Jun 28, 2019 9:15:55 AM
Preventing Security Breaches in Healthcare

What if an emergency room doctor doesn’t have access to a patient’s medical records?

Worse, what if that patient is alone and unconscious?

Without health records, the doctors could miss out on critical facts that would completely change the course of treatment - like a life-threatening medicine allergy. Doctors need to have accurate information 24/7 from the moment the patient arrives.

And healthcare isn’t just confined to the walls of a hospital anymore. The patient’s journey from admission to discharge - known as the perioperative loop - now includes laboratories, pharmacies, other healthcare delivery organizations (HDOs) and other entities.

All of them need real-time access to up-to-date patient information.

That’s the beauty of electronic health record (EHR) systems. EHR systems let us share clinical data with patients and other players in the perioperative loop.

EHRs help us provide seamless care and better patient outcomes. But this vast digital ecosystem is increasingly at risk of a data breach - and as the perioperative loop continues to expand, healthcare data security is lagging dangerously behind.

As someone working the front-lines, I know you’ll agree that the healthcare industry is overdue for an intervention.

Contents:

  1. State of Healthcare Security
  2. 5 Pillars of Digital Healthcare Security
  3. Consequences of Healthcare Data Breaches
  4. Preventing Healthcare Data Breaches

1. State of Healthcare Data Security

Healthcare is in the midst of an exciting transformation.

EHR systems are making it possible for hospitals and other organizations to share and collaborate in real time. Big data is empowering HDOs to proactively respond to emerging patient needs. And connected medical devices are pushing the boundaries of care well beyond the hospital room.

These trends helping to are driving better, faster care and more positive patient outcomes.

But they’re also exposing just how far we’ve fallen behind when it comes to setting standards to secure the systems behind them.

Why Your HDO is a Soft Target

Handling Protected Health Information (PHI) is one of the single biggest challenges facing healthcare organizations today.

Just picture all the dozens of workstations, mobile devices and medical devices storing and transmitting data under your roof right now - not to mention all the data you’ve got in the cloud.

Your organization has a legal duty to keep every one of your patients’ record safe and secure. That means securing not only your network, but each and every device that lives within it.

And as a healthcare IT professional, you already know that HDOs are woefully behind when it comes to achieving this.

i. Lack of Healthcare Security Professionals

Healthcare security operations are frequently understaffed. It’s not unusual to find a single, heroic sysadmin shouldering the work of 20 people.

Ironically, part of this lapse in securing electronic records has to do with the push to implement them. Since the enactment of the Affordable Care Act in 2009, much of the focus in healthcare IT has been on rolling out EHR systems to take advantage of promised funding. IT security took a back seat in many organizations as a result.

Now, almost ten years later, hospitals are still having to scale back or hold off on other initiatives due to lack of available personnel.

ii. Lack of Investment in Security

Why the lack of security professionals? In most cases, the answer is money.

It’s no secret that many HDOs in this country (and hospitals in particular) face significant financial pressure. Competing priorities make it hard to increase the spend on intangibles like digital security.

Despite breach after publicized breach, 80% of HDOs spend less than 6% of their overall IT budget on security - and 50% spend a pitiful 3% or less.

iii. Black Market for Protected Health Information (PHI)

Meanwhile, cyberattacks are becoming increasingly sophisticated all the time. Hacking is now the business of state-sponsored attackers and organized criminals.

EHRs include all kinds of valuable data on just about everyone. This includes not only medical histories, but personal information like social insurance numbers and financial details like credit card information.

In other words, it’s everything a criminal needs to commit identity theft, tax fraud, insurance fraud, and many other lucrative misdeeds.

It’s a data breach waiting to happen. And it does happen - disturbingly often.

 

2. Five Pillars of Digital Healthcare Security

Beyond the hospital walls, the perioperative loop can seem like a tangled web of people, devices and data.

Digital security experts frame it differently: data crossing the bridges between five pillars, including hospitals and other care providers. Security veteran Mark Thompson identifies these pillars in his Playbook for Driving Digital Healthcare Security:

  1. EHR Systems
  2. Connected Medical Devices
  3. Health Payors
  4. Government Regulators
  5. Hospitals and Other Providers

Along with your HDO, these touch points are the key to understanding the flow of data through the healthcare system.

i. EHR Systems

Doctors do their best work with a wealth of information in front of them.

This is why more and more practitioners (over 67% at last count) are collecting, storing and exchanging patient data in digital format.

Since the HITECH Act was enacted in 2009, HDOs have been mandated to use EHR systems for five key outcomes:

  1. Improving the quality, safety, efficiency of healthcare
  2. Better engaging patients and families in their health
  3. Improving care coordination
  4. Improving overall population and public health
  5. Ensuring adequate privacy and patient data security protection

That fifth piece - privacy and healthcare-related data security - is at the core of everything we hope to achieve. EHRs can only be used to improve care if the information is accurate, and it can only be accurate if it’s secure.

ii. Connected Medical Devices

Whether stationary, bedside or portable, connected medical devices have already helped to improve outcomes for thousands of patients.

Today, there are over 190,000 connected medical devices in the United States alone. Hospitals average between 10 to 15 connected devices per bed.

And it’s not only medical device manufacturers making waves in the Internet of Medical Things (IoMT) market. Consumer titans like Apple also have their sights set on entering the $7 trillion healthcare market.

But the growing number of medical IoT devices in the perioperative loop means greater challenges securing them. Compromised devices have already been misused to infiltrate secure hospital networks. By 2020, it’s projected that over a quarter of attacks on HDOs will use IoMT.

There’s also the threat of device takeover - cyberattacks in which control of devices are hijacked. It sounds like the stuff of a cyberpunk film, but medjacking is a real threat. In fact, a full 38% of HDOs know of at least one incident where a patient received inappropriate treatment because of an insecure medical device.

Learn how build trusted and secure medical devices fit for the IoMT in this eBook.

iii. Health Payers

In addition to organizations that deliver care, our healthcare system includes numerous payers: Medicare and Medicaid, the Veterans Health Administration (VHA), and countless commercial insurance providers.

Health payers share in the flow of personal health information to and from HDOs. This interoperability allows patients to receive faster reimbursement and helps to reduce lapses in coverage.

Like HDOs, private and public payers are also increasingly targeted by healthcare breaches. There have been over 20 breaches reported by health plan providers in the first half of 2019 alone.

iv. Government Regulators

Multiple levels of government harvest EHRs and health-related data. Some of this is ancillary to other government functions, while other data is collected to study and improve the healthcare system in various ways:

  • State and local governments provide care directly through public hospitals, representing about 14% of inpatient care overall. The federal government provides care for 6.5 million patients each year through the Veterans Administration.
  • Numerous states collect data from payers for All-Payer Claims Databases (APCD) which facilitate the sharing of EHRs.
  • All levels of government conduct public health surveillance to support disease control and prevention initiatives.
  • Various government agencies provide access to anonymized health data to facilitate research and inform public health policy.
  • Unrelated activities, such as medical tax deductions reported to the Internal Revenue Service, also involve the collection PHI.

Of course, the government is also responsible for regulating how HDOs and other entities handle PHI and EHR. The Health Insurance Portability and Accountability Act (HIPAA) mandates security for all personally identifiable information (PII) whether at rest and in transmission.

Since 2016, the scope of the Act includes IoMT and healthcare-related apps.

 

3. Consequences of Healthcare Data Breaches

The reality is that more and more HDOs fall victim to cybercrime every year, exposing millions of patients and compromising critical care systems.

Last year, there were over 503 healthcare data breaches affecting over 15 million patient records. Within the same period, 82% of hospital IT departments saw significant security events.

And that was just in 2018.

There will be a day when it happens to your organization. You can’t know when or from where the attack will come. All you can do is take steps to prevent a data breach when it does.

When a major breach does happen, the fallout begins before you’ve even picked up the pieces.

Your employer’s name is trending on Twitter. Your CEO’s face is on page one. Behind the scenes, you and your colleagues have pulled an all-nighter trying to get things things back in order.

But that’s only scratching the surface.

i. Risk to Patient Lives

In a worst case scenario, a data breach can become a matter of life and death.

That’s what happened when 16 hospitals were hit by a strain of the WannaCry ransomware in the United Kingdom. The infection spread quickly across critical hospital infrastructure, including EHR systems and equipment like MRI and ultrasound machines.

It took two weeks for the hospitals to resume regular operation. In that time:

  • Ambulances had to take detours to other hospitals.
  • 19,000 appointments had to be cancelled.
  • Surgeries were cancelled within minutes of starting.

ii. Financial Hit

The healthcare sector pays the biggest financial toll of any industry for breaches: $408 per compromised medical record. On average, cyberattacks on HDOs cost an staggering $1.4 million in recovery efforts.

Not surprisingly, hospitals are hit the hardest by these incidents, with a single breach having the potential to cost hospitals as much as $7 million in fines, litigation and reputation damage.

iii. Legal Fallout

The moment an unencrypted patient record hits the black market (at a going rate of $50 per record, chances are that it will), your organization is liable for regulatory fines and class action lawsuits.

The biggest incident so far - the Anthem breach in 2015 - cost the company $140 million in legal and regulatory costs alone.

This is what’s at stake in securing your HDO: million lost in revenue and legal payouts, hours of lost time, and the risk of harm to your most vulnerable patients.

With so much to cover, it’s hard to know where to begin.

 

4. Preventing Healthcare Data Breaches

There’s a common misconception all throughout the healthcare sector that makes securing the perioperative loop even more difficult.

It’s about the difference between compliance and security.

Aren’t compliance and security one and the same? In short: flat-out no.

Compliance refers to the regulatory requirements that you and your colleagues must meet to stay in accordance with the law. It’s the regulations you’ll find in the HIPAA Security Rule, HITECH and any state-specific legislation.

Security, on the other hand, is the specific measures you’re taking to protect your network, your data and your devices.

You can be 100% HIPAA compliant and still be vulnerable to a security breach.

You’ll have to go beyond the bare minimum required by the law to prevent a breach. But the security measures will help you stay compliant - especially as the FDA continues to strengthen regulations on IoMT and other emerging technology.

The following steps are essential implementing a comprehensive digital security strategy in any HDO:

  1. Digital security risk assessment
  2. Staff training
  3. Medical device onboarding
  4. Secure networks
  5. Encryption
  6. Digital identity management
  7. Incident response plan

i. Identify Your Potential Risk Factors

Risk assessment isn’t a breakthrough. It’s been mandated by HIPAA since 2003. Chances are, you closed the book on that particular requirement long ago.

But a lot has changed since then.

It doesn’t matter if your last risk assessment was last year or last month. Something in your organization is different. New people, new software, new devices, new infrastructure.

Preventing healthcare breaches requires constant vigilance.

ii. Turn Your Staff Into Security Buffs

Face it. Not everyone who works in healthcare is as big a data geek as you are.

A lack of awareness among your colleagues, including care providers like doctors, is always going to be one of your biggest vulnerabilities.

58% of healthcare breach attempts involve inside actors, but these breaches aren’t always malicious. Falling for phishing or ransomware attacks, using unpatched software or carrying unencrypted storage devices can all result in an innocent (but no less serious) breach.

HIPAA already requires that every HDO offer security awareness training for all its staff, up to and including the C-Suite. But many organizations, especially those with high turnover, fall short.

This step is key to all of you other security efforts. Once your colleagues are engaged and aware of potential risks, you can focus more attention on external threats.

iii. Onboard Every Medical Device Securely

Security in healthcare is different from security in other industries.

It’s personal. Lives are on the line.

So, medical devices should have ironclad security from the ground up. But if you’ve ever onboarded new devices, you know that isn’t always the case.

Medical device manufacturers (MDM) do bear some responsibility for protecting patients - and there are technologies out there to make OEM device security foolproof. But it’s not just the manufacturers on the hook for security.

Your security team needs to be the gatekeeper. No new devices can enter your ecosystem unless you are confident that it will not put your patients at risk.

At minimum, your onboarding process should ensure that IoMT devices utilize:

  • Code signing to ensure that it installs only properly-verified firmware and patches
  • Unique digital certificates for every device
  • Private key storage for hardware-based cryptographic operations whenever possible
  • Organization-specific root of trust (RoT)
  • Complete device lifecycle management capability to keep devices secure in the long term

iv. Lock Down Your Wireless Network

Network security is your HDO’s first line of defence against potential cyberattacks.

Most security experts recommend segmenting your networks into separate sub-networks for various applications: one for your patients and visitors, another for HDO personnel, and another for medical devices and other applications that provide patient access.

This measure greatly simplifies the task of monitoring the activity on your networks and allows you to prioritize different sub-networks for security purposes.

v. Encrypt All Data and Hardware, Always

HIPAA doesn’t mandate the use of encryption for electronic health records.

But it should.

Cryptography is one of the most important security tools at your disposal. Encryption effectively protects PHI in storage and in transmission.

So effective, in fact, that you aren’t required to report a breach of encrypted records. Even if data is breached, an attacker cannot abuse it and the risk to patients is minimal.

Servers, endpoints, mobile and medical devices all benefit from a layer of encryption.

vi. Secure Every Digital Identity

Quick: how many entities are living on your network right now?

With so many people and devices accessing PHI, it’s essential to keep track of who’s who. The most secure way to do this is through public key infrastructure (PKI).

PKI is the gold standard for managing digital identities in an HDO. It’s a complicated system behind-the-scenes, but you don’t need to know all the math to recognize its value.

Digital certificates allow various entities (devices, computers and code) to safely and securely send communicate across your network. They ensure that only the intended recipients can send and receive critical health information.

Certificates also allow IoMT platforms and applications to validate the integrity of data and programming sent to and from each device - which is vital in preventing device takeover or medjacking attacks.

Back to the question. How many entities are living on your network? Who are they? Can you verify and trust their digital identities?

If you’re not sure, there are tools out there that can help. For over fifteen years, Keyfactor has been empowering healthcare organizations with the tools, technology and support they need to master every digital identity. Keyfactor™ Command simplifies the identification, cataloging, monitoring, issuance and revocation of digital certificates across multiple platforms. Our platform is used by hospitals, pharmaceutical companies, device manufacturers and government agencies. Keyfactor technology and workflows are uniquely designed and implemented to address the specific certificate environment and requirements of your organization.

vii. Have a Solid Incident Response Plan

Cyberattacks never come with advance notice. There’s no way to tell when an attack will occur, where it’ll come from, or the extend of the havoc it’ll wreck on your IT.

Major data breaches are chaotic, especially in the early stages. One of the biggest challenges you’ll face in the aftermath is deciding what to do first.

Who needs to be notified? What should you do first? What resources are out there to help?

This is where your incident response plan comes in. It’s not enough to train staff to prevent a breach. They’ll also need guidance when it comes to a response.

Remember: 82% of hospital IT departments have reported a significant security event within the past year. It’s not a matter of if you’ll be breached, but when.

Get your playbook for driving digital security in healthcare, download our latest eBook.

DOWNLOAD EBOOK