How far will they protect healthcare data from insiders, outsiders?
Somehow, and for some reason, healthcare organizations represent an attractive target for cyber attackers hell-bent on demonstrating their hacking cleverness and creativity.
No organization is too large to fail. Witness January’s intrusion into health insurer Anthem’s information technology systems, where “hacksters” reportedly gained access to 80 million company records.
Apparently, the allure to poke through seemingly impenetrable firewalls and generate revenue from the illegally accessed and collected data outpaces regulations, sophisticated software products, and staff self-control there to stop it.
Redspin, which provides “penetration testing and healthcare IT security assessment services,” released its 2014 Breach Report: Protected Health Information (PHI) in late February that outlined and analyzed healthcare data breaches from 2009 through 2014. During that five-year period, which stopped short of Anthem’s IT intrusion, “more than 40 million Americans suffered a breach of their personal health information,” Redspin reported.Apparently, the allure to poke through seemingly impenetrable firewalls and generate revenue from the illegally accessed and collected data outpaces regulations, sophisticated software products, and staff self-control there to stop it.
Last year alone, healthcare organizations reported 164 PHI breaches to the Department of Health and Human Services Office of Civil Rights, which involved nearly 9 million patient records and represented a 25 percent increase over 2013 statistics, according to Redspin. In fact, “more than 50 percent of the 2014 totals were caused by hacking attacks, including a 4.5 million patient record breach” at a Tennessee hospital group, the report stated.
Almost concurrent with Redspin’s study, Lockheed Martin commissioned its own cybersecurity survey that found a majority of IT leaders, including healthcare organization professionals, by and large feel “ill-equipped to handle escalating cyber threats.” In fact, Lockheed Martin found that on average about a third of business and government IT respondents “relied on their intuition or logical deduction rather than data or intelligence” to assess their security levels and justify their beliefs, according to the study.
Further, more than half of Lockheed Martin’s survey respondents felt that “malicious insiders” and more than one-third felt that “negligent insiders” represented the greatest perceived cyber threats revealing “the most significant network vulnerability facing their organization.”
Wasn’t the Health Insurance Portability and Accountability Act of 1996 and its privacy rule, along with the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH), supposed to deflect and repel this?
Some activists argue that HIPAA and HITECH focus more on getting patients to give their consent for healthcare organizations to share their information in a secure environment rather than on the security measures themselves, making the issue more of a matter of trust in the system than on the systems in place.
How much help have HIPAA and HITECH really provided for healthcare organizations against hacksters and hacktivists? Or is it unfair to point a finger at federal regulations alone?
In this first installment of a multi-part series on the state of healthcare data security measures, Health Management Technology focuses on the effects of HIPAA and HITECH on the process of preventing and protecting from IT breaches.
Healthcare IT’s ‘breachathon’
Looking back at the proliferation of healthcare organization data breaches within the last 18 months raises questions about probable causes. Reviews are mixed on whether to attribute the breaches to the inability of HIPAA and HITECH to protect against them, the inability of healthcare organizations to defend against them by implementing necessary software improvements, or the inability of controlling human behaviors – such as the loss or theft of computer devices, unauthorized access to data, improper disposal of records, or hacking – or even some combination of the above.
Lysa Myers, Security Researcher, ESET North America, refrains from blaming federal regulations exclusively.
“I don’t believe they’ve failed as much as they are poorly understood and implemented by many health IT organizations. Security is not simple, and it’s hard for folks who are technically inclined,” Myers tells HMT. “Combine this with budgetary constraints, and the situation can start to look dire for healthcare IT. But two of the most important aspects of good security are fairly inexpensive: risk assessment and employee training.”
Rob Sadowski, Director of Technology Solutions at RSA, the security division of EMC, emphasizes the importance of knowing who’s walking through the open door as much as who’s leaving the door open.
“First, we need to distinguish between ‘accidental’ internal breaches [that] result from unintentional mishandling of [personal health information] by employees during the course of normal business, and breaches [that] are the direct result of malicious external parties’ purposeful intrusion into networks with the goal of stealing PHI,” he insists. “The former continues to rise largely because of the increased digitization of patient data and proliferation of IT in provider and payer business processes, while the latter continues to rise primarily because criminals have started to find ways to profit – directly or indirectly – from this valuable, sensitive data. Further, the sophistication of attackers going after valuable data – including PHI – has increased, while most organizations’ defenses have not kept up with this evolution of the threat.”
More than anything else, the increase in data breaches can be traced directly to the increase in the amount of data, according to Asaf Cidon, CEO and Co-Founder, Sookasa.
“The increasing popularity of mobile devices that are connected to cloud services is creating an exponential proliferation of data to many more devices than ever before,” Cidon observes. “HIPAA and HITECH are helping to bring some of the most egregious offenses to light, but they are ineffective in preventing data proliferation. In part, that’s because they’re overly focused on outdated ways of working.”
Cidon argues that consumer habits – including those of healthcare professionals – are rapidly outpacing the regulations that keep them in check.
“Time and again, we hear from healthcare professionals who are struggling with how to interpret HIPAA and HITECH,” he notes. “This vagueness does everyone a disservice, because it leads organizations to continue to rely on outdated, legacy systems – from firewalls to fax machines – [that] are restrictive, inefficient, and frankly, not all that secure anymore. What’s more, these workflows drive employees to turn to other productivity tools, from personal devices to cloud programs, out of desperation to do their work quickly and effectively. These tools have a place in the healthcare setting because they can help cut costs, deliver efficiencies and even streamline care coordination. But the data on them has to be adequately secured.”
As the media focus on the more than 400 “large” data breaches – classified as those surpassing 500 individuals – that have affected tens of millions of patients, there have been thousands more “small” breaches reported to the federal government during the same 18-month period, according to David Holtzman, J.D., CIPP, Vice President, Compliance, CynergisTek.
“The vast majority of these breaches are the preventable disclosures that occur when healthcare organizations allow health information to be maintained on a laptop, smartphone, or other device without employing technology that encrypts data at rest,” Holtzman notes. “But the most destructive incidents have resulted from cybercriminals infiltrating information systems of health plans through ‘spearfishing’ attacks. These attacks are all the more damaging because the information system administrators lack the capacity to detect the unauthorized access by outsiders over an extended period
Like Myers, Holtzman hesitates from pointing to the inability of federal regulations to stem the tide.
“The responsibility for protecting information assets falls squarely on the healthcare organization and its leadership,” he notes. “To say that HIPAA [and] HITECH are to blame would be misplaced. However, to say that HHS has failed to ensure that the Security Rule has remained relevant or that its focus on compliance has been misplaced would be fair. Healthcare is going to have to adopt a real security framework, invest in appropriate technical controls and experienced personnel if they are to meet the challenges of today and, more importantly, tomorrow.”
Art Gross, CEO, HIPAA Secure Now! and Breach Secure Now! points to several motivational causes that can erupt into problems.
“On the one hand you have healthcare organizations that have ignored HIPAA and HITECH regulations altogether,” Gross says. “They feel that there is no need to comply because there is so little enforcement of HIPAA. Or they think they are too small and fly under the radar to be a target for government enforcement. Even if organizations are concerned with HIPAA compliance, many have not implemented the proper security measures. The key here is that HIPAA compliance does not equal data security. “An organization can be compliant yet have very weak security measures to protect against data breaches. And keeping track of patient data stored on servers, desktops, laptops, mobile devices, or on cloud-based systems, and ensuring that all devices are properly secured, becomes much more difficult.”
But Gross acknowledges that employees can “make mistakes like losing smartphones or laptops, or they access more patient information than they should be viewing.” Regulations, however, should address this, he says.
“While HIPAA regulations guide organizations in terms of protecting patient information, they lack details on how to go about it,” he continues. “For example, we see in almost 90 percent of all HIPAA security risk assessments that there is a lack of system activity monitoring, which means that organizations are not watching what employees are accessing. Even if an organization is determined to be compliant and perform system activity reviews, if they only do random spot checks, this would do virtually nothing to truly stop employees from unauthorized access.”
Gross recommends that healthcare organizations at minimum should keep an inventory.
“Identify where patient information is stored, accessed, or transmitted,” he says. “Most people think of EHR as their only source of patient records, but patient information can be in a Word document or Excel spreadsheets, in emails or text messages.”
They also should assess security risks. “A security risk assessment looks at how patient information is currently protected,” he continues. “This would include frequency of data backups, employee termination procedures, file encryption on portable devices, etc.”
They also should evaluate common threats to patient information. “Besides physical threats like lost or stolen laptops, or the threat of employees stealing patient records, practices should also be protecting information in the case of fire or flood, or sending emails to the wrong patient,” he says.
Gross also insists that they recommend additional security: “In addition to encrypting files stored on all laptops and portable devices, policies should be in place to limit who can take laptops out of the office, or ensure that they’re safely locked in a secured cabinet.”
Avoiding the blame game
Healthcare organizations and professionals may be too quick to blame federal regulations for the problems they encounter, which may be misplaced.
“I wouldn’t say that HIPAA and HITECH are meant to protect healthcare organizations,” Myers says. “I would say that they are meant to help inform healthcare organizations about the risks out there and to give them guidance for how to secure the data in their care. It is the responsibility of healthcare organizations to act on this information.”
“Healthcare organizations that have been successful in preventing or protecting against data breaches have applied the Security Rule’s standards to continually evaluate and respond to the changing landscape of threats and vulnerabilities,” he notes. “The HIPAA Privacy and Security Rules establish national standards so that protected health information may be not be used or disclosed by a covered entity or business associate without the authorization of the patient unless permitted or required, as well as setting standards to safeguard the confidentiality, integrity and availability of electronic PHI.
“The HITECH Act’s Breach Notification standards establish first-of-their-kind federal laws requiring organizations to take action to notify consumers when their unsecured personally identifiable information is disclosed,” Holtzman continues. “The problem is too many see the Security Rule as all they need to do, or misinterpret its requirements as a real security framework. At best, the rule, which was a product of compromise, would have been graded as a C- in 2003 when it was finalized, and today it would fare worse as technology has evolved, the threat has evolved, and more importantly healthcare’s use of information has evolved, and the requirements in the rules have not.”
Healthcare organizations should not view federal regulations as a crutch, according to Sadowski.
“Organizations must ensure that compliance with these guidelines becomes a continuous, ‘business-as-usual’ process – something few do,” he says. “Further, the threat landscape often evolves much faster than regulations do, requiring organizations to constantly assess their risks and take proactive steps to address them, regardless of requirements from a particular framework or standard. Comparatively, the willingness of HHS to impose fines for HIPAA violations makes them more effective than security regulators in many other industry sectors.”
Cidon concurs that HIPAA and HITECH have become almost ritualistic without depth.
“There’s too much focus on checking the box for HIPAA and HITECH compliance, and not enough on robust, end-to-end security,” he argues. “To actually prevent or protect against HIPAA breaches, healthcare organizations need to implement security policies that protect data across their servers, cloud services, and mobile devices. For HIPAA and HITECH to be effective, the guidance around them needs to be more tactical.”
Gross notes that blaming HIPAA for data breaches might not be fair.
“If organizations truly complied with HIPAA and performed annual security risk assessments, implemented security policies and procedures, and provided security training for their employees, most breaches would be prevented,” he says. “The reality is that HIPAA-compliant organizations are in the minority. Whether you blame HIPAA or the lack of HIPAA enforcement, there has not been a big push to ensure that patient information is properly protected. So it shouldn’t be a shock to anyone when millions of patient records have been breached.”
Ongoing HIPAA, HITECH hurdles
What are some of the lingering challenges that healthcare organizations continue to face with HIPAA and HITECH compliance? Five data security experts share their insights.
“The biggest thing I see is the failure to perform security risk assessments. In order to protect something, you must know what it is you are protecting and have some understanding about what you’re protecting it against.”
Lysa Myers, Security Researcher, ESET North America
“Surveys have shown a consistent lack of investment in the human and technology resources required to adequately safeguard information systems. Less than half of healthcare organizations have an information security officer. And, the average healthcare organization puts only 3 percent of their IT budget to information security. Further, a high percentage of organizations still do not perform regular enterprise-wide risk assessment to identify threats and vulnerabilities to their information systems.
“Privacy and security are first and foremost a mindset; they either are or aren’t part of the organizations culture and core values. When they are, the investment in controls, technology and people happen.”
David Holtzman, J.D., CIPP, Vice President, Compliance, CynergisTek
“The good news is that these regulations have been out for some time and are now reasonably well understood, including best practices for achieving compliance. The challenges that remain are maintaining continuous compliance as time goes by. The rate of technology and business change for many care organizations makes this a daunting task, as does the lack of resource and dedicated security skills in most organizations that are rightfully more concerned with positive care outcomes for their patients.”
Rob Sadowski, Director of Technology Solutions at RSA, the security division of EMC
“The questions HIPAA and HITECH compliance raise around new technologies are only going to lead to more confusion as medical records become increasingly electronic and reimbursement, fee-for-service, and other pressure ratchets up. HHS is going to have to provide better guidance around what constitutes adequate levels of protection for ePHI, like end-to-end, easy-to-use encryption, if it’s going to have any hope of delivering quality care and protecting patients.”
Asaf Cidon, CEO and co-founder, Sookasa
“One of the trends we’re seeing is how HIPAA compliance is affecting physician super groups and physician hospital organizations (PHOs). These are multi-specialty practices band together to centralize operations and billing, share administrative functions and ultimately lower overhead.
“PHOs or super groups could be made up of a lot of smaller practices that struggle with resources to comply with HIPAA. Employing expensive compliance consultants could be cost prohibitive at the individual practice level. … Putting trends aside, HIPAA needs to move beyond guidelines; it needs to be stronger, it needs to be clearer and it needs to be enforced. Only then will we see a big push to secure patient information. Until then, millions more records will be breached.”
Art Gross, CEO, HIPAA Secure Now! & Breach Secure Now!