BOSTON -- With breaches in healthcare not slowing down anytime soon -- consider the recent UCLA health system data breach -- experts at the recent mHealth + Telehealth World Congress discussed security breaches, what healthcare organizations can learn from those breaches and the value of stolen protected health information (PHI).
"There's amazing concern that with mobile apps and mobile devices [and] Internet of Things that there's less of a focus on quality control and information security development," said Edward Grogan, vice president and CIO at Calvert Health System Inc., based in Prince Frederick, Md.
Kristi Kung, senior associate at law firm Pillsbury Winthrop Shaw Pittman LLP in Washington, D.C., agreed that with more mobile health apps, more mobile devices and more devices being connected to the Internet, there's a greater threat of attack. "Just because you have a secure device does not mean that privacy's always maintained. Any time you're connected to the Internet, you're always susceptible to attackers," she said.
She added that "the worst is not behind us" and that "the healthcare environment isn't as prepared."
Grogan and Kung shared ideas on how healthcare organizations can better prepare for mobile health (mHealth) security.
Learn from others -- especially those outside of healthcare
Grogan advised attendees at mHealth + Telehealth World to apply lessons from the Target and Heartland Payment Systems Inc. breaches.
In Target's breach, network credentials were stolen in an email malware attack on a third-party vendor that had a supplier portal to the retailer, Grogan said.
"Some of the lessons learned from that breach [are] to consider the weakest link and evaluate third-party vendor security," Grogan said. Other lessons to glean from the Target breach include making sure hospitals incorporate multifactor authentication, where a person must provide two or more credentials to get access to the information, and use network segmentation, where computer networks are split into separate networks.
Grogan said that had Target segmented the supplier network from the consumer network, most likely the breach would not have happened.
He added that containerization, in which virtual instances share a single host operating system, would also have helped in this case. Organizations can achieve greater security by isolating containers from each other.
In Heartland's case, the payment systems company suffered a data breach in 2008, during which attackers made off with digital information for 100 million credit and debit cards. Heartland also had another data breach in May 2015. In the case of the 2008 breach, preventive actions that could have been taken -- and that healthcare organizations should consider -- include appointing senior leadership with security as their sole focus, security data sharing, end-to-end encryption, tokenization and chip technology, Grogan said.
A question from the audience: Stolen PHI
At the end of Grogan and Kung's presentation, an attendee asked whether there was a popular use for stolen PHI, and whether it was possible to trace it back to who stole the PHI and who subsequently bought it.
"Healthcare records are so much better than a stolen Social Security number, because a healthcare record has all that information already. You've got Social Security number, you've got financial information and then you have all the medical information about that person, too," Kung said. "You're not just talking about traditional identity theft."
Not to mention that healthcare records can fetch a sizeable amount of money on the black market. While stolen credit card information usually goes for $1 to $2, Kung said, medical records can go for $20 to $50, ranging from pieces of a patient's medical documentation to an entire record.
Chances are slim of finding out who bought stolen PHI. "As for tracking it back, I think that's very difficult to do at this point," Kung said.
Grogan and Kung also fielded a question about what the uses are for knowing someone has a broken leg, for example.
To that, Grogan's only reply was that it's simply a loss of privacy on the part of the patient.