Health IT and Electronic Health Activate your FREE membership today |  Log-in

Community Blog

December 16, 2015  1:44 PM

Protecting health IT data at rest

Posted by: adelvecchio
data encryption, Encryption, health data security, PHI

Dr  Mathews (2)Guest post by Dr. Michael G. Mathews, president, COO, & co-founder, CynergisTek, Inc.

In prior segments of this series, I touched on the fundamentals of encryption using symmetric (shared secret), asymmetric (public-key), and combinations of the two to get a hybrid approach to keeping data confidential. I also explained the concepts of data integrity (knowing a message has not been changed) and non-repudiation (verifying the sender is authentic), as well as ways to secure data in motion. In this final segment on encryption within the healthcare setting, I turn my focus to protecting health IT data at rest.

With as many breaches as there have been in recent years, it’s not uncommon for there to be an immediate cry to “encrypt everything” without knowing exactly what that means. As mentioned in my previous segment, the first step to knowing the right solution is understanding the location and type of data in question; email is different from data living in structured databases, and those types of data are different from standalone files containing sensitive data. Likewise, the steps used to protect a mobile device (smartphone, tablet, laptop, etc.) that roams onto various networks differ from those taken for a workstation that lives on the internal managed local area network behind the perimeter firewall.

In general, given the maturity and availability of full disk encryption options, it should be considered a best practice to deploy full disk encryption for any workstations or mobile devices that have a reasonable expectation of being exposed to sensitive data. This protects those devices against any sensitive files that get saved there, any cache or temporary files from connections that handle sensitive data, as well as covering locally-stored emails that might have personally identifiable information (PII) or protected health information (PHI) in them. In addition, this addresses the safe harbor requirement that pertains to unauthorized disclosure in the event of the theft or loss of a mobile device.

Database servers with PHI/PII in them present a significant challenge to health IT. It’s easy for people to say “encrypt it all,” but it’s not practical to do so because of performance, key management and access control issues. In many cases, encrypting certain data — usually those data elements that tie the data to an individual — within a relational database construct ensures the data is protected and still accessible to those that need it, without resulting in a significant hit to performance. In response to industry feedback and meaningful use requirements, electronic health record manufacturers have added roadmaps toward ensuring data integrity within the databases by using cryptography.

A major hurdle to protecting sensitive health IT data at rest is ensuring it stays where it should and is used as it should be. While data loss prevention tools are not encryption tools, they can be used to trigger encryption and are now generally available to help ensure data at rest is used appropriately and is encrypted when put in motion. Using a combination of pattern matching and metadata cataloging, these tools inspect data as it goes from at rest to in motion and evaluates whether that specific activity should be allowed and whether the data should be encrypted prior to going in motion. This can include simple moves of data to a local machine’s storage system all the way to emails being sent with data that might be sensitive.

Encryption is one of many tools available to information security professionals to protect data both in motion and at rest. More often than not, though, “the right answer” is a combination of many of those tools, not just encryption. Finding the right combination of tools to help ensure the security of health IT data requires a strong vision of the overall information security program and a commitment by the organization to find a skilled and visionary chief information security officer.

December 15, 2015  4:15 PM

The 10 worst data breaches of 2015

Posted by: adelvecchio
Data breach, data breach security, health data breach, healthcare data, healthcare data breach

RickKamGuest post by Rick Kam, CIPP/US, president and co-founder, ID Experts

There’s no sugarcoating the fact that 2015 was a dizzying year for data breaches, and disastrous for many organizations and consumers. In the first half of the year alone, Gemalto NV found that 888 disclosed security incidents compromised nearly 246 million records worldwide.

There were certainly trends in data breaches this year, including the rising sophistication of hackers, the ever-increasing threat of massive state-sponsored attacks, and the continuing prevalence of large breaches in the healthcare industry. In fact, the average healthcare breach through mid-2015 was 200% larger than in the first half of 2014.

With those trends in mind, let’s take a look back at the 10 biggest and baddest breaches of 2015 — and then see what consumers and security professionals can do to make 2016 a safer and more secure year.

The five biggest breaches of 2015
The following incidents were the five biggest breaches of the year in the U.S., based on number of records compromised.

1. Anthem, 80 million
Health insurer Anthem Inc. revealed in February 2015 that hackers, likely from China, had accessed a database that included encrypted and unencrypted data on patients and employees. According to the Huffington Post, it was the fifth-largest breach of all time.

2. Ashley Madison, 37 million
A hacking group known as Impact Team stole private information on 37 million people who use the Ashley Madison website, which encourages users to cheat on their partners. The hackers are threatening to reveal customers’ personal data unless the website shuts down, which it has yet to do.

3. U.S. Office of Personnel Management, 21.5 million
The U.S. Office of Personnel Management suffered two unrelated breaches in 2015. The larger one affected more than 21 million current and past federal workers. Again, the breaches of the government agency are believed to have originated in China.

4. Experian, 15 million
Experian Information Solutions, Inc., the world’s largest consumer credit monitoring firm, suffered its second massive breach in 2015. The breach exposed the sensitive personal data of about 15 million T-Mobile customers who underwent credit checks by Experian. An earlier attack on an Experian subsidiary exposed the Social Security numbers of 200 million U.S. citizens.

5. Premera Blue Cross, 11 million
The records exposed in Premera’s breach may have been more sensitive than those leaked in the far larger Anthem breach, including Social Security numbers and financial information of subscribers and people who do business with the company.

The five baddest breaches of 2015
Now let’s take a look at the five baddest breaches of the year — an admittedly subjective category that highlights breaches that are especially damaging or disturbing because of factors such as who they targeted, how they were carried out, and their lasting ramifications.

1. LastPass, 7 million
Consumers should be rewarded for taking smart steps to protect their online security. That’s the troubling aspect of this breach of a leading password management company, which has further undermined consumer confidence and could lead to unsafe practices. It’s a big problem if consumers stop believing in their ability to achieve digital security and fail to take even basic precautions.

2. Planned Parenthood, 333
While “only” 333 employees were affected by the Planned Parenthood attack, the troubling aspect of this breach is that it was done not to achieve financial gain but to pursue ideological agendas and blackmail affected individuals.

3. Securus Technologies, thousands
Prison phone company Securus Technologies, Inc. had 70 million call records hacked, involving thousands of prisoners across 37 states. The ugliest part? Many of those recorded calls appear to have violated prisoners’ constitutional rights because they involved confidential conversations between prisoners and their attorneys.

4. IRS, 333,000
Hackers accessed extremely sensitive information through past tax returns, including Social Security data and financial details. The total cost to taxpayers in fraudulent claims was about $50 million before the IRS noticed the breach.

5. Harvard University, eight schools and offices
Harvard University joined a long list of other universities to suffer a data breach in 2015. Education is being hit hard, accounting for 6% of all data breaches — slightly more than the retail industry — in the first half of the year. Budgets are tight in the education sector, but breaches at the most esteemed U.S. universities are a reminder that security must be prioritized to protect students and employees.

What can we learn from the big and the bad?
Want even more bad news? These lists include only U.S. breaches. Two of the largest breaches of 2015 — 50 million records breached at a Turkish agency and 20 million at Russian dating site Topface — occurred outside the U.S.

Here are a few takeaways that all organizations — big and small — can put into practice now and in 2016:

  • Beware of all sources of attacks. The largest two breaches were state-sponsored attacks, but Gemalto found that type of attack accounted for just 2% of all the data breach incidents in the first half of 2015. The biggest culprit over those six months? Malicious outsiders, which accounted for 62% of total breaches and nearly half of all records taken.
  • Brace yourself, especially in healthcare and government. According to Gemalto, the healthcare and government sectors accounted for about two-thirds of all compromised data records in the first half of the year.
  • Encrypt. The data stolen from LastPass was heavily encrypted, a protection which may limit the damage done. At the very least, organizations should follow LastPass’ example and encrypt sensitive data.
  • Learn from mistakes. One breach is bad enough. If an organization suffers a second large attack, as did Experian, the damage to its reputation will grow exponentially.
  • Heed the warnings. According to the Seattle Times, Premera Blue Cross was warned three weeks before its data breach began that it lacked sufficient network security procedures. Ironically, the warning was issued following an audit by the U.S. Office of Personnel Management — which suffered an even larger breach. Premera argued that the vulnerabilities found in the audit may not have been exposed by the hackers. But the point remains: Take any warning seriously, and act as quickly as possible to upgrade your security measures.

December 8, 2015  11:51 AM

The human risk factor of a healthcare data breach

Posted by: adelvecchio
cybersecurity, Data breach, data breach security, healthcare data

RickKamGuest post by Rick Kam, CIPP/US, president and co-founder, ID Experts

In a recent report from the Ponemon Institute, 70% of the surveyed healthcare organizations and business associates identified employee negligence as a top threat to information security. An article published earlier this year in the Federal Times noted “Every survey of IT professionals and assessment of cybersecurity posture shows at least 50 % of breaches and leaks are directly attributable to user error or failure to practice proper cyber hygiene.”

Now, to anyone who’s been paying attention for the last decade or so, it will come as no surprise that people make mistakes that cause data breaches. To err is human, and that is not going to change. What has changed is the scope of damage resulting from those errors.

A decade ago, a lost laptop or improperly discarded paper records might expose hundreds or even thousands of people to a potential data breach. Today, with massive digitization of medical information, mobile data usage, and widespread system integration, everyday human errors can cause breaches that expose millions of people to potential harm. To cite one example, InfoWorld and CSO reported that the Anthem data breach, which involved 80 million records, was probably caused when thieves infiltrated Anthem’s system using a database administrator password captured through a phishing scheme.

Attack vectors point from people to technology
A recent blog by Napier University professor William Buchanan aptly lists the top three threats in computer security as “people, people, and people.” Buchanan’s post mentions leaving devices unattended, sharing passwords, or accidentally emailing information to the wrong people as typical security errors. Many of the breaches from cyberattacks are also traced back to users unwittingly giving outsiders access to networks.

Whether thieves get users to share personal information via phishing schemes, enter their credentials on a spoofed website, or download apps with embedded malware, tricking people is the easiest route to cybertheft. Yes, hackers can exploit system vulnerabilities once they’re inside a network, but user mistakes give them the foothold. Kevin Mitnick — a notorious hacker in the 1980s and early 1990s — famously told the BBC, “What I found to be true was that it’s easier to manipulate people rather than technology. Most of the time, organizations overlook that human element.”

Plugging the people gap
Healthcare organizations face challenges in plugging the human security gap. The biggest risk is a lack of awareness on the part of users. Even if an organization has good security processes and training, and employees faithfully follow security procedures at work, they are typically unaware that actions in their private lives can put their employer at risk. The chance comment on Facebook, using the same password on personal and work accounts, or a secretly malicious app downloaded to a personal device that is also used at work can vault criminals right past an organization’s network security. If employees are bringing their own devices to work, their failure to do an operating system update with important security patches can put employers’ networks at risk.

The second biggest challenge is visibility: employers don’t know and can’t control what websites their employees, customers, and business partners visit, what links they click on in popup windows, and or who they chat with online.

Assume that every user is exposed to multiple risks every day. According to a new report from Palo Alto Networks, more than 40% of all email attachments and nearly 50% of portable executables examined by Palo Alto’s WildFire software were found to be malicious. The report also found that the average time to “weaponize” world events — to create phishing or other schemes to capture passwords or deliver malware — is six hours. Just think, within a few hours of an earthquake in Chile or a tsunami in Japan, your well-meaning employees trying to donate to a relief fund can be spoofed into providing information that leads to a data breach.

Improving your odds
Humans can’t be error-proofed any more than technology, but there are things that can be done to help a workforce, customers, and partners keep an organization and their information secure. A recent blog by Jeff Peters of SurfWatch Labs recommended fighting social engineering with user awareness programs and using technology to limit exposure. Email coming into networks can be scanned for malicious attachments and links. Periodic security training is great, but ongoing education is also needed: How about a short, fun weekly or monthly newsletter with news of scams and tips on how to avoid them? Or a bulletin board where users can post suspected scams and get recognition for warning others?

Despite the best efforts at promoting security, people will make mistakes. Among other things, scammers will capture or even guess passwords. Vast numbers of people still use birthdates, pets or children’s names, or other personal information for passwords. A new study covered in the Financial Times found that some nuclear plants are still using factory-set passwords such as “1234” for some equipment. For this reason, some security experts are beginning to advocate doing away with passwords altogether for critical systems and moving to multi-factor authentication. TechTarget reported that at the International Association of Privacy Professionals Privacy. Security. Risk. 2015 conference, keynote speaker Brian Krebs advocated stronger authentication schemes, saying “From my perspective, an overreliance on static identifiers to authenticate people is probably the single biggest threat to consumer privacy and security.”

In the Federal Times article mentioned previously, Jeremy Grant, a senior executive at the National Institute of Standards and Technology, advocated doing away with passwords. He uses two-factor authentication on his phone — biometric identification (a thumbprint) and derived credentials from a common access card or personal identity verification card on his phone — so that there is nothing to remember and nothing that can be stolen.

No foolproof solutions
Speaking at the Privacy, Security. Risk. 2015 conference, retired RSA chairman Art Coviello said with cloud computing and other new technologies, “The attack surface has expanded so dramatically that it’s becoming unfathomable…The United States is living in the biggest and most vulnerable digital glass house on the planet.” With medical data scattered from the cloud to multiple points of care and to the personal devices of millions of healthcare workers, security failures are going to happen. You may not be able to fool all of the people all of the time, as Abraham Lincoln said, but cybercriminals can fool enough of the people enough of the time to eventually overcome virtually any defense. Unless you envision a perfectly consistent robotic healthcare workforce (oh, wait, robots could be hacked), you can’t count on your staff, users, or your business associates to be 100% secure, 100% of the time.

Ultimately, the best you can do is educate people, consistently and comprehensively monitor for security incidents — based on thorough and up-to-date risk analysis — and have plans and teams ready to respond when human error leads to human and business peril.

November 5, 2015  2:17 PM

What’s stopping the wearables revolution?

Posted by: adelvecchio
Internet of Things, mHealth, mHealth devices, wearable devices, wearables

zach-watson 50Guest post by Zach Watson, marketing operations analyst, TechnologyAdvice

Despite obscene amounts of hype, wearable technology has yet to truly turn mainstream. A Nielsen Company report from 2014 found that only about 15% of consumers use wearable technology, though roughly 70% were aware of the electronics.

So what’s the problem? If wearables are truly a revolutionary force for health and wellness change, why are so few people buying in?

It’s safe to rule out innovation. Though the term “wearables” is often thought to refer to fitness trackers, the industry has already moved on to much more sophisticated technology.

For example, Google is currently developing contact lenses that can measure the wearer’s glucose level through the fluid in their eyes. And InteraXon, Inc. developed its Muse headband, which uses EEG technology to measure brain activity during meditation so users can calculate the effectiveness of their session and improve their concentration.

Both of these devices could be described as wearables, but they measure things more sophisticated than heart rate or number of daily steps.

This type of progress rightly inspires awe and excitement, but it’s the practical application of that progress which is hindering wider adoption (and more meaningful results) from wearables.

Minimal impact on populations with chronic conditions

“In the aggregate data being gathered by millions of personal tracking devices are patterns that may reveal what in the diet, exercise regime, and environment contribute to disease,” wrote the Washington Post.

And that’s true: the promise of wearable technology to pinpoint causes of illness is immense, both for personal and public health. Consider that a whopping 45% of U.S. adults report living with at least one chronic condition — maladies which require ongoing monitoring to manage — and the potential of wearable technology crystallizes even further.

However, the majority of wearable users don’t have chronic diseases. Nearly half of all wearable owners fall into the 18-to-34 years-old demographic. In contrast, having a chronic disease is statistically correlated with advanced age and lower education, as well as less access to the internet.

So not only does the population which needs wearables the most not have them, but these patients also have less ability to operate the devices via the internet should they ever acquire the hardware.

Now, getting wearables into the hands of the chronically ill isn’t the job of device manufacturers iper se; policy makers and healthcare providers have a large opportunity to contribute to the dissemination and use of wearables as well.

To be fair, some wearables such as remote monitors are standard fare for the chronically ill, but much more could be done. And until the wearables industry begins focusing on solving these types of problems, the heaviest users will remain quantified self fanatics.

Sustained adoption and actual utility

For the moment, the question of how to use wearables for the greater good remains an academic one. A far more pressing problem — at least in the eyes of manufacturers — will be the user drop off rate.

A study by Endeavour Partners LLC found that after three to six months roughly 30% of wearable owners stop using their device. The percentage of drop offs keeps rising in direct proportion to the period of time after purchase.

This study shows that a significant portion of consumers don’t find much payoff from using wearable devices.

This raises real questions about the current utility of these devices in comparison to the hype in which they’re basking. Healthcare providers and scientists are still debating over how much of the data provided to them — through wearable devices or otherwise — is truly useful.

The same conundrum arises from patient access to patient portal software, where users can upload data at any time. For example, the number of steps a user takes per day isn’t groundbreaking material for a physician, and it looks like it may not be groundbreaking for many users either.

Developing products that become irreplaceable in the lives of each user must be the ultimate goal for each device manufacturer. Integrating devices into an existing ecosystem, like the ever-growing Internet of Things, is a good start.

That’s what Remo, a wearable that allows users to manipulate different systems in their home, does. Using gestures, a user can manipulate a range of appliances, from the television to lights and alarm clocks. If this was coupled with health tracking, it could be of huge value to consumers who have trouble moving throughout their homes.

As it stands, wearables are garnering some attention from the general population, but most people aren’t biting. That’s because the fundamental value of tracking your steps and heart rate isn’t compelling enough to pull in the casual consumer.

Now, if these devices offer more complex functions that monitor things such as stress and anxiety, then consumers are likely to take more notice. The market for wearables will continue to increase even if that doesn’t happen in the near future, but the sustained utility of advanced heart rate monitors will only appeal to select groups.

Author Bio
Zach Watson is marketing operations analyst at TechnologyAdvice. He covers marketing automation, healthcare IT, business intelligence, HR, and other emerging technology. Connect with him on LinkedIn.

October 27, 2015  11:42 AM

Danger in the cloud

Posted by: adelvecchio
Cloud, cloud security, cybersecurity, healthcare data

DougPollack headshotGuest post by Doug Pollack, CIPP/US, chief strategy officer, ID Experts

Chances are that your healthcare organization has already chosen to use cloud computing as part of its IT infrastructure, and with good reason: Cloud computing is a cost-effective way to grow IT capacity, and software services available through the cloud can make a workforce more productive. And your IT team has worked with your service providers to protect data in the cloud. All good, right? But here’s the rub: A new study from cloud security vendor Skyhigh Networks shows the average healthcare organization is using more than 10 times more cloud services than the IT organization knows about. Think about that, more than nine out of 10 services used in the course of business are unmonitored and unsecured. That amounts to one huge security hole, and cybercriminals are jumping in to exploit this new threat to healthcare information.

Foggy about the cloud
In a recent report from the Ponemon Institute, the Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, survey respondents identified cloud usage as a primary security concern for the healthcare industry. A third of respondents rated public cloud service use as a top security threat to their organizations. Employee negligence was listed as the top threat, at 70%, and cyberattacks came in second at 40%.

In fact, the cloud security threat is likely bigger than most organizations realize. According to MedCity News, the Skyhigh study found that the average healthcare organization uses 928 different cloud services, 60 that are known to IT and 868 –about 93% — are “shadow services” that are not known or tracked by the IT, infosec, privacy, or compliance functions. While the volume of untracked cloud computing is troubling, it is not surprising. Statistics from the study reveal how much of today’s everyday communication and collaboration happens online:

  • On average, an employee uses 28 distinct cloud services, including seven collaboration services, four content-sharing services, three social media services and four file-sharing services.
  • The average organization shares documents with 826 external domains, including business partners and email providers such as Gmail.
  • Almost 28% of users have uploaded sensitive data to a file-sharing service.
  • The average organization is connected to 1,586 business partners via the cloud. A significant number of these may also be partners of partners, and hence unknown and unaccounted for. It’s best to assume that every employee of every partner is also using multiple cloud services.

The bottom line is that you can’t protect data you can’t see, and you can’t see a lot of what’s in the cloud.

Crime lurks in the cloud
It’s interesting that the Ponemon study respondents listed cloud computing behind employee negligence and cyberattacks on its list of security worries. The truth is that the three work hand-in-hand to put organizations at risk.

Virtually every security study this year has shown that cyberattacks are now the top cause of data breaches, and most are multi-stage attacks that begin with social engineering, proceed to gain network access with stolen passwords or malware, then exfiltrate sensitive information. As Dan Munro recently pointed out in Forbes, “The latest techniques for cyber theft at scale are less about breaching networks from the outside — and all about social engineering to capture privileged access from the inside. Consumer cloud services like LinkedIn, Snapchat, Zappos, Evernote… have all had significant data breaches.”

Cloud services expose employees to all kinds of social engineering. The Skyhigh report found each cloud user is tracked by an average of four analytics and advertising services, and cybercriminals are increasingly using these services to deliver “malvertising” that can lead users to spoofed sites and capture their passwords. Tracking also enables “watering hole” attacks where criminals impersonate users at a favorite site and trick other users into revealing information.

Employees may also download apps containing malware to their workstations or personal devices, giving criminals a foothold from which to attack. Even social media passwords can give criminals enough access to steal information. Skyhigh found an attack that used Twitter to exfiltrate data 140 characters at a time. While employees may not be outright negligent in these situations, most are certainly unaware their social media usage may be putting their employer’s data at risk.

Once criminals gain access to information in the cloud, stealing data is relatively easy. The Skyhigh report revealed that only 15% of cloud services supported multi-factor authentication and only around 9% encrypted data stored at rest. More than 57% of the sensitive data in the cloud is in Microsoft Office files. When breaches involving cloud data happen, not only do organizations face the normal risks, they also face potential regulatory penalties of having unsecured data. A CipherCloud data security report found that 64% of cloud security challenges stem from the areas of audit, compliance, and privacy regulations.

Safety tips for the cloud
Ironically, one of the motivations for adopting cloud computing has been to improve security. Lost devices have historically been a major cause of data breaches, and real-time access to data in the cloud eliminates the need to store large data sets on individual devices. Unfortunately, the threat balance has shifted toward cyberattacks. Cloud services provide an easy entrée for cybercriminals, and the genie is out of the bottle: Cloud services are not going away anytime soon. But there are steps an organization can take to help protect against cloud-based attacks. In Health Data Management, cloud security vendor Porticor Ltd. offered some tips for improving cloud security on the IT and compliance side:

  • Consider extending identity and access management solutions to the cloud.
  • Obtain business associate agreements from all vendors, including cloud vendors and service providers, and make sure the agreement clearly defines the associate’s compliance responsibilities.
  • Have the IT department occasionally perform penetration tests and request audits and certifications from cloud vendors. The Cloud Security Alliance offers multiple levels of security certifications for cloud-based vendors, and some of their certification levels include independent audits.

All of these steps will help improve security, but most of what happens in the cloud is in shadow services that employees and partners use and can’t be controlled or monitored. These risks can be lowered by granting users access to the minimum amount of information necessary to perform a given task. Staff and business partners should also be taught good security practices. But the siren call of the Web is strong, and since what people do in the cloud can’t be controlled, cloud-based risks have to be planned for in the same way as any other security incident or breach.

Regardless of where the data lives, if thorough data inventories and risk analyses have been done, an organization will know what protected health and personal information it holds and the risks of it being compromised. If a solid incident response plan is in place, an organization should be prepared for a cloud-based attack.

In the end, both risk and protection depend on people.

October 15, 2015  1:55 PM

Medical identity theft: Why healthcare data can be breached

Posted by: adelvecchio
Data breach, data breach security, Data security, health data security

RickKamGuest post by Rick Kam, CIPP/US, president and co-founder, ID Experts

Passengers on the London Underground are told to “mind the gap,” a warning to watch for the space between the train door and station platform. Healthcare organizations need to mind their own privacy and security gaps when it comes to protecting sensitive medical information.

According to the latest Gemalto NV Breach Level Index, the healthcare sector had the most data breaches in the first half of 2015, accounting for 21% of total incidents across all industries. Healthcare also had the largest number of records breached, at 84.4 million records, or 34%. The nature of these gaps has changed over the years — for instance, criminal attacks are now the leading cause of data breaches in healthcare, according to Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data. Data breaches, particularly those caused by a criminal element, have caused medical identity theft to nearly double in five years.

The link between data Breaches and medical identity theft
According to the Wall Street Journal, medical identity theft is on the rise because of the surge in electronic health records and healthcare data breaches. But it’s more than the digitization of health records. Medical data is everywhere, due to a plethora of devices, from tablet computers to medical implants and even Fitbits and Apple watches that are recording health data and transmitting it over the Internet.

As noted in Forbes, healthcare data breaches are also on the rise because financial services and retail sectors have developed better strategies for protecting their data. This includes the use of EMV cards that use a chip instead of a magnetic stripe. As a result, many hackers are turning to the more vulnerable healthcare industry.

In addition, medical information is simply more profitable on the black market. The Dark Web offers cybercriminals multiple global marketplaces in which to sell stolen personal information, including healthcare records. According to the FBI, healthcare records can fetch as much as $60 to $70, as opposed to about $5 for credit cards.

This is all converging to create a perfect storm for getting this data. It’s more available, it’s worth more, and healthcare organizations aren’t as good at protecting the data because they haven’t had to be.

As Shantanu Agrawal, M.D. director of the Center for Program Integrity at the Centers for Medicare and Medicaid Services, told the Wall Street Journal, “Data breaches are increasing and becoming more common.”

Smart, strategic data protection
To protect patients against the harms of medical identity theft, the healthcare sector must step up its data protection measures. While there is no such thing as zero risk in today’s connected, digitized world, health plans, hospitals and other entities that hold medical information can mount a strategic defense against cybercriminals.

For instance, in an interview earlier this year, Dwayne Melancon, chief technology officer of Tripwire, recommended following the example of financial institutions that classify and segregate their data. “You…have to have good segregation of data,” he said, “where you make sure that only a select group of people can access sensitive data, that there are lots of controls around it.”

Melancon also cautioned healthcare organizations to spend their security dollars wisely. “A dollar spent on security doesn’t mean it’s worth spending,” he said. He added that security spending should be part of a risk framework, and not done to “just add window dressing.”

In other words, healthcare organizations must mind the gap.

October 8, 2015  12:42 PM

Security of healthcare data in motion

Posted by: adelvecchio
cybersecurity, data encryption, data in motion, data privacy and security, healthcare data

Dr  Mathews (2)Guest post by Dr. Michael G. Mathews, president, COO, & co-founder, CynergisTek, Inc.

In previous articles, I covered the fundamentals of encryption using symmetric (shared secret), asymmetric (public-key), and mixing the two to create a hybrid approach to keeping data confidential. I also covered the concepts of data integrity (knowing a message has not been changed) and non-repudiation (verifying the sender is authentic). This installment focuses on the security of healthcare data in motion. The final segment in this series will focus on the security of healthcare data at rest.

At the risk of sounding like a broken record (as it seems all things security start with this), it is critical to understand the application data flow for the data being protected. Knowing the type of data being moved and where it originates and is destined, as well as if there are intermediate stops/routings along the way, helps inform what type of protection makes the best sense for the data. For example, an application that is moving data from point A to point B within the internal network might simply be an exercise in proper network architecture design to segment the traffic as best as possible from those who don’t need access to it. Since network segmentation as a mitigating control falls outside the realm of encryption, I’ll reserve that topic for a future article.

Any data leaving the internal network and going beyond the perimeter firewall certainly deserves a critical eye from a data confidentiality perspective to include non-traditional health IT applications such as Voice over Internet Protocol (VoIP). In the case of VoIP, depending on how calls are routed, the data portion of the call might live on the internal network or it might leave the internal network to a hosted private branch exchange. In the latter case, any conversations that include protected health information would be exposed to the Internet –potentially creating an unauthorized disclosure — without mitigating controls in place. In general, where it’s possible to enable data confidentiality, there’s rarely a reason not to do so.

One of the prominent options available for protecting the confidentiality of healthcare data is transport layer security or TLS — which, together with its predecessor secure sockets layer (SSL), are often collectively referred to as SSL. TLS takes a hybrid cryptography approach in that it uses asymmetric (public-key) cryptography to establish a secure initial communication channel in which it then negotiates a session key (symmetric) for further communications.

The benefit of using SSL/TLS is that, for discussion’s sake, it works at the application layer. This means that by the time the traffic hits the network, it’s encrypted. One detriment is that unless the application in question is written to support SSL/TLS, it’s not something that can be added after the fact, though there are workarounds that use SSL tunneling to make non-SSL/TLS-aware applications work with SSL/TLS. In recent years SSL/TLS have started to become more ubiquitous in applications, making accessibility to this route of protecting data much more favorable. Though it hasn’t been without its setbacks, with Heartbleed being the most widespread and serious.

The other widespread route is IP security or IPsec. In contrast to SSL/TLS, IPsec works at the network layer and, as such, it can be used to secure the confidentiality of any application, including those that don’t have security or privacy as integral features. Readers will most likely associate IPsec with site-to-site virtual private network (VPN) connections and even some implementations of end user VPN connectivity. IPsec depends on what are called security associations to establish the rules of the connection and the rules must match on each side of the connection to be successfully negotiated. Like SSL/TLS, IPsec also uses a hybrid approach to cryptography with initial key exchange either using a shared secret or a protocol-based key exchange to generate session keys for the communication to be protected.

September 23, 2015  1:07 PM

Patient safety and cloud-based MDM: A healthcare innovation

Posted by: adelvecchio
master data management, master patient index, MPI

Michael Morton - 5x7 @300dpi headshotGuest post by Michael Morton, CTO at Dell Boomi

Several healthcare issues are competing for attention, including the furor over how it is paid for; the increasing concern over patient privacy; fears related to the spread of specific diseases such as Ebola, MERS, and H7N9 bird flu; and the rise of antibiotic-resistant superbugs. With all this to consider, it’s easy to overlook a growing challenge that may be putting patients at risk every time they register at a new healthcare facility.

When a physician sends a patient to a specialist for treatment, the patient generally takes it for granted that they’ll receive the right tests and treatments for their ailment. After all, anything else could be catastrophic. But what if that patient has the same first name, last name and birthdate as several other members in their healthcare organization? Not likely, you say? In 2011, the Harris County Texas Hospital District database listed the medical records of nearly 2,500 people named Maria Garcia, 231 of them had the same birth date. In total, 69,807 people in that district shared a first and last name and date of birth. This can cause not only confusion; it’s an opportunity for improper care and treatment.

Many healthcare organizations rely on a combination of a healthcare-specific master patient index (MPI) and master data management (MDM) systems to cleanse their records and eliminate duplicates and errors. An MPI is a unique identifier, such as a medical record number, assigned to each patient. MDM technology, typically implemented as a software program and a set of processes (data stewardship), is commonly employed at healthcare organizations to maintain a single “golden” record across their various software systems, such as customer relationship management, enterprise resource management and human resources. Until recently, MDM was a limited, on-premises solution that lived behind the corporate — or healthcare organization –firewall. Such systems struggle in hybrid IT environments and including cloud-based data requires a complex, expensive and time-consuming development effort.

But as patient care increasingly takes place across multiple healthcare organizations without a single, standardized MPI system — and as the amount of data that each organization accumulates continues to skyrocket — reliance on disparate MPIs and on-premises MDM to manage the records simply isn’t sustainable. As it stands, according to a report published by the Bipartisan Policy Center, the patient matching error rate stands at 8% and can range up to 20%. And according to the Health IT Buzz Blog, published by the Office of the National Coordinator for Health Information Technology, an office of the U.S. Department of Health and Human Services, “One of the largest unresolved issues in the safe and secure electronic exchange of health information is the need for a nationwide patient data matching strategy ensuring the accurate, timely, and efficient matching of patients with their healthcare data across different systems and settings of care.”

Enter cloud-based MDM, which enables master data management to take place beyond the firewall, connecting any combination of on-premises and cloud-based data sources, including third party suppliers such as Hoover’s Inc. and Dun & Bradstreet, Inc., to establish and maintain golden records across multiple systems in near-real time. With cloud-based MDM and proper data stewardship — even in the absence of a national MPI — healthcare organizations have the potential to pull data from a vast number of sources, including other healthcare organizations and commercial vendors, to help ensure they properly identify each patient.

No one should have to suffer from a misdiagnosis or the wrong treatment simply because a healthcare organization hasn’t accurately identified the patient. Yet this problem will persist until we can break down the silos surrounding MPI, ensure a single, golden record for each patient, and share this information across the nation in real or near-real time. Cloud-based MDM is the most practical, most cost-effective and least disruptive way to accomplish this in the short term.

About the Author:
Michael Morton is the chief technology officer of Dell Boomi, where he is responsible for product innovation.

September 17, 2015  1:11 PM

Unlock the value of unstructured patient data

Posted by: adelvecchio
EHR, EHR data, Patient data, unstructured data

John Smithwick-RoundingWell headshotGuest post by John Smithwick, CEO of RoundingWell

Once upon a time, a visit to the doctor started with, “Tell me where it hurts” and ended with, “Take two of these and call me in the morning.” Getting patients diagnosed correctly and treated appropriately depends on providers gathering both quantitative data, which is typically structured, and qualitative data, which is typically unstructured. When comparing both types of data, it’s more challenging to manage and derive value from unstructured patient data.

Quantifiable, measureable data such as lab results, blood sugar levels and cholesterol are considered structured data. This type of data is objective and can be entered discretely into EHRs via predefined fields. Since the data is structured, software systems are able to understand the meaning of the data, interpret and report on it. Structured data can be put to use by clinicians at the point of care to aid their decision making.

Qualitative data — such as symptoms like pain, discomfort and fatigue — is considered unstructured data. This type of data is subjective to the patient and is often gleaned through conversations based on what the clinician asks and what the patient discloses.

If a patient encounter was like an academic exam, gathering structured data such as vitals would be the fill-in-the-blank portion of the test. Gathering unstructured patient data would be the essay portion. While it might seem like a simple exchange of niceties, these communications provide a lot of information to a clinician, such as whether a patient is experiencing depression, or that she’s experiencing shortness of breath upon standing.

Correct diagnoses and appropriate treatments are dependent on managing both structured and unstructured patient data. Managing structured and unstructured data also greatly influences the outcomes a healthcare organization is able to deliver. As the amount of reimbursements tied to outcomes increases, delivering outcomes becomes more important.
Managing structured data is usually handled well. It’s in the management of unstructured data where problems arise. There are two primary problems with unstructured data.

  • The first problem is process related. Unstructured data is not gathered consistently or systematically. A clinician only knows about symptoms if he asks the patient, which doesn’t always happen, or if the patient discloses the information, which, again, doesn’t always happen. When symptoms are overlooked or patients withhold information, clinicians can’t make the right diagnosis or give the best treatment.
  • The second problem is technical. Unstructured data is most often recorded in EHRs in free text fields or note fields. Data stored in this way is very difficult for software systems to interpret, understand and analyze.

The ballooning amount of data available is another issue. In 2012, worldwide digital healthcare data was estimated to be 500 petabytes. That’s an astounding number, and it’s only growing: the data is expected to reach 25,000 petabytes in 2020. It can be a daunting challenge for healthcare organizations to gain value from this mountain of data. And guess what? Industry consensus is that approximately 80% of all healthcare data is unstructured data.

So, what if technology could not only ensure patients were diagnosed correctly, but also automate the process? Cloud-based care management and patient engagement software are providing new ways for healthcare organizations to unlock the value of unstructured patient data. How? In essence, by creating “structured symptoms” — gathering patient-reported symptoms and discretely capturing them in a way the data can be analyzed.

These platforms systematically assess patients for symptoms and signs that patients might not get asked about by a provider and that they might not self disclose because they don’t think it’s important or they forget to mention it. Care management software then stores patient symptom info in a structured way, allowing this previously unstructured data to be analyzed and made actionable.

For example, consider the use of alerts which signal clinicians that a patient needs attention. Instead of discovering issues at a late stage, after a disease has had time to progress, clinicians are alerted early to leading indicators of a decline in a patient’s health status. In this way, delivery of care becomes less like fighting fires and more like preventing fires.

What’s the bottom line? Whether it’s gathered via care management software, EHR or patient-specific physician insights, all data should be structured and be ready for interpretation and analysis. This is especially critical in value-based models. For any risk-bearing entity, getting this complete picture is absolutely critical to give patients the right treatment at the right time, to improve outcomes and prevent adverse health events.

About John Smithwick:
John Smithwick is the CEO of RoundingWell. He co-founded RoundingWell in 2011 following four years at Nashville’s Healthways, where he led the design effort for its Web-based disease and lifestyle management product offerings. Prior to his work at Healthways, he worked in product management at Microsoft in Redmond, Wash. and in technology strategy consulting with Accenture in Boston, Mass. A graduate of the University of Richmond, he holds a master’s of business administration from the University of Pennsylvania’s Wharton School of Business.

September 10, 2015  11:49 AM

Five healthcare security strategies to adopt now

Posted by: adelvecchio
cybersecurity, Data breach, data breach security, Risk assessment

myers_lysaGuest post by Lysa Myers, security researcher, ESET

As the number of cyberattacks against healthcare organizations grows, I’m often asked whether there is any one policy or behavior that is to blame for this situation. My answer is emphatically no; security is an area of concern that many people are just starting to become aware of, much less understand and implement good security controls for. As a result, many organizations and their staff don’t have a realistic sense of what good security is and what they need to protect.

Here are five tips for organizations to more easily and effectively implement healthcare security strategies.

Security must be viewed like a puzzle

If attackers get any one piece of the puzzle, they should not be able to figure out the whole picture. For example, if user credentials are stolen through phishing or a lost or stolen device, there should be another factor of authentication in place so the attackers are stopped from logging in. If an attacker does manage to log in, there should be network segregation and limited privilege such that he cannot pivot into more sensitive areas of the company, or into sensitive databases.

There is no such thing as a “warning sign” of a breach

If there is a sign that you’ve been breached, it’s already too late — the attacker has already gotten into your system. Some people cite the presence of vulnerabilities as a sign of danger, but in truth, all systems have vulnerabilities. That would be similar to saying, “a common attribute for breaches is that the affected companies all have staff who consume oxygen.” It’s not the vulnerabilities that cause attacks, it’s the absence of good security.

To err is human

The most educated humans still make mistakes. Even security gurus can accidentally double click when they’re not supposed to. That said, those who are not educated about what secure behavior entails will certainly make more mistakes, or they may deliberately circumvent security controls. While attackers don’t need to go through humans to get into improperly secured systems, it can be the easiest way. Security education is something that should be provided early and often.

Legacy machines can cause big problems

Perhaps one of the more surprising aspects for healthcare organizations is how many machines in their offices run outdated (and very soon-to-be unsupported) Windows versions. Many hospitals have medical devices that still run Windows XP, which leaves a gaping hole from a healthcare security perspective. While this is occasionally unavoidable, it should be limited wherever possible and extra security measures should be taken with those machines until they can be updated.

Risk assessment should be ongoing

With tight security budgets, legacy systems and the need for users to have access that’s both fast and secure, it’s important for healthcare organizations to be extra vigilant about planning security controls. The best way to do this is to perform ongoing risk assessments to be updated as new assets come online, or as processes change, rather than updating them periodically. If you’ve never done a risk assessment and want to know how to begin, the National Institute of Standards and Technology published a guide for conducting risk assessments.

In future installments, I’ll expand on some of these strategies to help healthcare organizations improve their security posture.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: