
Privacy & Security

By Jessica Davis | 12:44 pm | January 28, 2016
Despite the record number of major healthcare breaches in just the past year, 74 percent of consumers surveyed by the National Cyber Security Alliance said they trust healthcare providers the most with personal information, according to a study released Thursday to mark Data Privacy Day. The day is an annual international effort launched by the NCSA to create awareness about the importance of securing personal information, both as consumers and as organizations. This year's theme is "Respecting Privacy, Safeguarding Data and Enabling Trust."

"These are the three legs of the stool for the Internet," said NCSA Executive Director Michael Kaiser. "We believe everyone needs to have respect for the information."

The findings in the TRUSTe/NCSA Consumer Privacy Index show that people have a trust-based relationship with their providers, Kaiser said. "I think the expectation is that when they provide personal information, it's protected."

To keep that culture of mutual respect, healthcare providers need to better communicate with patients about how their data is treated, he said. At the same time, providers have to build a culture of privacy within their organization -- one where privacy and security aren't just occasionally mentioned but frequently talked about. After all, healthcare providers are stewards of precious information.

"The data that healthcare providers have is extremely valuable," said Kaiser. "It's valuable to several different kinds of sources in the cybersecurity arena. We've seen this with some of the insurance breaches, where nation states gathered information of citizens through private data."

Kaiser said the best way to protect data is to ask: What data do you have? Where does it go? Who can access it? Where is it? And what are you doing to protect it?

Data Privacy Day began in North America in January 2008. It's an extension of Europe's Data Protection Day, which commemorates the 1981 signing of the first legally binding international treaty to deal with privacy and data protection.

Twitter: @JessiefDavis
By Bill Siwicki | 11:22 am | January 28, 2016
MedicFP LLC, a new vendor that focuses on combating phantom billing and other healthcare fraud, and Fujitsu will debut an identity validation product that scans palm veins at HIMSS16.
By Jack McCarthy | 10:38 am | January 28, 2016
The onset of cloud computing brought with it an information technology revolution, allowing organizations to have their IT resources hosted off site, reducing their costs and simplifying operations. Unfortunately, the move to the cloud did not mean organizations could forget about the requirements of a successful security profile.

Healthcare organizations making the move to a cloud-centric strategy can’t lower their guard on security defenses, said Chris Bowen, founder and chief privacy and security officer of ClearDATA, a healthcare cloud computing company. “People may think that by offloading security responsibility to the cloud, they won’t have to worry, but that’s not the case,” Bowen said. “We know that threats exist in the cloud.”

Bowen will discuss this issue at HIMSS16 along with J. Gary Seay, senior vice president and CIO of Community Health Systems, in a presentation entitled “Developing a Cloud Security Roadmap.” Bowen and Seay will look at the specific security problems facing healthcare organizations, which often rank behind retail and financial organizations in creating hardened, multi-layered approaches.

The session will show how to develop a cloud security roadmap that can eliminate the main causes of data breaches using a “Defense in Depth” multi-layered approach to security. The discussion will also look at how a provider enterprise can develop a defense strategy that hardens security at seven distinct layers: physical, network, application, server, data, devices and users. If done right, cloud technology enables organizations to take advantage of many layers of security, which may range from data encryption to threat management, and drive accelerated compliance, cost savings and data analytics for healthcare organizations.

Healthcare CIOs evaluating cloud providers as partners have to make sure that their security expertise is airtight, Bowen said. “Just because a cloud provider has a great set of building blocks doesn’t mean they have great solutions,” he said. “Your building blocks will fall if they are not in the right place.”

The session will take place on Wednesday, March 2 at 10:00 a.m. in the Sands Convention Center, Palazzo E Ballroom.
By Bernie Monegain | 12:25 pm | January 27, 2016
Cyberattacks around the world are growing in size and complexity, according to Arbor Networks’ 11th Annual Worldwide Infrastructure Security Report, released January 26 by Arbor Networks, the security division of NETSCOUT. For the first time, nearly half of the respondents were from enterprise, government and educational organizations, with service providers at 52 percent. Healthcare is one of the verticals included in the enterprise category. The survey garnered 354 responses, up from 287 received last year, from a mix of Tier 1 and Tier 2/3 service providers, hosting, mobile, enterprise and other types of network operators from around the world.

“This report provides broad insight into the issues network operators around the world are grappling with on a daily basis,” Arbor Networks Chief Security Technologist Darren Anstee said in a statement announcing the report. “The findings from this report underscore that technology is only part of the true story since security is a human endeavor and there are skilled adversaries on both sides.”

Arbor Networks lists the top five Distributed Denial of Service (DDoS) trends and also the top five advanced threat trends. DDoS attacks usually involve systems infected with a Trojan: malware designed to give an attacker unauthorized access to a user’s computer.

DDoS trends:

- Change in attack motivation: This year the top motivation wasn’t hacktivism or vandalism, but ‘criminals demonstrating attack capabilities’, something typically associated with cyber extortion attempts.
- Attack size continues to grow: The largest attack reported was 500 Gbps, with others reporting attacks of 450 Gbps, 425 Gbps and 337 Gbps. In 11 years of the Arbor Networks survey, the largest attack size has grown more than 60X.
- Complex attacks on the rise: 56 percent of respondents reported multi-vector attacks that targeted infrastructure, applications and services simultaneously, up from 42 percent last year. Ninety-three percent reported application-layer DDoS attacks. The most common service targeted by application-layer attacks is now DNS (rather than HTTP).
- Cloud under attack: Two years ago, 19 percent of respondents saw attacks targeting their cloud-based services. This grew to 29 percent last year and to 33 percent this year. Fifty-one percent of data center operators saw DDoS attacks saturate their Internet connectivity. There was also a sharp increase in data centers seeing outbound attacks from servers within their networks, up to 34 percent from 24 percent last year.
- Firewalls continue to fail during DDoS attacks: More than half of enterprise respondents reported a firewall failure as a result of a DDoS attack, up from one-third a year ago. Firewalls add to the attack surface and are prone to becoming the first victims of DDoS attacks, as their capacity to track connections is exhausted. Because they are in line, they can also add network latency.

Advanced threat trends:

- Focus on better response: 57 percent of enterprises are looking to deploy solutions to speed the incident response process. Among service providers, one-third reduced the time taken to discover an advanced persistent threat in their network to under one week, and 52 percent stated their discovery-to-containment time has dropped to under one month.
- Better planning: 2015 saw an increase in the proportion of enterprise respondents who had developed formal incident response plans and dedicated at least some resources to respond to such incidents, up from around two-thirds last year to 75 percent this year.
- Insiders in focus: The proportion of enterprise respondents seeing malicious insiders is up to 17 percent this year (12 percent last year). Nearly 40 percent of all enterprise respondents still do not have tools deployed to monitor BYOD devices on the network. The proportion reporting security incidents relating to BYOD doubled to 13 percent, up from 6 percent last year.
- Staffing quagmire: There’s been a significant drop in those looking to increase their internal resources to improve incident preparedness and response, down from 46 to 38 percent.
- Increasing reliance on outside support: Lack of internal resources has led to an increase in the use of managed services and outsourced support, with 50 percent of enterprises having contracted an external organization for incident response. This is 10 percent higher than among service providers. Within service providers, 74 percent reported seeing more demand from customers for managed services.
By Aaron Miri | 11:30 am | January 27, 2016
One of my all-time favorite Star Trek original series episodes is entitled "The Trouble with Tribbles." In this episode, Captain Kirk urgently races to a space station that's in distress. Once at the space station, he and the crew of the starship USS Enterprise encounter small furry creatures called Tribbles that purr and resemble something between a small cat and a cute guinea pig. Once these creatures are brought onto the Enterprise, they immediately start reproducing into litters of Tribbles and threaten to overwhelm the Enterprise and the crew.

In much the same way that the cute and cuddly Tribbles start to overtake the USS Enterprise, so too have devices with ePHI overtaken, and in some cases overwhelmed, hospital and healthcare technology ecosystems. The truly hard part is not simply containing the obvious devices and applications that store and transmit ePHI, such as servers, computers, interface engines or electronic medical records. The real challenge is standalone devices, sometimes decades old, that store and transmit ePHI unbeknownst to their users. So where can we look for these devices, and how can we get in front of them so that they don't threaten your starship?

First, it is critically important to conduct an ePHI data landscape analysis and document where and how ePHI data moves throughout your network. It is amazing how many times a network subnet or route takes a "hop" that is unaccounted for and could find its way to a device. For example, unassuming multi-function devices that users perceive to be simply photocopiers, fax machines or printers can connect to your corporate network and can store documents on a network shared drive or email users on your behalf. Additionally, those multifunction devices can contain hard drives holding copies of the print jobs or fax jobs they have completed. One large health plan recently was penalized by the Office for Civil Rights to the tune of over one million dollars because the leased copy machines it returned contained unencrypted hard drives with the ePHI of over 300,000 individuals stored on them.

Next, look for devices that do not connect to your corporate network but still store and forward ePHI. There are a number of clinical modalities (hearing test machines, radiology systems, cardiology systems, etc.) that are considered clinical devices but connect to a standalone PC or laptop via a serial cable or some other connection from the instrument to the computer. An easy rule of thumb is: if it has a hard drive in it, then encrypt it!

One of the most annoying tribbles that seems to have infiltrated organizations is the ever-present 1980s-style pager. Even more annoying is the fact that these pesky devices won't go away in the industry, and that they can easily store hundreds of alphanumeric messages that surely could contain ePHI. If your organization has them, make sure that they are encrypted or, better yet, replace them with a smart clinical communication application. There are a number of leading vendors out there with clinical applications designed for the modern healthcare worker that take into account ePHI data storage and transmission.

In the same breath as pagers is the issue of healthcare workers texting patient information to each other on their personal devices. While it's difficult to curtail behavior that occurs on a device completely out of the control of the organization, there must be thorough education, policy and user attestation efforts to educate your healthcare worker population on why this must not occur. Convenience simply does not take precedence over what could be a major risk and issue for ePHI.

Additionally, another legacy device that must be addressed is the standalone fax machine. Some fax machines have hard drives and can store fax cover sheets for easy reprinting. If ePHI can be stored on those fax machines, that constitutes a risk that needs to be addressed and mitigated.

Other pesky tribbles are automated batch and FTP jobs that "put" files onto network shares or distribution points so that organizations can share information with each other. Make sure that these FTP jobs are secure and do not use network account credentials that are generic in nature or easy to guess. It's amazing how many of these jobs are set up by vendors when an application is initially installed, but are left on autopilot for years without audit.

Lastly, work closely with your purchasing and finance departments to put controls in place so that any electronic item coming into the organization is reviewed and has a proper ePHI risk assessment completed on it, ensuring that appropriate ePHI controls are in place.

Beyond technology, it is the organizational culture that must be primed to understand the risks of ePHI proliferation and ensure all of the dimensions are addressed. Too often a tribble can quickly be introduced into an organization because it's the new cute and fuzzy creature that is admired and wanted by all. Captain Kirk ultimately saved the Enterprise by finding every single tribble and getting them off of the USS Enterprise. While that may not necessarily need to be the course of action for every tribble in your organization, you must try your absolute best to identify and remediate the risks before you suddenly realize one day that your starship has been overrun by what everyone assumed were cute and fuzzy, innocent-looking creatures.
By Susan Morse | 11:21 am | January 27, 2016
Company has launched an internal search and is notifying members whose information is on the missing hard drives.
By Mike Miliard | 12:44 pm | January 26, 2016
The Electronic Healthcare Network Accreditation Commission, the standards development organization and accrediting body for groups that exchange electronic health data, has signed a memorandum of understanding with the National Health Information Sharing and Analysis Center to better coordinate their security initiatives.
By Gus Venditto | 11:25 am | January 26, 2016
Healthcare IT professionals need few reminders about the importance of keeping cyber-security defenses strong.
By Henry Powderly | 09:46 am | January 26, 2016
The St. Louis-based managed Medicaid company said it did not believe the information has been used inappropriately.
By Mike Miliard | 12:11 pm | January 25, 2016
Flint, Michigan-based Hurley Medical Center was targeted with a cyber attack this past week, soon after the hacktivist group Anonymous released a video promising 'justice' for the city's ongoing water crisis.