Electronic security a growing concern in healthcare
The Federal Bureau of Investigation’s (FBI) warning on the vulnerability of healthcare data systems to cyber attack isn’t the first alert to providers, but it got the attention of many who did not realize how hackers see them as a prime target.
Beginning in April, the FBI has been warning healthcare providers their cybersecurity systems are lax compared to other sectors, according to information obtained by Reuters. (The full article is available online at http://tinyurl.com/oexvwl8.) Hackers want in to healthcare data systems because personal medical records and health insurance data are far more valuable to hackers on the black market than credit card numbers. The health-related data usually contains details that can be used to access bank accounts or obtain prescriptions for controlled substances.
"The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely," the FBI notice to healthcare providers says.
The threat to healthcare data is changing how some providers look at vendors they would have to trust with that data, says Mick Coady, principal and co-leader of the Health Information Privacy and Security Practice at PricewaterhouseCoopers, the financial services and consulting company in St. Louis, MO. The risk manager and security or compliance officer more often are invited to the meetings in which a vendor’s data security is discussed and assessed, he says. This invitation represents a shift from seeing data security as primarily a tech issue to seeing it more as a risk management concern, he says.
"We’re seeing that shift already in the larger institutions, and it will come to the others in time," Coady says. "As the Office of Civil Rights grows and becomes stronger, everyone is going to start looking at data security in a new light. Healthcare institutions will see more of a melding among these roles because they will realize that this is not just an IT issue, but an issue in which you have to assess the legal and liability risks on a regular basis."
Brian Lapidus, senior vice president with the fraud consulting firm Kroll in Nashville, TN, agrees that cyber security is no longer just an IT concern but is now a function of enterprise risk management. Focusing primarily on the "cyber" aspect of data security can be a mistake, he warns, because the human component is such a driver.
"It is important to look across all departments that use technology and focus on addressing exposures across the board," Lapidus says. "Go to all those departments and find out what security they’re using, what is the key data they use, where is it, who has access to it, how long does it stay in the system, and who is responsible for it."
In many cases, the person you ask will have the wrong answer or no answer at all, he says. That step leads you to opportunities for better education, but it also signals a potentially weak area that could allow a hacker in. (See the story on p. 81 for advice on improving security.)
Technology can open your system to outside threats before you realize the technology is in use, Lapidus says. Different types of devices that create Wi-Fi hot spots and similar connections can allow a hacker access to the system or at least to passwords and other information from a user. "It can be a challenge to stay current with all the ways that someone can get into your system, but unfortunately that’s what is necessary to keep your data safe," Lapidus says. "Ideally you want this approach of watching for new threats to become part of your culture so that it’s not just the concern of one person, but everyone is watching for problems."
Managing flash drives with protected healthcare information (PHI) can be a challenge, notes Joseph Wager, MS, RCP, senior risk management and patient safety specialist for the Cooperative of American Physicians in Los Angeles. PHI stored on a USB flash drive should be encrypted with an accredited Federal Information Processing Standard (Publication 140-2) cryptology, he says. That is a particular type of encryption established by the National Institute of Standards and Technology in Washington, DC. (More information is online at http://tinyurl.com/crjwbx. See Publication FIPS 140-2.)
There is good news
The good news is that many flash drive manufactures are selling compliant devices. Most secure USB flash drives use some form of the Advanced Encryption Standard (AES) encryption, either 128-bit or 256-bit, Wager says. These levels are approved by the U.S. government for encrypting secret-level and top-secret-level documents and are compliant with the Health Insurance Portability and Accountability Act (HIPAA). A standard USB flash drive can be made compatible by adding encryption software, Wager says.
"Renting a car that has a Bluetooth system may allow the copying of all your smartphone’s information: sensitive data/patient phone numbers, websites, portals. Ask the rental agency to remove or delete your personal data when returning the car," he says. "Restaurants’ and coffee shops’ free Wi-Fi also opens you up to HIPAA violations. You do not have a business associate agreement with each of them!"
- Mick Coady, Principal and Co-leader, Health Information Privacy and Security Practice, PricewaterhouseCoopers, St. Louis, MO. Telephone: (314) 565-1949. Email: firstname.lastname@example.org.
- Brian Lapidus, Senior Vice President, Kroll, Nashville, TN. Telephone: (615) 320-9800. Email: email@example.com.
- Joseph Wager, MS, RCP, Senior Risk Management and Patient Safety Specialist, Cooperative of American Physicians, Los Angeles. Telephone: (800) 252-7706.