Data Security in 2015: A Need to be Proactive
As the healthcare industry continues its push for more accessible data, greater interoperability, and heavier reliance on mobile devices, one of the biggest questions that needs to be answered is whether patient care organizations across the U.S. can properly secure the influx of data both within and outside their walls.
Indeed, data security is as hot an issue in healthcare as it has ever been. In recent months, it has felt as if the industry has been in "reactive" rather than "proactive" mode, constantly on its heels, simply waiting for the next big breach of data protected under the Health Insurance Portability and Accountability Act (HIPAA) to be announced. It's not difficult to see why. In July, the Los Angeles-based UCLA Health System was hacked, with a massive data breach affecting 4.5 million people. A few months before that, in March, Premera Blue Cross, a Mountlake Terrace, Wash.-based health insurer, acknowledged that it was the victim of a cyber attack that affected some 11 million of its customers. And in February, Anthem, a large Indianapolis-based payer, suffered a massive hack of its IT systems that exposed the personal data of approximately 80 million customers.
Which organization will be next? Certainly, the issue of data breaches is high on healthcare leaders' minds. A recent cyber security survey conducted by the Chicago-based Healthcare Information and Management Systems Society (HIMSS) found that 87 percent of respondents reported that data security/cyber security has become a higher priority in their organizations, while two-thirds noted that they had experienced a significant data security incident recently.
Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm and a nationally recognized data security expert, noted the HIMSS survey in a recent keynote address at the CHIME Lead Forum-Seattle, cosponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and the Institute for Health Technology Transformation (iHT2—a sister organization to Healthcare Informatics under the joint umbrella of the Vendome Group, LLC). According to HCI Editor-in-Chief Mark Hagland, who covered the event, "McMillan spoke extensively about the need for the healthcare IT leaders at patient care organizations to begin to focus on proactive, automation-facilitated monitoring of the behaviors of individuals in patient care organizations, and the need to let go of the illusion that simply fulfilling federal compliance mandates will do the job."
McMillan said in his keynote, per Hagland, “What’s really interesting to me is that this industry has absolutely embraced technology in the way that it supports care—in terms of medical and surgical procedures. We have all kinds of technology that assists us in terms of doing procedures, and yet we still don’t think of IT as a strategic asset. If we thought of it as a strategic asset, we would probably think we need to protect it better. And yet we spend less than half of what other industries spend on security.”
Worth the Cost?
Data breaches are unquestionably costly for provider organizations. Over the past two years, healthcare organizations spent an average of more than $2 million to resolve the consequences of a data breach involving an average of roughly 2,700 lost or stolen records, according to the Ponemon Institute's fifth annual survey on privacy and security issues facing healthcare organizations. That being said, it isn't easy to implement the necessary controls, says Alexander Grijalva, head of information security risk management at the New York City-based NYU Langone Medical Center. "The bigger you are, the more expensive it gets to implement controls," Grijalva notes.
Langone is fortunate in that it is an internationally renowned institution, known for providing excellent care, Grijalva adds. "We draw patients from all over the world who want the best care; and we also have generous benefactors who care deeply about the medical center. But most hospitals in the U.S. are losing money," he notes. "They look at your health IT budgets and when it comes down to it, there might not be much left for security. I have a dollar, and I have to put it somewhere, so some folks say they will deal with security later. Sometimes there just isn't the focus that there needs to be," he says.
Phishing campaigns, Grijalva says, have become much more polished and effective. "We have moved away from the poor English grammar [attacks] to much more sophisticated campaigns, and the moment you have those credentials you can do a lot of damage with that," he says. "In the hospital space, even with education, with the volume of emails that you get and all of the activity that you have to do in terms of responding to everything, people aren't spending time to really see how legitimate something is." Grijalva recalls a phishing campaign he heard about from another organization; it referenced an information security project that the institution was working on and that employees had been educated about, and it used the medical center's logo as well, he says. "No one thought anything of it at first. Nothing seemed unusual. Phishing has become very difficult to protect against. No one has really understood how to address that."
What's more, Grijalva says, healthcare is in a precarious position compared with other industries, with the recent trend being toward opening technology systems and giving more people unprecedented access to information. "What you see going on in healthcare overall makes security very challenging," he says. "With healthcare, mandates are steered towards making information more accessible. So you're not trying to limit or shield off information, but you're aggregating more and making it more available across all aspects of workflow from hospitals to insurance carriers to health information exchanges (HIEs). In a way, it's a reverse direction from other industries, and that makes it more difficult since the risk level is increased." Grijalva notes that clinicians now have access to every patient record in the organization, since what a clinician can see cannot be segregated in advance without blocking access in an emergency. "That physician needs immediate access to the information," he says. "But it's hard to catch when someone is looking at records he or she shouldn't be looking at. That also makes the job of security much more difficult compared with securing the perimeter or trying to secure against malware," he says.
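Because charts cannot be walled off ahead of time, the control that remains is after-the-fact review of the EHR's access audit trail, which is the "automation-facilitated monitoring of the behaviors of individuals" McMillan calls for. The following is an added example, not code from NYU Langone, CynergisTek or any other organization in this article. It runs three common rules over a constructed audit log with an assumed layout (timestamp, user, patient, action, break-glass flag) and constructed staff, patient and care-team tables: a clinical user opening a chart with no documented care relationship, any user opening the chart of a patient who shares their surname, and any user touching an unusual number of distinct patients inside one hour. Break-the-glass overrides are not blocked, but they are surfaced so that the justification can be checked.

```python
"""Rule-based review of EHR chart-access audit records.

Added example, not code from any organization named in the article.
All data below is constructed and the record layout is assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed staff directory: user id -> (role, surname).
STAFF = {
    "u100": ("physician", "Rivera"),
    "u200": ("nurse", "Chen"),
    "u300": ("billing", "Okafor"),
}

# Constructed patient directory: patient id -> surname.
PATIENTS = {
    "p1": "Smith", "p2": "Chen", "p3": "Lopez", "p4": "Patel",
    "p5": "Garcia", "p6": "Brown", "p8": "Rivera",
}

# Constructed care-team assignments: (user, patient) pairs with an active
# encounter. In practice this would come from the ADT/scheduling feed.
CARE_TEAM = {("u100", "p1"), ("u100", "p3"), ("u200", "p1"), ("u200", "p4")}

# Roles expected to have a care relationship before opening a chart;
# non-clinical roles (billing, coding) are judged on volume instead.
CLINICAL_ROLES = {"physician", "nurse"}

# Constructed audit records (assumed layout):
# timestamp user patient action break_glass(0/1)
AUDIT_LOG = """\
2015-08-03T09:01:00 u100 p1 view_chart 0
2015-08-03T09:05:00 u100 p3 view_chart 0
2015-08-03T09:40:00 u100 p8 view_chart 0
2015-08-03T10:02:00 u200 p1 view_chart 0
2015-08-03T10:03:00 u200 p2 view_chart 0
2015-08-03T10:15:00 u200 p6 view_chart 1
2015-08-03T13:00:00 u300 p1 view_chart 0
2015-08-03T13:01:00 u300 p2 view_chart 0
2015-08-03T13:02:00 u300 p3 view_chart 0
2015-08-03T13:03:00 u300 p4 view_chart 0
2015-08-03T13:04:00 u300 p5 view_chart 0
2015-08-03T13:05:00 u300 p6 view_chart 0
"""


def parse_log(text):
    """Parse the whitespace-separated audit lines into dicts."""
    records = []
    for line in text.splitlines():
        ts, user, patient, action, flag = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "action": action,
                        "break_glass": flag == "1"})
    return records


def max_patients_in_window(records, window):
    """Largest number of distinct patients touched within any one window."""
    recs = sorted(records, key=lambda r: r["ts"])
    best = 0
    for start in recs:
        end = start["ts"] + window
        seen = {r["patient"] for r in recs if start["ts"] <= r["ts"] < end}
        best = max(best, len(seen))
    return best


def review_access(records, care_team=CARE_TEAM, staff=STAFF,
                  patients=PATIENTS, burst_limit=5, window=timedelta(hours=1)):
    """Return (user, patient, reason) alerts for a privacy reviewer.

    A clinical user needs a care relationship or a break-glass flag; the
    flag is still reported because it must be justified after the fact.
    The burst rule fires once per user, with '*' in the patient slot.
    """
    alerts = []
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)

    for user, recs in by_user.items():
        role, surname = staff[user]
        for r in recs:
            p = r["patient"]
            if role in CLINICAL_ROLES and (user, p) not in care_team:
                if r["break_glass"]:
                    alerts.append((user, p, "break-glass override, needs documented justification"))
                else:
                    alerts.append((user, p, "no care relationship"))
            if patients[p] == surname:
                alerts.append((user, p, "patient shares user's surname"))
        n = max_patients_in_window(recs, window)
        if n > burst_limit:
            alerts.append((user, "*", f"{n} distinct patients within {window}"))
    return alerts


if __name__ == "__main__":
    for alert in review_access(parse_log(AUDIT_LOG)):
        print(alert)
```

On the constructed data this produces six alerts: the physician opening a chart for a patient who shares his surname with no care relationship (two rules fire on one record), the nurse doing the same plus a break-glass override, and the billing user touching six charts in five minutes. The thresholds and the role exemption are the tuning knobs; a real deployment would derive the burst limit per role from historical baselines rather than a fixed constant, and would feed the care-team table from the scheduling and admission systems rather than a static set.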
Moving forward, Grijalva believes that the key to getting organizations to the level of preparedness they need is collaborating with one another. "Hospitals need to come together and say, 'These are the issues we have, and how are you dealing with that?' Folks can share information that way," he says. Grijalva notes that he is a former co-chair of the Association of American Medical Colleges (AAMC) security work group for hospitals and academic medical centers, where members talk amongst themselves about what they are seeing and where the biggest challenges lie. "You need clinicians to buy in too," he adds. "They are scientists and are not used to limiting access to, or restricting distribution of, scientific information. Information security can sometimes be contrary to the culture and needs of their profession. And you have to accommodate that. These are all things we have to factor in."