In this Ask the Expert, David Reis, vice president of information services and CISO at Lahey Hospital & Medical Center in Burlington, Mass., discusses the top technologies most vulnerable to HIPAA breaches and how healthcare organizations can ensure breaches don't happen.
What would you say are the top three technologies that are the most at risk for violating HIPAA? And if it's imperative that a healthcare organization use them, what can they do to make sure that they don't violate HIPAA and cause a breach?
David Reis: So in no particular order I think portable medical devices, portable storage devices and, recently, remote access to systems without multifactor authentication are items most at risk for causing HIPAA breaches. Medical devices are getting smaller and smaller and being used more and more, and they store more and more patient data, and the theft of them is a really big deal. There's a lot of government policy action going on around that within the FDA [U.S. Food and Drug Administration] and around CMS. We already covered portable storage devices and their need for encryption; last [are] breaches from compromise of usernames and passwords, generally through phishing, which then allow hackers to log in through remote access to email and EHR systems accessible directly over the Internet. Using multifactor authentication goes a very long way to address this emerging threat.
Can you give me some examples of the medical devices you are referring to?
Reis: Sure, think about a portable X-ray machine, think about a portable ultrasound machine, think about a machine that does hearing tests. Those would be some examples of what I'm talking about.
Can you tell me more about the remote access concern?
Reis: Yes, think about remote access to email. We know that phishing attacks have become more sophisticated, and I think, because in healthcare we all try to be very helpful, it's easy to respond to those phishing attacks that lead to access ... from the Internet to email, and, in certain conditions, provider inboxes can have a lot of emails, some with patient data. Multifactor authentication helps provide enhanced security to systems remotely accessed, such as email or EHRs, because it requires not only a username and password, but also a six- to eight-digit PIN that changes every 30 [to] 60 seconds. So falling victim to a phishing attack and then not having multifactor authentication makes it very easy for a hacker to gain access to systems that store patient data.
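The rotating PIN Reis describes is a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226). The following is an added example, not code from the interview or from Lahey, showing how a server derives and verifies such a code and why a phished username and password alone fail the check; the secret, username and password are constructed demo values (the secret is the RFC 6238 test-vector key).

```python
import hmac
import hashlib
import struct
import time

# Constructed demo secret: the RFC 6238 test-vector key, not a real credential.
# In production the shared secret is provisioned to the user's token or app
# and stored server-side, ideally in an HSM or encrypted at rest.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30      # the code rotates every 30 seconds, as described above
DIGITS = 6             # six-digit one-time PIN


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step plus or minus `window` steps of clock drift.
    compare_digest keeps the comparison constant-time so partial matches leak nothing."""
    counter = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + i), submitted)
        for i in range(-window, window + 1)
    )


def login(username: str, password: str, otp: str, unix_time: int) -> bool:
    """Hypothetical login check: knowing the password alone (e.g. from phishing) is not enough."""
    creds_ok = (username, password) == ("clinician", "Correct-Horse-Battery")  # constructed
    return creds_ok and verify_totp(DEMO_SECRET, otp, unix_time)


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(DEMO_SECRET, now))
    print("password only:", login("clinician", "Correct-Horse-Battery", "000000", now))
    print("password + code:", login("clinician", "Correct-Horse-Battery", totp(DEMO_SECRET, now), now))
```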
What about mobile devices?
Reis: Mobile devices are interesting because of how they can be used to access email, and they might have access to applications too. I think for the most part, from what I've seen, many organizations have mobile device management that requires some form of password to access the device and erases the device if a password is entered incorrectly after a few attempts. So I think mobile device management, from a security perspective, of smart devices has taken root and is one of the general areas of strength for HIPAA covered entities. However, it will require continual vigilance to make sure it does not fall behind.