Data and email, free and wild

Sept. 28, 2015
Hemant Pathak, Assistant General Counsel, U.S. Commercial Enterprise and Health & Life Sciences Business Units, Microsoft
David Ting, Founder and CTO, Imprivata
David S. Holtzman, J.D., CIPP, Vice President, Compliance, CynergisTek
Greg Girard, Director of Product, HealthCare, Calgary Scientific
Randy Carpenter, Senior Vice President of Strategic Services, Stoltenberg Consulting
Lysa Myers, Security Researcher, ESET
Jim Hunter, Director of Pulse and Security, CareTech Solutions
Karly Rowe, Director of Strategy, Experian Health

A while back, I attended an event at which a speaker shared just a few of the absurd passwords he has recovered or uncovered in his IT work. The audience laughed uproariously at the sheer silliness. Examples included: “password,” “Password,” “Username,” “12345,” “123456,” “123456789,” “abc123,” “000000,” “Login,” and “qwerty.”

They’re all real.
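A deny-list check of the kind a practitioner would bolt onto a password-reset flow, as an added example that is not part of the article: it screens a candidate password against a constructed list seeded with the passwords quoted above, normalizes case and strips the trailing digits and punctuation people append to satisfy complexity rules (so “Password1!” still hits the “password” entry), and enforces an assumed 12-character minimum. The list, the minimum length and the function names are assumptions for illustration; a real deployment would load a breach corpus instead of a handful of literals.

```python
"""Deny-list password screening (added example; not from the article).

Rejects candidates that match a known-bad list even after the usual
"complexity" padding (capital first letter, trailing digits/symbols).
"""
import re

# Constructed sample deny list seeded with the passwords quoted in the article.
# A real deployment would load a large breached-password corpus here.
COMMON_PASSWORDS = {
    "password", "username", "12345", "123456", "123456789",
    "abc123", "000000", "login", "qwerty",
}

MIN_LENGTH = 12  # assumed local policy minimum, not a figure from the article


def normalize(pw: str) -> str:
    """Lower-case the candidate and strip trailing digits/punctuation.

    "Password1!" -> "password"; an all-digit input such as "12345" is returned
    unchanged (lower-cased) so it can still be matched directly.
    """
    lowered = pw.lower()
    base = re.sub(r"[\d\W_]+$", "", lowered)
    return base or lowered


def check_password(pw: str) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons: list[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS:
        reasons.append("matches a known-bad password (after normalization)")
    if re.fullmatch(r"(.)\1*", pw):
        reasons.append("single repeated character")
    return reasons


if __name__ == "__main__":
    for candidate in ("Password1!", "000000", "Qwerty", "correct horse battery staple"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The normalization step is the part worth copying: a plain string comparison against a deny list is defeated by the first user who types “Password1”, and a length rule alone lets “Password1234” through.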

Add to this the fact that healthcare professionals frequently transmit private information via email and store sensitive data on laptops and other mobile devices that they may leave unsecured in their cars or take home, and perhaps no amount of security can trump irresponsibility, negligence – or just plain stupidity.

As healthcare information technology executives and professionals scramble to improve electronic security measures, the “X factor” remains how they might influence and modify human behaviors that can penetrate the supposedly formidable fortress walls of current computer security measures.

How might healthcare IT experts pinpoint probable causes for these lapses? What can they reasonably do about the overall problem? How might technology influence behavioral modification and change corporate culture?

Beacon on the hilt

Despite the adoption, implementation, and enforcement of federal or state regulations designed to fortify – if not virtually guarantee – data security, the number of cyber attacks, data breaches, and hacking incidents against healthcare organizations continues to multiply. Some point to the failure of regulations or their enforcement; others to software deficiencies and questionable employee behaviors with mobile device access.

Hemant Pathak, Microsoft’s Assistant General Counsel for U.S. Commercial Enterprise and Health & Life Sciences Business Units, argues that healthcare organizations make an alluring and attractive target for serious and recreational hackers alike.

“A lot of highly publicized data breaches [happening] lately show how tempting a target healthcare data is for hackers today,” Pathak says. “We are seeing a new category of threat emerging in the industry, and everyone has a part to play. First of all, health organizations need to go beyond the requirements of baseline privacy and security regulations like HIPAA, and focus on a comprehensive security model for their IT infrastructure and data management. Even with state-of-the-art IT such as cloud services, there is still a need to focus on employee education to help keep data safe. This includes education about phishing, resetting default passwords, and employees properly configuring servers.

“The sheer increase in cyber attacks over the last couple of years should put healthcare organizations on high alert over risks that could result in a data breach and implement meaningful steps to help significantly reduce the risk of a breach occurrence,” he adds.

David Ting, Founder and CTO, Imprivata, concurs that the “increasing value of medical information” may be one of the key motivators driving cyber attack growth against healthcare organizations.

“Patient health records and insurance information can be used to submit fraudulent claims or other nefarious activity, such as diverting prescription painkillers or other medication,” he says. “In fact, some experts place the value of patient health data as 50 times higher than their credit card information.”

The transitory nature of clinical professionals and other healthcare workers, and the variable access points to data, may be another key contributing factor, according to Ting.

“Care providers are highly mobile, constantly moving from one patient room to another, and then from the hospital to the clinic to their home office,” Ting says. “They need access to their EMR, other applications, and patient information at the point of care, and they need to be able to communicate and transact with this data to deliver timely, efficient, and quality patient care. But IT is charged with safeguarding systems and information to meet compliance requirements and protect patient privacy. This creates a dichotomy between the security that regulations and patients demand and the convenience and efficiency providers need to deliver quality care.”

And therein lies the problem, Ting says. “Often, layers of security designed to protect [patient health information] and thwart cyber attacks create barriers for providers to efficiently access information that impede clinical workflow and detract from patient care,” he continues. “In many cases, providers will find workarounds to these barriers, and IT is put in an unenviable situation – not only are providers dissatisfied with their technology experience, the security measures that led to the dissatisfaction are rendered virtually ineffective. Healthcare organizations must ask: At the critical junctures where highly sensitive patient information is accessed, how do you facilitate secure, efficient access and increase productivity while enforcing security and maintaining an audit trail?”

David S. Holtzman, J.D., CIPP, Vice President, Compliance, CynergisTek, says he believes that amid the hundreds of cybersecurity incidents there are likely many, many more that have gone undiscovered or unreported.

“The root causes of these breaches are as varied as the facts of each incident,” Holtzman says. “Whether the blame lies in feckless regulatory requirements that have not held the healthcare industry to standards that safeguard data properly, poor decisions in purchasing, keeping effective up-to-date technical solutions, or the failure of users to understand how their behaviors can undermine the best system defenses, these are all symptoms of the broader challenge we face in the healthcare industry sector. The HIPAA rules and state information security laws were never intended to be a shield to protect against cyber criminals, but were instead the bare minimum to protect healthcare data. While the efforts in the healthcare sector to protect our information systems have lagged, the perceived value of an individual’s health information has increased relative to the value of stolen credit card data. All of these can be seen as reasons why hackers have increased the number of attacks and have ultimately been more successful in gaining access to information systems containing healthcare data. There is no doubt that regulations provide a focal point for organizations to base their decisions on, and in that regard the existing healthcare security rule is simply not adequate to meet the cybersecurity needs of the industry today, and certainly not going forward.”

Like Holtzman, Greg Girard, Director of Product, HealthCare, Calgary Scientific, points to a confluence of probable causes that must be combated through education.

“Regulations are not clear or prescriptive enough for sites to understand what is necessary to implement. The clear lack of guidelines and best practices leaves many sites trying to figure out how to protect their data. Certainly employee behavior can have a big impact on the protection of data and devices,” Girard states. “This is a continuous education that is required, to remind staff of the regulations and steps to ensure that data and devices are always protected.”

But Girard contends that vendors must lead the charge. “Software vendors have a huge part to play in data protection,” he says. “Vendors need to understand the regulations and the best practices for implementing the steps to ensure that they can help make implementation easy and secure for their customers. Software should be designed to fit into the site’s current IT infrastructure, including username/passwords. The software should not transfer or store any data on the mobile devices.”

No paper tiger

Others characterize federal or state regulations as a convenient scapegoat.

“I don’t see the growing number of attacks directly related to the current regulations or lack thereof,” says Randy Carpenter, Senior Vice President of Strategic Services, Stoltenberg Consulting. “While healthcare has traditionally lagged behind other industries in modernizing applications, infrastructure, and associated networks, there have been improvements in these areas over the last few years. Furthermore, security awareness is growing not only within the healthcare organizations themselves, but [it] also now elicits regular inquiries from the organizational board of directors. This increased awareness has positively impacted the level of investment and attention on securing the organization and patient data. Even so, there are still many healthcare organizations that lack a comprehensive information security program. The smaller the organization, the less likely it is to have an effective, multi-layered information security approach unless it has outsourced these mission-critical services to an experienced industry vendor.”

Lysa Myers, Security Researcher, ESET, suggests healthcare organizations recognize and understand the big picture.

“I don’t believe we can pin the current state of insecurity on any one policy or behavior,” she says. “Many companies and many employees do not adequately understand what good security is or why it’s important. And even more don’t have a good sense of the things that they need to protect. This is why things like risk assessments and security education are important: Know what it is you’re protecting, and how to protect it.”

Software deficiencies combined with employee behaviors may be the obvious culprits, according to Jim Hunter, Director of Pulse and Security, CareTech Solutions.

“Employees are under pressure to keep up with growing patient workloads and pay attention to additional regulations, such as patient quality measures,” he says. “For example, under patient quality guidelines, a practice needs to review patients who have not had an office visit in a given timeframe. Because of software deficiencies, there is no secure electronic tool to create that list of patients and safely transfer the data to the front-office staff so they can begin calling those people. To solve the problem and meet the requirements, staff often place protected health information on a spreadsheet and email it to the staff person or hand them a thumb drive with this sensitive information. Needless to say, this scenario is a serious lapse in security.”

Karly Rowe, Director of Strategy, Experian Health, warns healthcare organizations to stop looking for that silver bullet to prevent cyber attacks.

“[Data security] requires healthcare organizations to adopt a multi-layered protection strategy,” she says. “This includes protecting the perimeter with firewalls and other technologies, educating internal employees on security best practices when using devices or handling sensitive information, protecting access points where employees, patients, or the public are accessing data, requiring vendors to have tight security and appropriate tools/conduct assessments periodically of your vendors, and establishing and deploying security policies continuously through a dedicated team. Regulations will help drive change, as will the fear of being attacked. However, this problem is new to healthcare since the adoption of electronic records. Regulations and policy will eventually catch up, similar to what happened in financial services as banks moved services online.”

And the fight for data protection will continue, which is why electronic walls must be fortified, Rowe insists.

“It’s important for healthcare organizations to recognize that the job and need to protect their data never ends,” she says. “Once a solution is put in place to prevent a type of attack, hackers will soon find another way in and create a new attack. The multi-layered protection strategy needs to be continuously evolving as the fraud landscape continues to evolve. Right now, the barriers are low, which makes healthcare an easy target for hackers.”
