI of 599 individuals whose data was stored on the laptop, Spearman said.
“Medical devices pose risks similar to all other computers,” he said. “Vulnerabilities in medical devices can be exploited to gain inappropriate access to network resources.”
Spearman, along with Mary McGuirl, Director of IT at Oneida Healthcare in New York, will present the session, “Assessing the Risk of Your Medical Devices,” at HIMSS16.
With Spearman as a “nuts-and-bolts kind of guy” and McGuirl providing perspective on practical issues such as resource constraints and organizational challenges related to meeting federal requirements at a small regional hospital, the pair hopes participants come away better equipped to include medical devices in their annual risk assessment.
Left out of risk analyses, medical devices "can be a vector for malware," Spearman said, noting that many run on vendor-controlled software or embedded firmware and therefore cannot easily be updated to more secure versions.
He pointed to “inappropriate access controls,” such as weak or non-existent credentials, as a common issue that can be exploited “to undermine the integrity of the medical record.”
“Even worse,” he continued, “sometimes these credentials are hard-coded and they can’t be changed! If there are no ‘unique users’ how can you conduct audits, research complaints, respond appropriately to incidents? You can’t.”
The session "Assessing the Risk of Your Medical Device" will take place from 11:30 a.m.-12:30 p.m. on Thursday, March 3, in Palazzo L.
Twitter: @HealthITNews
Aiming to help HIPAA covered entities strengthen their cybersecurity preparedness, HHS Office for Civil Rights has published a crosswalk identifying mappings between NIST's Framework for Improving Critical Infrastructure Cybersecurity and the HIPAA Security Rule.
Developed in partnership with NIST and ONC, the crosswalk also includes mappings to other commonly used security frameworks, officials said.
In February 2014, NIST released the framework to help organizations better understand and manage cybersecurity risks. Many organizations in healthcare and other industries voluntarily rely on detailed security guidance and specific standards issued by NIST.
Entities bound by HIPAA, meanwhile, are required to implement strong data security safeguards to comply with the HIPAA Security Rule and protect the health data they create, receive, maintain or transmit.
"We hear frequently from covered entities and business associates who said they are working hard in an increasingly challenging atmosphere to assure their PHI is adequately protected," OCR officials said. "We also know from our HIPAA enforcement work that far too frequently entities are leaving PHI vulnerable to breach and access by unauthorized persons."
The goal with this new crosswalk is to help health organizations that have aligned their security programs to either the NIST Cybersecurity Framework or the HIPAA Security Rule to identify potential gaps in their programs, they said.
By addressing those gaps, covered entities can improve their compliance with the Security Rule and better protect patient data.
OCR noted that the HIPAA Security Rule is meant to be flexible, scalable and technology-neutral, which lets it integrate with frameworks such as NIST's.
The Security Rule doesn't mandate use of the NIST Cybersecurity Framework, officials said – and at the same time, use of the framework doesn't guarantee HIPAA compliance. But the crosswalk is meant as a tool to help health organizations manage security risks in a more comprehensive way.
Noting that both the HITECH Act of 2009 and the Cybersecurity Information Sharing Act passed this past October called for guidance on implementation of NIST frameworks, OCR officials said the crosswalk "provides a helpful roadmap for HIPAA covered entities and their business associates to understand the overlap between the NIST Cybersecurity Framework, the HIPAA Security Rule, and other security frameworks that can help entities safeguard health data in a time of increasing risks."
Twitter: @MikeMiliardHITN
Too many healthcare organizations are focused on securing the wrong assets, leaving them vulnerable to cyberattacks and putting patients at risk, a new report from Independent Security Evaluators (ISE) claims.
When healthcare leaders focus primarily on protecting patient data, they often fail to address actual cybersecurity threats that directly affect patient health, the report said. So if an active medical device or electronic work order were infiltrated by cybercriminals, the patient could be directly affected. On the other hand, an electronic health record is secondary – it requires a provider to alter the data before it could potentially harm a patient.
ISE studied 12 healthcare organizations, two healthcare data facilities, two active medical devices, two Web applications and other devices found on healthcare networks over the course of two years to determine the possibility of remote attacks and the readiness of these institutions to keep data secure.
"We found hospitals were antiquated in their network designs and unsure about the technologies that could effectively help them," the study's authors said.
"In many cases, vendor products purchased for a security purpose were inappropriate for the organization, and those systems that were appropriate were deployed incorrectly, all resulting in heavy waste while not achieving an improvement in security posture," they added.
Researchers separated threat vectors into primary, secondary and tertiary "attack surfaces" that expose patient health, more than their health data.
Many systems that are the focus of prevention efforts "have little value with regard to personally identifiable information or personal health information – the assets hospitals strive to protect most – yet they have direct consequences with regard to patient health," according to the report.
"These attack surfaces are largely left unprotected by hospitals and are precisely the attack surfaces to be targeted by an adversary seeking to harm a patient."
Among the primary surfaces: clinicians, medicine, active medical devices and surgery. Secondary (EHRs, passive medical devices, test results, work orders) and tertiary surfaces (climate controls, physical storage, barcode scanners, connected power) often get outsized attention.
Actions taken by health leaders often addressed only unsophisticated threats, according to the study, leaving plenty of openings for attackers to get into information systems. Protection strategies often assumed attackers were after data in general rather than specific targets, and so ignored the particular strategies and motivations of the adversaries actually aiming at hospitals.
All of the hospitals in the study were failing on a range of levels to address modern security issues, largely due to a lack of funding.
"Security vulnerabilities in healthcare are a result of systemic business failures," said Ted Harrington, executive partner at ISE and one of the study's leaders, in a statement. "We found egregious business shortcomings in every hospital, including insufficient funding, insufficient staffing, insufficient training, lack of policy, lack of network awareness and many more."
According to the study, one of the greatest vulnerabilities is that patients and visitors often have physical access to networks and equipment – an issue unique to healthcare. Time, accuracy and the environment also played into sometimes adverse security circumstances.
Along with the study, ISE published a blueprint to help healthcare organizations shift their security focus. It outlines specific threats and the consequences of a breach, along with methods healthcare institutions can use to better secure their systems.
Twitter: @JessiefDavis
