Should Healthcare Organizations be Looking at Biometrics for Health IT Security?

Jan. 11, 2017
The use of biometric technology solutions—fingerprints, hand geometry, retina or iris scans—for data security purposes is beginning to pick up momentum across the healthcare space as data security leaders face an increasingly hostile cyber threat landscape.

Most cybersecurity experts predict that data security threats against the healthcare industry will only continue to increase and evolve in 2017 as widespread malicious and criminal hacking poses an increased risk to protected health information (PHI) and healthcare organizations’ information systems.

According to data from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) breach portal, also referred to as the “wall of shame,” the number of hacking/IT incidents at healthcare providers skyrocketed last year. In 2014, there were 18 reported data breach incidents classified as “hacking/IT incidents” at healthcare provider organizations, as reported to HHS. In 2015, there were 30 reported “hacking/IT incidents” that caused a data breach at healthcare provider organizations. Last year, that number jumped to 95, or more than triple the number of hacking incidents at healthcare provider organizations. Additionally, when looking at all data breaches reported to HHS by healthcare providers, there were 251 data breaches last year.

Facing an increasingly hostile cyber threat landscape, the leaders of healthcare delivery organizations are under pressure to protect their health data and information systems and many are turning to technology solutions to strengthen their IT security.

During a webinar sponsored by HIMSS Analytics (a division of the Chicago-based Health Information and Management Systems Society) exploring health IT security trends, HIMSS Analytics researchers presented data from a survey of healthcare executive leaders, including CTOs, CIOs, CISOs, IT/Security VP/directors, patient care heads and patient access heads, about their organizations’ use of biometric technology and the potential opportunity for biometric technology for the purposes of data security.

“Security in healthcare today is a huge topic and there are a lot of issues that organizations have to deal with in terms of providing patient protection, providing data protection and securing sites, such as securing their own facility and as well as other sites such as off-site storage, and there’s no one true answer,” Brendan Fitzgerald, director of research, HIMSS Analytics, said. “From the healthcare industry standpoint, I think security solutions, collectively, can be used in tandem to help thwart an attack and can only increase the efforts made by security groups within organizations to help strengthen security. Biometrics are not a silver bullet, but used collectively with other organizational tools around security can begin to make it more difficult for hackers to have access.”

To provide an outline of the threat landscape, Matt Schuchardt, director of product development and innovation, HIMSS Analytics, cited data from HIMSS Analytics Logic and the HHS breach portal indicating that the number of reported security breaches at healthcare providers increased 167 percent in the last year. “More than 20 million Americans had their healthcare information exposed due to malicious hacking attacks just in 2016, and the volume and the depth of those attacks is significantly larger than what’s happened in previous years,” he said.

From a threat perspective, where the activity is happening has changed significantly in the last few years, as the network server is the new target, he said. “There were minimal network breaches in previous years, a lot of stuff around laptops, personal devices and some small number via the EMR, but the primary target today is the network itself. And we need to think about that with regard to biometrics, how do you secure that network in ways that make it easy to access the data but difficult to breach for unauthorized guests,” he said.

Projections for data breaches at healthcare providers in the next two years are quite stark. “We’re looking at 45 million people’s records impacted in the next two years alone, so certainly the time to do something about this, is now,” Schuchardt said.

According to the data Schuchardt presented, there is a disturbing trend of repeated health system exploits. Since 2011, 31 different health systems in the U.S. have reported being breached multiple times by hackers. These 70 breaches impacted the privacy of 9 million patients. Additionally, almost half (45 percent) of those 70 breaches were in 2016 alone, he said.

Hacks from 2010 to 2015 impacted 614,060 patients, an average of 122,812 per year. All in, the number of patients impacted by hacking in 2016 was 6,075 percent above the previous five years, he said. “The threat is real, it is growing and it is targeting your organizations in a variety of locations and with a variety of modalities. You need to think about how do you make the data available so patients and providers can access the information wherever care is happening, but keep the nefarious people away from it and it’s a real challenge and it’s something we need to figure out relatively quickly,” he said.

Currently, the use of biometric solutions—fingerprints, hand geometry, retina or iris scans—for data security purposes is limited, but is beginning to pick up momentum across the healthcare space, Fitzgerald said.

Of the respondents to the survey, about half (47 percent) report that their organizations are currently using biometrics in different areas of hospital operations and not necessarily for security. Certain areas within healthcare organizations have been using biometric technology for some time, such as fingerprint biometric solutions for medication dispensing and employee identification, and those still seem to be the primary areas where biometric solutions are used. Sixty-two percent of the survey respondents reported using biometrics for medication dispensing and management, while 43 percent use the technology for employee identification.

According to Fitzgerald, the concept of biometrics is quickly moving away from being considered a convenience for end users to being a necessary security tool. The survey found that 28 percent of healthcare organizations are using biometrics for two-factor (multi-factor) authentication and 23 percent are using it for enterprise single sign-on. Additionally, 21 percent use biometrics for patient identification, 19 percent for facility access, 19 percent for application specific sign-on and 9 percent for data center protection.

“Two-factor authentication identification is an area where provider organizations may focus as a combination of security requirements, such as token and biometric, would strengthen accessibility to facilities, restricted areas, patient data and personal health information,” he said.

“One area that’s picking up more speed than in the past is the area of employee identification and it’s less about tracking employees and more about making sure that you have the right employee at the right place and at the right time, so that can mean preventing access or allowing access to certain areas, such as data centers, any particular departments or wings in the hospital, and all that goes hand-in-hand with employee identification,” he said.

While fingerprint biometric solutions are the most widely used, HIMSS Analytics researchers found that palm print biometrics are being increasingly used for patient identification and organizations have reported that it has “helped reduce patient fraud in some cases and certainly helps to identify patients to their specific patient record,” Fitzgerald said.

Looking ahead, about one-third of survey respondents who do not currently use biometric solutions within their organizations have plans to do so, and while this represents modest future plans, there is a high ceiling for growth, Fitzgerald said.

For instance, larger organizations have more interest in using biometrics in the future, as over half of the organizations with plans to use the technology fall into the category of facilities with 251 to 500 beds or greater than 501 beds. However, Fitzgerald noted that data security is a universal issue across the healthcare market and interest from smaller facilities of less than 50 beds up to 200 beds registered at about 40 percent of those with plans to use biometric solutions.

When asked in which areas their organizations plan to deploy biometric solutions, 62 percent of executive leaders who responded to the survey cited enterprise single sign-on and 50 percent cited employee identification. This indicates that organizations are looking to make the use of technology as efficient and hassle-free as possible for employees while also keeping the security of technology in mind, Fitzgerald said.

“The enterprise single sign-on is what most healthcare organizations are looking to use biometrics for in the future. Think of all the different types of data breaches that occur that can impact an institution, whether it’s a misplaced or stolen laptop or access to a particular area or access to a computer on the floor, so the enterprise single sign-on and incorporating that with either a token or some sort of multi-factor identification can certainly help bolster the level of security that’s really needed across the healthcare sector now,” he said.

The use of biometric technology for patient identification can help provide patients greater assurance about the security of their healthcare records, Fitzgerald noted. Additionally, 37 percent of respondents cited two-factor identification as an area where they plan to deploy biometric solutions and 25 percent cited facility access, while 12 percent cited data center protection.

“There are some challenges that go along with working with biometrics which may dissuade some organizations from actually looking at this technology on a serious level, such as workflow challenges in terms of identity management and clinical workflow,” he noted.

During the webinar, Fitzgerald also presented HIMSS Analytics data on healthcare IT application demand projections in 2017 to forecast where the market is headed. With regard to biometric technology adoption, Fitzgerald projects increasing interest from healthcare providers and growth could be as high as 10 percent in the next two years. “This is one of the technologies where negative events will cause the actual adoption to increase, but looking at the overall adoption of biometric security as a standalone application in hospitals in the U.S., the adoption curve has been slow,” he said. “But we do see some hospitals making investments in biometric security in the year or next 24 months.”

Addressing the slow adoption curve at healthcare organizations, Fitzgerald noted there are technical and cultural challenges to implementing biometric technology solutions. “This is a complicated system to implement, it requires sensors and connections into your data, and you also need to have readers and iris scanners, and you also need people to comply with it. I think there’s some friction in terms of use. The technology has improved in terms of ease of use and improving the readability of the fingerprint, so that it’s readable when someone is wearing a glove, for instance, but the slowness and early phases of this has to do with the technological challenges of deploying one of these solutions and the social engineering required for compliance.”

He concluded, “The technology is more mature, the deployment of it is easier and the rewards are still very high.”