ESET North America
The Health Insurance Portability and Accountability Act (HIPAA) became law 20 years ago this summer. You would think that by now everyone would have figured out all of the ways HIPAA could impact their organizations. Sadly, the word from the front line is that numerous HIPAA liabilities remain overlooked. The best excuse is that the exploitation of computerized data has evolved far faster than any of the well-meaning people who created the legislation two decades ago ever envisioned. That exploitation – for social, criminal, and medical purposes – has led to at least three HIPAA concerns being overlooked.
1. Social exploitation of computer technology
First, consider the social exploitation of computer technology; it’s what gives us the ability to share our opinions with the rest of the world. Did you enjoy your meal at the new Thai restaurant downtown? Let your friends know on Twitter or rate the restaurant on Yelp. People appreciate knowing what others think, and that includes opinions about healthcare providers. Unfortunately, not every healthcare interaction is a happy one. According to a recent NPR report about a study by ProPublica, one California health provider was “repeatedly, often brutally, panned” in some 3,000 Yelp reviews, garnering an overall rating of 1.8 out of five stars.[1]
Being slammed in a public forum is bad enough, but a healthcare provider can actually make things worse if they respond inappropriately. How? By exposing patient data in the course of rebutting a negative review. For example, if someone posts a review claiming your hospital discharged him/her too soon and you respond with an explanation that includes details of that person’s condition, you have probably violated HIPAA. Not only that, you have risked further upsetting someone who was already inclined to see you in a bad light. You may even be construed as attacking their right to free speech; there have been incidents of patients taking down negative reviews because it was the only way to remove comments from providers that included PHI.
At this point you might be saying, “We would never do that.” But are you sure? Do all of your employees understand the rules of social media engagement? And if your answer is “Yes, we had a training session on that last year,” then I respectfully suggest it’s time to have another one, particularly since this potential liability has recently received media attention. And speaking of media, make sure the marketing and PR people are clear about not exposing PHI when publishing patient testimonials.
2. Ransomware
The second overlooked HIPAA liability I want to address comes to us courtesy of the criminal exploitation of computerized data – specifically ransomware. There has been some debate recently about whether or not a ransomware attack is a HIPAA violation. In my opinion, if you’re a covered entity and someone has encrypted PHI on your systems so that you can’t get to it without paying a ransom, you have suffered a reportable breach – one that could lead to an investigation.
To be clear, if ransomware encrypts your PHI, that has checked the boxes on all four key terms: the unauthorized access, acquisition, use, and disclosure of PHI. The criminals employed unauthorized access to PHI to encrypt it. They definitely acquired the PHI and, unless you have backups you can recover from, they have taken the data away from you. They have used the PHI for their purposes – in this case, that’s extorting money from a person or organization.
As for disclosure, do not be misled by this idea that, “They didn’t look at it, they only encrypted it.” How do you know? Are you sure they didn’t exfiltrate a clean copy of the data before they encrypted it? Besides, we all know that if you lose a laptop with unencrypted PHI on it, “I’m sure nobody has looked at it” does not get you far.
3. Threat to personalized data
The third overlooked HIPAA liability comes from underestimating how hard it is to exploit computerized health data productively while adequately protecting it from unauthorized exposure. In some ways, I blame myself for this. I really should have shouted louder and longer about the seriousness of the criminal threat to personal data. And I should have articulated more clearly the reality that protecting electronic health information is harder than protecting other data, such as financial or transactional data.
The art of secure systems is sharing just the right information with just the right people, and that is a lot harder to do when there are so many of the right people. Consider banking. I need to see my checking account and, at certain times, so does my bank. I may sometimes access funds remotely via an ATM. Compare that to the number of people who need to access my medical record for my annual checkup, never mind an unscheduled visit to the emergency room with serious stomach pains.
The reality is, HIPAA was conceived in a simpler time. The privacy and security provisions were too long in coming and, when they arrived, they were mistaken for a set of goals to achieve, rather than a baseline upon which to build a comprehensive healthcare IT security strategy. That means you can be HIPAA compliant and still be breached. Or you can think you’re compliant, but under the harsh light of a post-breach investigation, it becomes clear that the way you addressed some of those “addressable” technical safeguards doesn’t hold up. You did a risk analysis, but you underestimated the risk.
What do these three overlooked liabilities tell us? You need to be sure your risk analysis is current, not just to ensure your security program passes an audit or post-breach scrutiny, but because it will improve your chances of deflecting attacks. You need to make sure you have comprehensive and regularly tested backup and recovery systems in place. Not only are these a cornerstone of information systems security, they mean that if someone encrypts some of your data you can get it back without paying money (which doesn’t always work anyway). You also need clearly defined social media engagement policies and strategies that are in place, understood, and enforced.
Healthcare IoT will deliver great benefits
The challenge will be mastering IoT security.
By Mahesh Kalva, Chief Technology Officer and Science & Engineering Head, Health & Life Sciences, Lockheed Martin Information Services & Global Solutions
The Internet of Things (IoT) as it relates to healthcare will have one primary purpose: harnessing data from multiple devices and sensors that reveal what’s really going on with patients. Endpoints will range from familiar medical monitoring systems to new devices like nanosensors embedded in patients to watch for the earliest indicators of specific conditions. Such unprecedented capabilities for predictive diagnosis hold great promise for advancing healthcare – and also pose unprecedented security challenges.
Think about how much effort is currently put into securing health information. Now, picture efforts to aggregate greatly multiplied volumes of health data from virtually unlimited locations. Current security measures may not scale to that influx of information. As with all advances in health IT, reaping the benefits of IoT will require balancing the need for data sharing with healthcare’s stringent need for data security and privacy.
The following are four focus areas to consider while developing a strategy to ensure the safety of IoT data:
- Architecture. Healthcare IoT security measures must be built into technology architecture, along with clinical knowledge of the context of the data. In addition to technical experts, the IoT development team must include clinicians who understand the role and sensitivity of the various data elements. This clinical knowledge must drive the IoT security hierarchy. Moreover, security measures must be incorporated at the onset of development, because tacking security measures onto the end application will not work due to the vast data network of unlimited endpoints.
- Collector authenticity. Healthcare IoT security must also ensure the authenticity of every data collector. Providers will ask their patients to engage in actively monitoring their heart rate, blood pressure, steps per day, and much more.
- Interoperability. Providers will want unimpeded data sharing to support meaningful aggregation, ultimately improving care delivery and outcomes. Healthcare IoT’s complex networking – and the even more complex healthcare system around it – will require seamless interoperability via the Fast Healthcare Interoperability Resources (FHIR) protocol. Additionally, new techniques will be needed for data encryption, penetration testing, and end-device security that go well beyond the requirements of today’s more contained healthcare network architectures.
- Data governance. IT professionals will need to leverage the advantages of cloud computing for their healthcare IoT applications. If a device’s hard drive dies within a cloud platform, these applications must be able to identify whether sensitive data is compromised and remove any personal information to keep it from falling into the wrong hands.
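As an added illustration of the collector-authenticity point above (example code written for this edit, not code from the article or from Lockheed Martin), the following shows one way a backend can verify that each reading really comes from an enrolled collector: every device holds a per-device secret, signs each reading with HMAC-SHA256 over a canonical encoding, and carries an increasing sequence number so that a captured reading cannot be replayed. The device ids, keys and readings are constructed for the example.

```python
"""Authenticating IoT data collectors before accepting their readings.

Added example (not from the article): each enrolled collector holds a
per-device secret, signs every reading with HMAC-SHA256 over a canonical
JSON encoding, and includes a monotonically increasing sequence number so
a captured reading cannot be replayed. Keys, device ids and readings are
constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed device registry: device id -> per-device secret.
# In practice the secret is provisioned at enrolment and kept server-side.
DEVICE_KEYS = {
    "bp-cuff-0001": b"constructed-secret-key-for-bp-cuff-0001",
    "hr-band-0042": b"constructed-secret-key-for-hr-band-0042",
}


def canonical_bytes(device_id: str, seq: int, reading: dict) -> bytes:
    """Serialize the signed fields deterministically so both sides hash identical bytes."""
    return json.dumps({"device_id": device_id, "seq": seq, "reading": reading},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_reading(device_id: str, seq: int, reading: dict, key: bytes) -> dict:
    """Collector side: wrap the reading in an envelope carrying its HMAC tag."""
    tag = hmac.new(key, canonical_bytes(device_id, seq, reading), hashlib.sha256).hexdigest()
    return {"device_id": device_id, "seq": seq, "reading": reading, "tag": tag}


class CollectorVerifier:
    """Server side: accept only readings from enrolled devices, with a valid tag
    and a sequence number higher than the last one accepted from that device."""

    def __init__(self, keys: dict):
        self._keys = dict(keys)
        self._last_seq = {dev: 0 for dev in keys}

    def verify(self, envelope: dict) -> tuple:
        device_id = envelope.get("device_id")
        key = self._keys.get(device_id)
        if key is None:
            return False, "unknown collector"
        seq = envelope.get("seq")
        if not isinstance(seq, int) or seq <= self._last_seq[device_id]:
            return False, "replayed or out-of-order sequence"
        expected = hmac.new(key, canonical_bytes(device_id, seq, envelope.get("reading", {})),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(expected, str(envelope.get("tag", ""))):
            return False, "bad signature"
        self._last_seq[device_id] = seq
        return True, "accepted"


def demo() -> list:
    """Run a short scenario and return the verdicts in order."""
    verifier = CollectorVerifier(DEVICE_KEYS)
    good = sign_reading("bp-cuff-0001", 1, {"systolic": 128, "diastolic": 82},
                        DEVICE_KEYS["bp-cuff-0001"])
    results = [verifier.verify(good)]
    # Replay of the identical envelope must be rejected.
    results.append(verifier.verify(good))
    # Reading altered after signing: tag no longer matches the payload.
    tampered = dict(good, seq=2, reading={"systolic": 90, "diastolic": 60})
    results.append(verifier.verify(tampered))
    # Device that was never enrolled, signing with a key the server does not know.
    unenrolled = sign_reading("hr-band-9999", 1, {"bpm": 70}, b"unenrolled-device-key")
    results.append(verifier.verify(unenrolled))
    return results


if __name__ == "__main__":
    for ok, why in demo():
        print("accepted" if ok else "rejected", "-", why)
```

The sequence counter is kept per device, so a lost or reordered reading is rejected rather than silently accepted; a production deployment would also bind the key to a hardware identity on the device and rotate it, which this example leaves out.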
While it’s clear that there is a tremendous amount of work ahead, the gains will far outweigh the efforts expended. IoT brings a chance to promote not only precision medicine, but predictive medicine.
Imagine an elderly patient who received a pacemaker implant two years ago and has a heart attack at 2:30 a.m. What if the pacemaker were in constant communication with a system that summons an ambulance when a heart attack is about to happen, and wakes the patient up in advance of the episode?
That’s a realistic example of the medical advances we can and should realize with healthcare IoT. Success in building the new security measures required for such applications will be key to reducing the cost of reactive care, eliminating avoidable hospitalizations and readmissions, and realizing the overall improvement in outcomes that healthcare organizations all want.