Posted by: Jenny Laurello
Data breach, data breach security, Data security, identity theft
Guest post by Michael Rothschild, director of field & channel marketing, SafeNet
The daily occurrence of massive data breaches have even the most seasoned C-level executives concerned about the security of their networks. Now, given the ongoing switch to electronic health records, this concern is increasingly prevalent in the healthcare space.
The security trifecta
Hacking has graduated from a hobby to a lucrative business and, as a result, major data heists occur with shocking regularity. Healthcare hackers target the industry because of the “trifecta” of data that can be used or resold for each patient. This coveted data includes the identity of the patient, their credit card or other payment information, and the health insurance information of the patient. There have been documented cases of identity theft, credit card fraud, and even the use of stolen health insurance credentials to obtain expensive medical procedures. Of the three pieces of stolen information, the third is the most significant because it alters a patient’s health record with bad information. It can result in getting denied for a job, to affecting the patient’s credit, or getting the wrong treatment if their EHR is incorrect.
Who holds the record?
Five years ago many offices, clinics and even hospitals were still writing charts, prescriptions and notes all on paper. Go to any healthcare facility today and the change is dramatic. Electronic health records are everywhere, and they’re not limited to the confines of the healthcare facility.
An EHR may be created in the field at the time of emergency responder’s first contact with a patient. The electronic record often is transmitted wirelessly to the hospital, arriving before the patient is offloaded to the accepting hospitals. The same file follows the patient through their cycle of care and becomes part of the overall EHR dossier or patient’s global record. This file can be shared and accessed by many different parties.
The volume of digital health information is constantly growing and EHRs are becoming universally accessible both inter and intra-facility. This is wholly, or in part, due to the different parties that are responsible for the patient’s care.
There is another massive change in healthcare that can potentially lead to security vulnerabilities. Hospitals have grown into medical centers or systems that extend beyond a single building. This has led to an increase to the amount of personnel that have access to a patient’s chart. There are generally no fewer than five to seven disciplines in the healthcare system that touch a patient’s chart, even during the most basic hospital visits. This may include the physician, nursing staff, lab, imaging, pharmacy, health insurance, billing, rehab, follow up/referral and more. There are more points of vulnerability than ever for health data due to the increased number of parties who access a patient’s record, an increased use of end-point devices, larger networks sizes, and the use of cloud-based applications.
How healthy is your network?
The ongoing switch to digital requires a change in the way we think about securing our environment, whether that environment is a private office or a large healthcare system. Past methodologies were predicated on securing the perimeter, also known as the “attack vector.” But with a more heterogeneous user environment that is connected with cloud-based applications from various places and devices (some of which may be third- party or unmanaged devices), it becomes far more difficult to define and protect the network perimeter. That leaves providers seeking flexible security that can protect patient data wherever it happens to be. In the event of a breach, the data can hopefully be rendered useless to the cyber criminal. In all industries including healthcare, IT pros are moving from a mindset of breach avoidance to breach acceptance.
A prescription for healthy data
There are several key steps to take in order to move on from a breach avoidance approach and start to secure what really matters.
- Encrypt data: Data is the target for all cyber criminals. The criminals may be internal or come from outside the organization. By encrypting the data you have, even if there is a breach, the captured data is useless to anyone lacking the appropriate credentials.
- Differentiate access: Ensure authorized personnel can only access the parts of the patient chart that they need to do their job. There should be few, if any, instances where someone has access to a complete chart. Access should be granular in nature and should be locked down through a strong, multi-factor authentication system which may include passwords, tokens, biometrics or other combinations.
- Lock down that wireless: Wireless networks are necessary for fast transmission of forms, image files, audio and video from virtually everywhere in a facility’s building. Several of the access points are bound to be unprotected. A quick network scan may show that the radiology department or cafeteria has a network that is not locked down or perhaps that an unauthorized network has been set up by an employee at their workstation. A careful audit of these networks and access points should take place to ensure that only authorized personnel are on the network, and that any open networks are intended to be that way. Chinese wall separation is essential for open networks because they prevent unauthorized personnel from gaining access to information that is not intended for their use.
- Ensure endpoint compliance: Every endpoint is a potential portal to the inner sanctum of your network, whether it is a Toughbook in an ambulance, a doctor’s tablet or a wireless registration console. By employing basic security standards such as password protection, remote wiping, identity tagging, and firewall/AV compliance, you significantly reduce the chances of damage occurring from rogue or compromised devices.
- Education is power: Sometimes we overlook the basics of educating our own people on how to maintain a secure and confidential environment. It’s often the case that an insider threat — authorized healthcare personnel obtaining and compromising confidential information — is accidental. Either the insider failed to follow procedure or they were not equipped or trained to follow proper safety standards. Documented data breaches have resulted from simple mistakes such as emailing confidential information to another party, leaving a device in an unsecure location, saving data to an external drive, or failing to recognize a phishing or spear phishing attack.
No silver bullet
There is no such thing as an impenetrable environment. This is particularly true when it comes to securing an ecosystem which is primarily focused on saving lives. But through a change in mindset — from securing a vector to securing the EHRs themselves using proper authentication, encryption, access control, and education — we can start to make our data healthier.
Michael Rothschild works for the data security company SafeNet. He holds advanced marketing degrees and certifications in IT and IT security for healthcare. He has been an EMT for 28 years, ER nursing assistant for 8 years and is an instructor for the American Heart Association.