Luis Louro - Fotolia
Health IT security executives have a battle on their hands. The rapid adoption of electronic health records (EHRs) and the widespread use of mobile devices among providers has increased the endpoint security threat -- and there are more vulnerabilities ahead. Now, a new surge of networked medical devices and wearable gadgets present possibilities for exposure to serious security breaches in healthcare, and many hospitals are unprepared to tackle the next endpoint challenge.
In recent years, the U.S. Department of Health and Human Services' Office for Civil Rights has severely punished healthcare entities that have been lax at securing patient data and violated HIPAA privacy and security rules. These healthcare data breaches, involving endpoints like PCs, laptops and other devices, reveal a breakdown in endpoint security and highlight the challenges of keeping patient data safe.
For example, in August 2015, Cancer Care Group, P.C., based in Indianapolis, agreed to pay $750,000 to settle potential HIPAA violations that occurred three years earlier when someone stole a laptop bag from an employee's car. The bag contained the employee's computer, which held unencrypted backup media containing the names, addresses, dates of birth, Social Security numbers, insurance information and clinical data of approximately 55,000 current and former Cancer Care patients.
Another incident in July 2015 highlighted security lapses at St. Elizabeth's Medical Center in Boston, which agreed to pay $218,400 to settle potential HIPAA violations that occurred in 2012 when workers used a Web-based document sharing application to store files containing the electronic protected health information (PHI) of at least 498 individuals. In a separate incident, another breach was uncovered when it was revealed that unsecured PHI was stored on a former employee's personal laptop and USB flash drive, affecting 595 individuals.
Such security breaches in healthcare -- along with research from companies like telecommunications vendor Alcatel-Lucent, now part of Nokia, which reported that 16 million mobile devices worldwide were infected by malware in 2014 -- have prompted health IT executives to take notice.
Healthcare data breach now presents broader risk
Because health workers can access patient data anytime and anywhere, vulnerabilities have increased and PHI is no longer managed within the four walls of a healthcare facility, said Sriram Bharadwaj, director of information services at University of California (UC) Irvine Health in Orange, Calif.
"In the old days, you accessed electronic health records from a PC at your desk. There were a very small number of laptops, and login onto the system was controlled," Bharadwaj said. "Today, that same information is available in a broader, less controlled way, and multiple devices can be used to access the same data because all of these applications are now mobile compatible."
The IS office at UC Irvine Health -- which operates a cancer center, adult and pediatric trauma center, and a stroke and cerebrovascular center -- currently manages more than 1,000 devices. These tablets, laptops and other devices are used not only by physicians, nurses and other employees, but also by medical students in residency programs.
Given the frequent rotation of people logging onto the network and the tendency to bring their own devices to work, which increases the risk of a healthcare data breach, developing the right BYOD strategy is critical, Bharadwaj said.
To better secure its network, the medical facility developed what Bharadwaj said is the first-of-its-kind solution at a health system by creating middleware that links facilities' mobile device management software with a network access control application. When users bring their own devices and attempt to connect onto the network, they must receive service activation from both the software and network access app before they can gain access to the hospital system's network.
Sriram BharadwajDirector of information services, UC Irvine Health
"All devices issued by us to our staff are encrypted," Bharadwaj said. "We have a BYOD policy for those mobile devices that we don't own, and they have to be authenticated in our environment. These outside devices have to use our recommended software and abide by our policies, but our first preference is that staffs use our own equipment."
The technologies and techniques that UC Irvine Health has deployed to strengthen its endpoint security defenses include the following:
- Full disk encryption
- Antivirus software
- Workstation timeouts
- Multifactor authentication
- Single sign on
- Data loss prevention technology
- Security information and event management
Hard stance on growing mobile presence
Another hospital intent on bolstering its endpoint security management plan is Intermountain Healthcare, a health system based in Salt Lake City that operates 22 hospitals and a broad range of clinics and services. It has approximately 1,400 primary care and secondary care physicians working at more than 185 clinics in the Intermountain Medical Group.
Karl West, Intermountain Healthcare's chief information security officer, said the acceleration of attacks on health data is unprecedented. He noted that based on the findings of an assessment conducted by an external auditor measuring maturity and compliance, Intermountain Healthcare's security posture and commitment has increased 35%.
General pain points for PHI security include the following, as noted by West:
- The shift from device identification and protection to data identification and protection
- The cost to shift an entire industry's "lagging" security posture
- The amount of time required to develop a data dictionary – in other words, an inventory of all data
- Staying ahead of the bad guys, who have high financial motivation to steal healthcare records
Securing endpoints has come with its own set of challenges at Intermountain. The system has 50,000 PCs and up to 5,000 smartphones, and by the end of 2016, West estimated 20,000 tablets will be in use. To fend off security breaches in healthcare from endpoint intrusion and theft of mobile devices, West said the system's policy is to encrypt 100% of data flowing from laptops, mobile devices, storage and servers.
"Disposal of these devices requires a secure wipe and records validating the device are data free. Asset management policy directs procedures from procurement to disposition. We also control and monitor all ports and the exfiltration of data," West said.
He also added that beyond the normal usage and movement of devices between departments, workstation categorization polices exist to control the data movement and migration across the enterprise.
But while there is confidence in Intermountain's security strategy, there is also concern that a large breach could occur in any number of ways, including via malware, phishing, privileged account compromise or insider attack.
There are other, related concerns. Under the stage 3 meaningful use rules, which go into effect in 2017, hospitals must share patient data electronically, such as via email. Intermountain has a secure, encrypted patient portal to meet this requirement. "However, if a patient requests delivery to their personal email, we worry about the risk of their choice ... and our liability if the patient account is phished," West said.
Connected medical device risks creep in
And then there are medical devices and wearables, which boost the risk of security breaches in healthcare. Many industry IT executives are still in the beginning stages of grappling with how they'll approach securing their enterprise as more connected medical devices begin feeding clinical data into EHRs and other clinical systems.
Intermountain Healthcare is making what West described as "a significant effort" to integrate and secure medical devices that are brought onto the network.
"We have created an inventory of medical devices, established risk based on data capabilities and are beginning to deploy common controls based on risk and features available," he said.
Certain medical devices -- such as pacemakers, insulin pumps, MRI and CT scanners and bedside patient monitoring systems -- are deeply integrated into clinical workflows, delivering data to clinical systems like EHRs, said Lynne Dunbrack, research vice president at IDC Health Insights in Framingham, Mass. The worry, she said comes from the possibility of malware being introduced via a compromised medical device to the network.
"There is a concern that these medical devices, which typically are not all that well secured, become a back door for hackers to get into these devices and start infiltrating the network," Dunbrack said.
Developing a sound medical device security strategy is a nascent phenomenon at healthcare facilities. According to IDC Health Insights' 2014 Cross Industry Cyber Threat Survey, which polled 94 health IT executives, only 9.6% reported that medical device security is integrated into the enterprise security infrastructure. One in 10 respondents said they haven't begun to assess the potential security threats to networked medical devices.
Back at UC Irvine Health, the number of endpoints is expanding as medical devices are being integrated onto networks and data from medical equipment is sent to EHRs.
"We manage those medical devices through our network, which has the necessary security software to manage the data in transit and at rest," Bharadwaj said.
The thought that another class of devices -- wearables -- will one day permeate healthcare networks and connect to EHRs and other clinical systems means there will be more security challenges, but UC Irvine Health's IT team hasn't begun to take on that challenge.
"We have seen the proliferation of Fitbits and other wearables, but we do not yet integrate that information into our medical records," Bharadwaj said.
Looking ahead, he predicted that wearables will become the standard in providing patient data and will ultimately present new security challenges for hospitals and wearable device manufacturers.
"The increasing use of wearables to collect patient data creates a different level of complexity in managing endpoint security, especially if the device manufacturers don't adhere to the standards that are adopted across the industry to help healthcare entities bring that data into the healthcare environment," Bharadwaj said.
Federal HIPAA audits are coming in 2016
Readers vote: Check out these endpoint security choices
Video: CIOs will double down on security