Healthcare Data Security: Battles are Being Lost, But the War Can Still be Won
No matter who you are, chances are you don’t like to accept defeat. I’m a big sports fan, and during the last two weekends of the NFL playoffs, I witnessed various levels of complaints, accusations, and scapegoating from multiple teams. The common denominator from those doing the finger pointing? You guessed it, the losing teams.
But over the years, I have seen countless examples of an athlete or a team getting knocked down time after time only to finally break through and claim victory. Oftentimes, losing strengthens your resolve to come back stronger. However, the fact is that no one likes to lose, and the idea of accepting any sort of small defeat is simply gut-wrenching to people with any kind of competitive bone in their body.
So while healthcare IT security professionals might not want to hear this, I’m going to say it anyway: sometimes, accepting defeat is okay in the moment, because as the old saying goes, you want to win the war more than the battles inside that war. And right now, the industry is clearly losing the battles when it comes to data breaches.
The numbers aren’t pretty. According to an Identity Theft Resource Center report, of the 761 major data breaches reported in 2014, 322 (42.3 percent) came from the healthcare industry. More than 83 million records were exposed in total, approximately 8.25 million of them (about 9.9 percent) from healthcare. Further, according to last year’s Ponemon Institute Fourth Annual Benchmark Study on Patient Privacy & Data Security, 90 percent of respondents had at least one data breach over the past two years, and 38 percent had more than five in that same period. For the healthcare organizations represented in the study, the average economic impact of data breaches over the past two years was $2 million.
Yes, there is a big problem when it comes to protecting patient data, but as Reid Stephan, director of IT security at the Boise, Idaho-based St. Luke's Health System, recently put it to me, healthcare organizations need to develop an “assumption of compromise.” By that he means that breaches are going to happen, especially now, when prevention tactics are not yet mature and the healthcare industry is a relatively new target. In fact, Stephan said that because underinvestment in security capabilities and controls has left so much low-hanging fruit, the number of healthcare breaches might get higher before it gets lower. Simply put, the industry is behind sectors such as banking and finance when it comes to sophisticated defense strategies.
But that doesn’t mean that all hope is lost by any means; the war against cybercrime can still be won. At St. Luke’s, an organization that has not had a breach of patient data, gaps are closed so the organization can defend itself better, even if complete defense is impossible. According to Stephan, all endpoint devices are encrypted, and a mobile device must pass St. Luke’s baseline check or everything on it is wiped. There are also ways to narrow the window for hackers, even if you cannot shut the window entirely.
For this to work, though, you must develop that assumption of compromise where accepting defeat for now is tolerable. “The reality is that a skilled, determined hacker will find a way in,” he said. “It’s not a matter of if, but when. So at that point you have to make sure that you have good controls in place to detect and mitigate what they do when they’re in.” Stephan noted that if you’re going to share digital records and push for interoperability, attacks are “just the reality of doing business.”
In all aspects of life, defeats today can lead to victories tomorrow. Just recently, at Boston Children’s Hospital, a laptop was stolen from one of the hospital's physicians, who was presenting at a conference in Buenos Aires. The laptop held an email that contained the protected health information (PHI) of 2,159 patients, including names, dates of birth, diagnoses, procedures, and dates of surgery. The hospital reached a settlement agreement with the Massachusetts Attorney General's office over the breach. The fine to Boston Children's was $40,000, which includes a $30,000 civil penalty and a payment of $10,000 to a fund administered by the AG’s Office for educational programs concerning the protection of personal information and PHI.
In a statement, AG Martha Coakley said, “Today’s settlement will put in place and enforce important technological and physical security measures at Boston Children’s Hospital to help prevent a breach like this from happening again.” As such, this is an example of learning from your mistakes after losing a battle inside the larger war. Indeed, as part of the settlement, Boston Children's will install technology to track all portable devices such as laptops, as well as encrypt and physically secure them. They'll also institute employee training programs. Hopefully these tactics and strategies will lead to a better line of defense at Boston Children’s.
Data security is gaining momentum outside of St. Luke’s and Boston Children’s walls as well. HCI Senior Editor Gabe Perna recently blogged about President Barack Obama’s dedication to data security, and more details on that are apparently forthcoming. We’ll see what the President has to say, but it’s comforting to know that he has a plan. Healthcare organizations should also have a plan, because the war against cybercrime is far from over.