More than 5,000 vascular or thoracic patients seen between 2012 and 2015 at Sentara hospitals in Virginia. That’s what Norfolk, Virginia-based Sentara Healthcare discovered in November of 2016 within one of its third-party vendors.
Information stolen was believed to be patients’ names, medical record numbers, dates of birth, Social Security numbers, procedure information, demographic information and medications.
They had been hacked. If there’s ever pain to be felt by a healthcare provider, Sentara felt it, particularly in an age of regulated compliance for sensitive patient data.
Such incidents stand as a looming security problem for all within reach of healthcare data.
Forrester Research came out with five key predictions for 2017 with the omen that “cybersecurity risks intensify.” According to Forrester, “healthcare breaches will become as large and common as retail breaches, and the 2015 breach of Anthem that affected as many as 80 million patients will become commonplace in the future.”
While regulations and compliance risk has momentum, the challenge of cybersecurity risk continues. For healthcare and healthcare data security managers – both physical and digital – it’s game on.
Regulations, Risk and Asset Protection
While regulations prevail to safeguard privacy of medical records and data, plenty of security risks remain. Technology constantly runs the risk of security breach.
“Regulations are changing in healthcare, but also the technological threats are evolving and becoming more sophisticated,” says Michael Ebert, Cyber Leader for Healthcare and Life Sciences for KPMG. “Our survey in August 2015 found that 81 percent of healthcare organizations acknowledged getting hacked, but we suggest that all healthcare organizations should operate under the premise that their information has been compromised. They need to assess where their security profile stands and what needs to be done to improve it.”
Data compromise is often preceded by theft and asset intrusion.
“The most vital thing you can know is that theft is the number one cause of HIPAA breaches year after year,” says Art Salazar, Director of Data Centers and Compliance for Green House Data in Cheyenne, Wyoming. “Digital and physical security are important, but theft can come from anywhere, even internal sources. A laptop left in the back of a car can be snatched, and just like that, you’ve lost a few hundred records. You need digital methods to secure and locate every single device that accesses digital health information. You also need a clean and clear audit trail. Start documenting and training on process yesterday. Security will become even more difficult as healthcare has become a known target for hackers in particular. 2016 saw several hospitals out of commission due to ransomware, which is a type of computer infection that can shut down all of your critical IT systems until you pay the attacker, usually with a digital currency.”
Security managers and compliance officers can take proactive steps to improve their records security and data privacy while maintaining records privacy.
For starters, Ebert advises organizations assess where they stand by conducting larger cyber maturity assessments, technical security testing and dry runs, about what to do in the event of a breach and that runs from mapping out how to respond to the public, patients and regulators and what needs to be done technologically.
And technologically, a robust technological framework stands as a sentinel to the privacy of sensitive records and medical data.
“A strong records retention program and privacy program are two essentials,” says Bryon K. Miller, CISO and Head of Security and Compliance Practice at Whitehat Virtual Technologies, a virtualization managed services provider and consulting services firm based in Austin, Texas. “But again, these two programs are ultimately borne from a foundational framework of controls the organization follows to protection information assets. It is essential that security managers and compliance officers seek independent analysis of controls in place and respond appropriately to remediation requirements after each independent assessment.”
Miller emphasizes training. “Training, training, and more training,” he says. “New hires need to be trained within 30 days of being hired. All employees need to receive annual security awareness training. And, role-based training needs to be provided to those with specialized functions that support records retention compliance, privacy compliance, and overall HIPAA compliance.”
To be remiss in training, combined with a weak security framework has consequences that are far reaching and go beyond data landing in the wrong hands; it can be a matter of life and death.
“The medical profession needs to protect security and privacy, but even more than that, it needs to save lives,” says Dr. John Michener, chief scientist of Casaba Security in Redmond, WA. “Security may not get in the way of life saving treatment. Doctors and nurses must be able to access medical information in a timely fashion, so security in medical systems must fail in a manner that allows medical treatment to proceed.”
One way of ensuring continuity is to focus on access and authentication. This comes down to smart and intelligent control and good security management. “So we want good authentication and authorization systems to control access to medical information, but we must have good accountability regardless – who accessed what, when, and where,” adds Michener. “An insurance claims clerk does not need emergency access – a trauma doctor does. Solid audit records, ‘eventing’ and associated monitoring of unexpected access – numbers, trap accounts – are all critical. In event of a compromise, the institution needs to know what information may have been compromised – access to a patient’s medical information from a treatment room terminal while that patient was being treated is unlikely to be suspicious.”
If an act appears to be out of order, it often is. Michener cautions that access to a patient’s medical information by an out of state medical insurance provider or party is likely to be suspicious.
“Organizations are required to protect medical information and restrict access to only authorized users, who typically play a limited number of roles, allowing the utilization of role based access control,” Michener says. “But in all cases, excellent monitoring of access is needed for accountability as well as notification requirements in event of breach.”
Regulations, Technology and an Attentive Workforce
What are the most important things that enterprise security managers, leaders and IT professionals need to focus on important and relevant compliance measures in record-keeping and privacy. Focus on what matters most and where it matters most is a best practice. Know the regulations.
“It’s important that privacy, security and compliance leaders have a deep understanding of relevant regulations, including their full scope and intent,” says Kate Borten, president of The Marblehead Group, in Marblehead, Massachusetts, and member of the Visual Privacy Advisory Council. “These people are the subject matter experts whom their organizations rely on for direction. While these leaders may be pulled into the details, they should develop and maintain an overview of the full scope of their privacy and compliance mission and their program solutions. Part of staying on course is to constantly review priorities, assuring that time and budget are spent on the efforts that help reduce the biggest risks.”
Borten also says it’s also important for the organization’s leadership to acknowledge that while the subject-matter experts lead the programs, everyone has a role and responsibilities in assuring compliance and privacy. But everyone must in sync – with each other, and with emerging technology.
“Maintaining compliance in the years ahead is expected to become more challenging,” says Jeremiah Talamantes, president of Red Team Security – an IT security consultancy in Saint Paul, Minnesota. “This is particularly notable when it comes to compliance requirements catching up with emerging technology. The impact of telemedicine and IoT medical devices, for example, will continue to outpace compliance security and privacy making risk management arduous.”
Technology is a key ingredient for a strong and effective security strategy in an era of regulated compliance. But so is a culture of vigilance and caution.
“Maintaining a culture of compliance is key to improving any organization’s privacy and security efforts,” says Lindsay Petrosky, an Attorney focusing on Data Privacy and Security at Jackson Kelly PLLC in Charleston, West Virginia.
In summary, enterprise security managers can’t operate in a vacuum. They must effectively collaborate with others: IT managers, organizational leadership, physical security managers, employees, legal staff and many others. Everyone needs to be aware of regulations and compliance measures. Everyone must also be part of an overarching security plant to insure security and compliance; all must help create a culture of security and compliance and strive to include the latest and most effective technology to achieve such an end. And it must be a daily effort.
“Security managers should review their policies and procedures to ensure that they are consistent with their organization’s actual day-to-day operations,” says Lindsay Petrosky.
Petrosky adds that such review should confirm that policies and procedures comply with the organization’s obligations under federal and state law.
“The best way to improve data privacy and security,” she advises, “is to have members of the workforce who are aware of their personal obligations to maintain the integrity and privacy of the information they handle on a day-to-day basis.”
A Regulatory Overview
Know your regulations. Know which once are relevant. But the manifesto of healthcare regulations and HIPPA can be complex and overwhelming. So, where do we begin?
James Moore is the Chief Operations Officer of iView Systems in Ontario, Canada. He has provided a concise overview of the components of HIPAA are designed to reduce administrative costs and overheads by adopting and enforcing the use of standardized, electronic transmission/collection and storage of administrative, sensitive patient and financial information.
What does the Health Insurance Portability and Accountability Act (HIPAA) invoke?
Tightly controlled access to sensitive patient information
Requirement for firm audit trails for proof of access, proper information handling and disclosure
Long-term secure archival of insurance and related information
Ensuring complete privacy and confidentiality of all patient information
Sensitive patient data control and access; including authenticated and validated user access to private information
Patient data integrity validation
Tracking of patient data exchange, with the capability to provide a firm audit trail of the sender, recipient, date and time, and associated content is established
Ensuring reliability and consistency of security throughout - encrypted transport, handling, storage and data destruction.
Moore adds that these requirements correlate with a battery of other regulations: Associated state and federal requirements, those invoked by the Freedom of Information and Protection of Privacy Acts, Personal Information Protection Acts (FIPPA/PIPA), and the Occupational Safety and Health Administration (OSHA) and equivalent for the Public and Private Sectors.