Ask the expert: HIPAA breaches and the tech most likely to cause them

It's safe to say HIPAA breaches should be avoided at all costs. One CISO discusses the technology most likely to cause a breach and what to do to ensure compliance.

In this Ask the Expert, David Reis, vice president of information services and CISO at Lahey Hospital & Medical Center in Burlington, Mass., discusses the top technologies most vulnerable to HIPAA breaches and how healthcare organizations can ensure breaches don't happen.

What would you say are the top three technologies that are the most at risk for violating HIPAA? And if it's imperative that a healthcare organization use them, what can they do to make sure that they don't violate HIPAA and cause a breach?

David Reis: So, in no particular order, I think portable medical devices, portable storage devices and, recently, remote access to systems without multifactor authentication are the items most at risk for causing HIPAA breaches. Medical devices are getting smaller and smaller and being used more and more, and they store more and more patient data, and the theft of them is a really big deal. There's a lot of government policy action going on around that within the FDA [U.S. Food and Drug Administration] and around CMS. We already covered portable storage devices and their need for encryption. Last [are] breaches from compromise of usernames and passwords, generally through phishing, which then allow hackers to log in through remote access to email and EHR systems accessible directly over the Internet. Using multifactor authentication goes a very long way to address this emerging threat.

Can you give me some examples of the medical devices you are referring to?

Reis: Sure, think about a portable X-ray machine, think about a portable ultrasound machine, think about a machine that does hearing tests. Those would be some examples of what I'm talking about.

Can you tell me more about the remote access concern?

Reis: Yes, think about remote access to email. We know that phishing attacks have become more sophisticated, and I think, because in healthcare we all try to be very helpful, it's easy to respond to those phishing attacks that lead to access ... from the Internet to email, and, in certain conditions, provider inboxes can have a lot of emails, some with patient data. Multifactor authentication helps provide enhanced security to systems remotely accessed, such as email or EHRs, because it requires not only a username and password, but also a six- to eight-digit PIN that changes every 30 [to] 60 seconds. So falling victim to a phishing attack and then not having multifactor authentication makes it very easy for a hacker to gain access to systems that store patient data.

What about mobile devices?

Reis: Mobile devices are interesting because of how they can be used to access email, and they might have access to applications too. I think for the most part, from what I've seen, many organizations have mobile device management that requires some form of password to access the device and erases the device if a password is entered incorrectly after a few attempts. So I think mobile device management of smart devices, from a security perspective, has taken root and is one of the general areas of strength for HIPAA covered entities. However, it will require continual vigilance to make sure it does not fall behind.

Let us know what you think about the story and any tips to prevent HIPAA breaches; email Kristen Lee, news writer, or find her on Twitter @Kristen_Lee_34.
