Thursday, December 31, 2015

Raising Cyber Security Awareness in Healthcare Professionals

Healthcare professionals should rightly be focused on providing quality healthcare services to patients. Does that mean that the industry should ignore a non-related technical topic, such as cyber security? Hardly, if the data breach history captured by the U.S. Department of Health and Human Services (HHS) is any indication. Data breaches are rampant and increasing in size and frequency.

A large percentage of the reported breaches can be traced back to human error. Physical security controls break down because a door is left open. Technical controls break down because a user ID or password is posted via a sticky note on a computer monitor, or because account credentials are shared and the task at hand absolutely, positively needs to be done right now.

Professionals working in the healthcare industry possess a zeal for protecting the health of their patients and improving how that support is provided. No legitimate employee wants to intentionally do something to adversely impact the health of a patient.

Health IT is about promoting the use of IT to support the healthcare mission. Health IT is all about providing high-quality care more efficiently, faster and cost effectively by using software and hardware technologies that have transformed countless other industries. However, these technologies cannot be deployed without considering the potential new cyber risks introduced to an organization.

An obvious manifestation of healthcare IT is the continuing transition from paper-based records to digital health records. But it does not end there, as wireless technologies have enabled medical devices to become extended diagnostic and reporting nodes on an increasingly networked IT infrastructure that shares patient medical records, billing records, financial records and burgeoning software applications—all accessing databases housed in common server structures.

How can this extended enterprise be protected? One approach can be extracted from the "Stop. Think. Connect." campaign administered by the U.S. Department of Homeland Security (DHS). The intent is not to make everyone a cyber security expert or to unduly raise fear, uncertainty and doubt—the intent is to bring some sense of awareness of cyber security to the general population. The goal of this campaign is to make someone think—even for half a second—before they take action online.

Do you have a secure connection to the server where you are about to input your credit card information? Are you authorized to access the data records you are about to request? Should you post personal information online for anyone to see? Simply hesitating to consider your actions before blindly clicking on that link can help prevent obvious human errors from occurring.

The board of directors of a healthcare organization has a myriad of concerns—providing sound patient care, maintaining financial viability and leveraging IT to enhance operations. Just as healthcare professionals run their departments, the IT infrastructure should be run by cyber security experts who are cognizant of the constantly evolving threats and who mitigate the resultant risks to the organization. As there is never enough budget or staff to throw at a non-mission-essential, yet critical, area such as cyber security—how can the board cope?

Raise the cyber security awareness of the overall organization with role-appropriate cognizance of the consequences of individual actions and how easily one click on an inappropriate link can compromise an entire network—ultimately leading to the compromise of personal health records.

What is one effective way to overcome this challenge? Establish a cyber security awareness program.

Creating and operating a cyber security awareness program does not mean transforming staff into cyber engineers able to reverse engineer malware samples. Instead, the intent, like the DHS "Stop. Think. Connect." campaign, is to have individuals realize that they play key roles in protecting the digital health of patients—just as they play direct roles in protecting the physical health of patients.


Thursday, November 12, 2015

Health Care Data Breach Watch: October 2015

BLUE CROSS AND BLUE SHIELD OF NORTH CAROLINA (BCBSNC) – 2,337 MEMBERS
In two separate incidents, Blue Cross and Blue Shield of North Carolina members’ information was disclosed by printing errors. In the first, members’ invoice information – including names, addresses, internal BCBSNC account numbers, group numbers, coverage dates, and due premium amounts – was printed on the backs of other members’ invoices by mistake. In the second, members received payment letters that included other members’ information, such as “health plan purchased, effective date, health insurance marketplace identification number, payment amount, telephone number and payment identification number”.

AFFINITY HEALTH PLAN – 721 MEMBERS
A similar incident affected Affinity Health Plan. Affinity sent appointment reminders to 721 members in August, telling them to make an appointment “to complete a Child Health Plus renewal application”. Owing to a printing error, the reverse of the letters contained different patient information, including other children’s names, unique Affinity member identification numbers, and addresses. No medical or health information was disclosed.

BARRINGTON ORTHOPEDIC SPECIALISTS – 1,009 PATIENTS
A laptop and EMG machine were stolen from a vehicle belonging to Barrington Orthopedic Specialists between August 14 and 18, potentially exposing the names, dates of birth, and EMG results and reports pertaining to 1,009 patients.

SENTARA HEART HOSPITAL – 1,040 PATIENTS
Two encrypted hard drives containing backups of electronic patient notes – including patient names, unique medical record numbers, dates of birth, procedure dates, diagnoses, procedures, surgeon and staff names, allergies, notes, and medications relating to procedures performed – were stolen.

OU HEALTH/ENVISION RX – 540 HEALTH PLAN MEMBERS
Thanks to another mailing error, 540 health plan members received letters containing other members’ claim information, including “first and last name, date of service, name of drug and dosage, cost of prescription, member [copy], and Plan paid amount. The information did not include the other member’s demographic, financial information or Social Security Numbers.”

EMERGENCE HEALTH NETWORK – 11,100 PATIENTS
In August, Emergence Health Network – the local mental health authority for El Paso County – discovered a data breach dating back to 2012, potentially compromising patients’ first and last names, their addresses, dates of birth, Social Security numbers and case numbers, and information relating to the services they used. No medical records were held on the affected server.

UNIVERSITY OF OKLAHOMA COLLEGE OF MEDICINE DEPARTMENT OF UROLOGY – 9,300 PATIENTS
A laptop that “may have included limited patient information […] such as patient name, diagnosis and treatment codes and dates (most between 1996-2006), date of birth or age, a brief description of a urologic medical treatment or procedure, medical record number, and the treating physician’s name” was stolen from a former employee of the University of Oklahoma Department of Urology in August.

CAREPLUS HEALTH PLANS – APPROXIMATELY 1,400 PATIENTS
WTSP reports that an “error while processing statements might have led to a breach of personal information for clients of CarePlus Health Plans.” Approximately 1,400 members’ names, addresses, and CarePlus identification numbers were sent to other recipients when a “machine was programmed to insert two premium statements per envelope — instead of just one”, resulting in “some statements being sent to the wrong member.”

HUMANA – 2,800 MEMBERS
Wisconsin health insurance company Humana has reported the theft of an encrypted laptop containing information pertaining to approximately 2,800 Medicare Advantage members along with hard-copy files – which included the names, dates of birth, and clinic names of about 250 of those members – from an employee’s vehicle.

NEW YORK CITY HEALTH AND HOSPITALS CORPORATION (HHC) – WOODHULL MEDICAL AND MENTAL HEALTH CENTER – 1,581 PATIENTS
A laptop containing 1,581 patients’ “medical record number, test results and narrative physician summary” was stolen from a patient examination room at the Woodhull Medical and Mental Health Center.

NEPHROPATHOLOGY ASSOCIATES – 1,260 PATIENTS
Information including patients’ “first and last name, patient age at the time of treatment, Nephropath accession number, referring physician, and pathology diagnosis” was “inadvertently transmitted […] to a vendor via unsecured e-mail.” The vendor was informed and instructed to destroy the information.

NORTH CAROLINA DEPARTMENT OF HEALTH AND HUMAN SERVICES – 1,615 PATIENTS
A North Carolina DHHS employee inadvertently sent an unencrypted email to the Granville County Health Department. “Attached to the email was a spreadsheet containing information relating to individual Medicaid recipients. The information in the email included the individual’s first and last name, Medicaid identification number (MID), provider name and provider ID number, and other information related to Medicaid services.”

BAPTIST HEALTH AND ARKANSAS HEALTH GROUP – 6,500
Two former employees of Baptist Health and Arkansas Health Group downloaded patient information without permission, which they took to their new practice, Bray Family Health. They then used the information to contact patients about Bray Family Health. Information included “patient names, addresses, telephone numbers, dates of birth, gender, race, ethnicity, rendering provider, referring provider, and the date that patients were last seen by one of our health care providers”.

JOHNS HOPKINS MEDICINE – 571 PATIENTS; 267 RESEARCH SUBJECTS
An unencrypted laptop containing “limited information about 571 patients with cancer seen at The Johns Hopkins Hospital between 2006 and 2014 and about 267 people who participated in a research study on a rare genetic disorder between 2008 and 2015” was stolen from a Johns Hopkins physician at an airport. Patient data “was limited to the patient names, the dates seen at The Johns Hopkins Hospital, the names of patients’ physicians, one- to three-word diagnoses and medical record numbers—but not their contents—of the patients with cancer. For study participants, the information included patient names, study identification numbers and, for subsets, dates of birth, addresses, referring physicians’ names and comments on the disorder stated in technical terms.”

ASPIRE HOME CARE AND HOSPICE – 4,278 PATIENTS
Aspire Home Care and Hospice (formerly Indian Territory Home Health and Hospice) suffered a cyber attack in late July/early August resulting in the compromise of 4,278 patients’ protected health care information, “such as patients’ names, dates of birth, addresses, telephone numbers, Social Security numbers, insurance information, prescription information, patient identification/medical record numbers and certain medical/clinical information.”


Saturday, October 24, 2015

Sutter Health Incident Illustrates Email Risks

Sutter Health's revelation that a former employee inappropriately sent patient information to a personal email account in violation of the organization's policy is yet another reminder of the privacy risks posed by email communication.

In a Sept. 11 statement, the California healthcare delivery system says the billing documents for 2,582 patients that were inappropriately emailed included names, dates of birth, insurance identification numbers, dates of service and billing codes. For one patient, the compromised information also included a driver's license number. For another, a driver's license number and Social Security number were included.

Sutter Health includes 24 hospitals, 27 ambulatory care facilities and a network of more than 5,000 physicians in Northern California. Previously, the organization reported three other breaches, including a 2011 breach involving the theft of an unencrypted desktop computer containing information on 4.1 million patients.

The organization says it discovered the email-related incident during a review of the former employee's email activity and computer access. Sutter launched an investigation on Aug. 27 after the organization learned of possible "improper conduct" by the former employee, who worked at Sutter Physician Services, which handles billing for Sutter Health's physician medical foundations.

Most of the patients whose data was involved in the April 26, 2013, incident reside in the greater Sacramento region and are patients of Sacramento-based Sutter Medical Foundation, Sutter Health says. The California healthcare provider says it has no evidence that any of the patient information was misused or disclosed to others, but affected patients are being offered free credit monitoring services for one year.

Taking Precautions

Sending any confidential information to a personal email account is strictly prohibited. Sutter Health now has software that helps block confidential information from leaving the organization unless appropriate safeguards are in place to send it securely. Employees are also required to annually acknowledge and sign Sutter Health's confidentiality agreement, in which they agree to abide by the organization's policies and protect its confidential data. Every organization must work hard at protecting patient information, including implementing new technologies to enhance that protection. I cannot provide specific details of those technologies; keeping them confidential is itself part of the safety effort.

Common Problem

Unfortunately, privacy breaches involving unsecured email - as well as text messages - are a common problem in the healthcare arena, security experts say. My experience is that doctors and medical practice employees send PHI through unsecured e-mail all the time.

Besides implementing encrypted email communication, healthcare entities can take other steps to safeguard patient information. For example, they can use data loss prevention (DLP) programs that scan emails and attached documents for sensitive data, such as Social Security numbers, before they're transmitted, security experts say. Depending on the technology, a message carrying sensitive data can either be blocked from transmission or automatically encrypted.
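As an added illustration of the DLP check described above (example code written for this page, not from the original post or any vendor product), the following Python inspects an outgoing message, including text attachments such as a CSV spreadsheet, for a Social Security number pattern and for PHI keywords, then decides whether to allow it, block it, or route it through an encryption gateway. The internal domain, keyword list, policy and sample messages are all constructed assumptions.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Dict, List

# Assumed domain of the covered entity (constructed for this example).
INTERNAL_DOMAIN = "example-health.test"

# SSN in AAA-GG-SSSS form with a hyphen or space separator. The negative
# lookaheads exclude ranges the SSA never issues (area 000/666/900-999,
# group 00, serial 0000), which removes many false positives. Unseparated
# nine-digit runs are deliberately not matched here.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)\d{3}[- ](?!00)\d{2}[- ](?!0000)\d{4}\b"
)

# Phrases that indicate PHI even when no SSN is present (constructed list).
PHI_KEYWORDS = ("medical record number", "mrn", "diagnosis",
                "medicaid id", "date of birth")


def find_ssns(text: str) -> List[str]:
    """Return every SSN-shaped token in the text."""
    return SSN_RE.findall(text)


def find_phi_keywords(text: str) -> List[str]:
    """Return the PHI indicator phrases present in the text."""
    lower = text.lower()
    return [k for k in PHI_KEYWORDS if k in lower]


def external_recipients(msg: EmailMessage) -> List[str]:
    """Recipients whose address is outside the internal domain."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    addrs = [addr for _, addr in getaddresses(headers)]
    return [a for a in addrs if not a.lower().endswith("@" + INTERNAL_DOMAIN)]


def scannable_text(msg: EmailMessage) -> str:
    """Concatenate the body and every text/* attachment (e.g. a CSV export).
    Binary attachments would need a format-specific extractor; only their
    file names are included here so they still show up in the record."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            chunks.append(part.get_content())
        elif part.get_content_disposition() == "attachment":
            chunks.append(part.get_filename() or "")
    return "\n".join(chunks)


def decide(msg: EmailMessage) -> Dict[str, object]:
    """Assumed policy: internal-only mail passes; external mail carrying an
    SSN is blocked outright; external mail with other PHI indicators is
    forced through the (assumed) encryption gateway."""
    ext = external_recipients(msg)
    text = scannable_text(msg)
    ssns = find_ssns(text)
    indicators = find_phi_keywords(text)
    if not ext:
        action = "allow"
    elif ssns:
        action = "block"
    elif indicators:
        action = "encrypt"
    else:
        action = "allow"
    return {"action": action, "external": ext,
            "ssn_count": len(ssns), "indicators": indicators}


def build_samples() -> Dict[str, EmailMessage]:
    """Three constructed messages modelled on the incident types above."""
    samples = {}

    m = EmailMessage()  # internal chart review, stays inside the organization
    m["From"] = "billing@" + INTERNAL_DOMAIN
    m["To"] = "coder@" + INTERNAL_DOMAIN
    m["Subject"] = "Internal chart review"
    m.set_content("MRN 00012345, diagnosis codes attached for review.")
    samples["internal"] = m

    m = EmailMessage()  # spreadsheet of recipients sent to an outside agency
    m["From"] = "eligibility@" + INTERNAL_DOMAIN
    m["To"] = "records@county-health.test"
    m["Subject"] = "Medicaid recipients"
    m.set_content("Spreadsheet of recipients attached.")
    m.add_attachment("name,medicaid id,ssn\nJane Doe,MID-TEST-1,123-45-6789\n",
                     subtype="csv", filename="recipients.csv")
    samples["spreadsheet"] = m

    m = EmailMessage()  # pathology result sent to a vendor, no SSN
    m["From"] = "lab@" + INTERNAL_DOMAIN
    m["To"] = "intake@lab-vendor.test"
    m["Subject"] = "Accession 42"
    m.set_content("Pathology diagnosis for accession 42, patient date of birth "
                  "01/02/1970, referred by Dr. Example.")
    samples["vendor"] = m
    return samples


if __name__ == "__main__":
    for name, message in build_samples().items():
        print(name, decide(message))
```

Running the block prints the decision for each constructed message; the spreadsheet case is the one that would have stopped the unencrypted attachment described in the North Carolina DHHS incident above.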

When doctors have privileges in multiple hospitals, it is easy to use free webmail for communications wherever they are. Even if you have a secure e-mail server in your practice that allows for secure messaging within your organization, sending a message to someone else using webmail is not secure.

Employees and clinicians need to be educated on the secure methods for sending communication involving PHI.

More Guidance Needed?

At a recent annual HIPAA security conference hosted by OCR and the National Institute of Standards and Technology, OCR officials acknowledged that incidents involving unsecured email are likely underreported to the agency. "We are seeing a lot of different problems with the transmission of electronic PHI," the OCR director said during a question-and-answer session with attendees.

While communication between healthcare providers that involves the sharing of PHI should be secured using encryption or other safeguards, patients can request that their doctors electronically send them their records without using encryption or other secure methods, as long as the individuals are made aware of the risks.

Saturday, September 26, 2015

Mega-Mergers: The Security and Privacy Concerns

Mergers and acquisitions, such as two pending mega-deals in the health insurance sector, pose security and privacy risks that need to be addressed before the transactions are completed, during the integration process and over the long haul.

In recent weeks, Anthem Inc. announced plans to buy rival Cigna for $48 billion, and Aetna unveiled a proposed $37 billion purchase of Humana.

Interoperability of systems, consolidation or merging of databases, differing architectures, disparate platforms, consolidation of accounts and access, and conversion of users are among the potential hurdles these companies face. For organizations this large, there is nothing trivial about integrating their networks, systems or controls. The biggest issues are always disparate systems, controls and interoperability, and the privacy and security issues those challenges can create.

The transition period after two companies merge presents new risks. Because of the tremendous concerns about data security and cybersecurity breaches, integration of overall security is a particular challenge. It is easier to attack a hybrid, half-integrated company than two separate companies.

Anthem's proposed acquisition of Cigna comes at a time when Anthem is under a lot of pressure with respect to its information security, and the acquisition of another large insurer adds a lot more to its plate. It will need to integrate its information security processes into a host of new systems, with each new, potentially unfamiliar system bringing new risks if not properly integrated. When mergers and acquisitions are completed, a big challenge is deciding whose information security program will dominate after the transaction closes.

Oftentimes, the information security program of the larger entity takes over the smaller. In good situations, each entity learns from the other and overall information security is improved, after a painful integration process. But sometimes the reverse happens, and good information security practices are abandoned because they are not practiced by the larger entity.

While that best-of-breed approach might work well in some mergers and acquisitions, typically things don't end up going that smoothly. There are two kinds of challenges: inconsistencies in practices, involving either data security or privacy, and then the operational implications of those inconsistencies, where one of the entities tries to apply its processes or practices to the differing practices or operations of the other. These challenges are exacerbated when there hasn't been a lot of due diligence on privacy and data security issues.

When you start connecting one huge network with another one, and start sharing data without proper planning, new vulnerabilities and risks emerge. If the companies involved in the latest wave of healthcare sector mergers and acquisitions get the regulatory and shareholder approval needed to complete their transactions, they need to keep a few security tips in mind. The biggest tip is common sense: don't undo any control that is currently in place until its replacement is in place and backed up, so that protection is continuous.

Saturday, September 19, 2015

Attacks on Insurers: Lessons Learned

The latest revelation of a cyber-attack on a health insurer - this time Excellus BlueCross BlueShield - illustrates why it's so important for healthcare organizations to frequently scrutinize systems for intrusions. The Excellus breach, which potentially exposed information on 10.5 million individuals, was discovered on Aug. 5 but apparently dates back to December 2013. Earlier, insurers Anthem Inc., Premera Blue Cross and CareFirst Blue Cross Blue Shield also reported massive breaches that went undetected for extended periods. The four breaches combined potentially exposed information on more than 100 million individuals. The frequency of breaches in the healthcare industry shows that cybercriminals are targeting the sector.

Primary Motives

So, what's the likely motivation for the string of attacks on health insurers?

Insurance records are rich in personal health information, making them exploitable for insurance fraud and prescription fraud. The more sensitive the leaked information, the greater the incentive for attackers to sell it. The disclosure of Social Security numbers and other data points such as income, employment status and birth dates allows criminals to create numerous fraudulent credit card accounts, causing the victim additional fallout that can continue for many years to come.

One theory that some experts offer is that over the past 12 to 18 months, attackers operating from China have been hacking multiple sources to build databases of information relating to U.S. residents, potentially for espionage purposes. But others caution that attributing the source of any cyber-attack is tricky.

Excellus Breach

The attack on Excellus was discovered on Aug. 5 after the health insurer, which is based in Rochester, N.Y., hired cybersecurity firm Mandiant to conduct a forensic assessment of the company's IT systems in the wake of multiple health insurers belatedly discovering that their systems had been breached and member data stolen, according to a company spokesman. Forensic experts have determined that the cyber-attack on Excellus began in December 2013, the spokesman says.

Although the affected data was encrypted, the hackers gained access to administrative controls, making the encryption moot, the company spokesman says.

While health plans, especially those affiliated with Blue Cross Blue Shield, appear to be a huge target for hackers, other segments of the healthcare sector are also in the bullseye. For instance, in July, healthcare provider UCLA Health revealed that a cyberattack on parts of its network compromised personal information of 4.5 million patients. UCLA Health says it appears that the attackers may have had network access as early as September 2014.

Healthcare providers are just the latest targets in the information battle with malicious adversaries. Financial services firms and defense contractors have been battling these adversaries for years. The lesson learned that can be applied to health insurers is to evaluate the value of the information being stored and focus the most stringent security controls around that data. For health insurers, that is the personal information of clients.

First and foremost, make certain you are handling the basic blocking and tackling - for example, employee security training, access control and configuration management - before you try to do anything more sophisticated. Many breaches come through phishing, an exploited vulnerability or username/password theft.


Sunday, August 23, 2015

Treating Health Information Security as 'Essential'

One of the most important lessons emerging from the recent string of major cyberattacks in the healthcare sector is the need for executives to treat information security as an essential component of business operations. Healthcare is becoming a bigger target for hackers because hospitals, health insurers and others are rich sources of data.

In recent months, hackers have launched major attacks on a number of healthcare entities. Those include UCLA Health, which on July 17 reported a hacker attack that affected 4.5 million individuals; Anthem, which was hit by a hacker breach affecting nearly 80 million individuals; as well as Premera Blue Cross and CareFirst Blue Cross Blue Shield.

Healthcare organizations are being targeted because they hold not only treatment information but also high levels of personally identifiable information - not just Social Security numbers, but other information that can be used to answer security questions and more convincingly impersonate the victim/consumer.

Another reason hackers are targeting healthcare is that most organizations in the sector have less mature security programs than those in other sectors, such as financial services.

One of the biggest mistakes that healthcare organizations are making is taking too narrow a view of information security, seeing it as only an infrastructure issue. The reality in this evolving electronic information economy is that information technology and information security have become a fundamental component of the day-to-day business. Because of this misunderstanding of information technology and information security, the right mentality and resources are not being applied.

So the change that needs to occur is seeing information security as an essential part of business operations. And healthcare ... will begin to see that patients will demand better information security, and regulators will begin to punish those institutions that haven't done a good job.


Ultimately, senior executives must develop a better understanding of the importance of information security. Once that happens, then you can start delving into some of the details of what a sound information security program requires, and healthcare can start making some of the fundamental changes we've been seeing in other markets.

Friday, July 31, 2015

Healthcare Resources - Keeping Security Strategy Healthy

As the healthcare industry constantly evolves, every component of operational support must evolve as well. Security is one critical area that must strive to keep pace with industry changes, stay current with regulatory compliance mandates and utilize data to stay ahead of the curve. When intelligence is culled, analyzed and viewed as a source of continuous improvement, proactive security programs are the result.

What trends and data do healthcare security professionals need to assess?

Trade Associations: The International Association for Healthcare Security & Safety (IAHSS) and ASIS are key drivers in establishing protocols to assess, measure and implement healthcare security strategy, and they provide information and resources.

National Resources: Workplace violence in healthcare is a growing concern. According to the Bureau of Labor Statistics, nearly 60 percent of all nonfatal assaults and violent acts in the workplace occurred in the healthcare and social assistance industry. The Occupational Safety and Health Administration (OSHA) offers a Workplace Violence Safety and Health Topics page with information that can help security professionals effectively evaluate their workplace.

Regulatory Agencies: An effective healthcare security program must be in tune with, and apply the direction of, a variety of accrediting bodies including OSHA, The Joint Commission, CMS, DNV, and NFPA, as well as state and local regulators.

Local Data: Analysis of what is happening in the community is essential. Crime statistics, population trends, community events, and anticipated weather events can help the facility’s security team be more prepared.

On-site Trends: Ongoing review of security trends can aid in the evolution of security strategy and security officer deployment that is predictive, rather than reactive. Frequent incidents in a particular area of a hospital could be addressed with a change in procedure or staffing.

Security Best Practices: In addition to industry benchmarks, information and best practices shared among peers create additional opportunities for continuous improvement and success.

A data-driven approach to security must be comprehensive and cognizant of the evolving nature of the industry and the facility. Review and then ask yourself… what additional information do I need to continue to move my security program forward?

Wednesday, July 8, 2015

Social Engineering in HealthCare

The weakest link in an information security program is people. Hackers have known this for a long time and have refined the art of social engineering. By convincing someone to do something that isn’t in their best interest, malicious individuals are able to launch devastating attacks on organizations.

One method in which the hackers prey on their victims is through phishing. This attack vector utilizes electronic communication that appears to be trustworthy. Through this vehicle, hackers attempt to obtain sensitive information about their victims such as credentials, credit card information, and even more coveted protected health information.

The healthcare industry has always been about helping people; however, when it comes to privacy and security, being too helpful isn’t always a good thing. Partners Healthcare realized this when a group of its employees fell victim to phishing emails. Hackers were able to convince some of Partners’ employees to engage with them through an email on November 25, 2014, allowing the hackers to gain access to the employees’ email accounts. This eventually led to the compromise of approximately 3,300 patient records.

In another unfortunate example, Texas-based Seton Healthcare Family, a part of Ascension Health System, became a victim of a compromise of protected health information on 39,000 patients when an employee opened an email that turned out to be a phishing scam. This wasn’t the first time Seton Healthcare had been breached; in 2013 the health system reported the theft of an unencrypted laptop. Since 2007, they had two additional breaches: one again involving a stolen laptop affecting 10,300 patients and a breach by a third-party vendor involving more than 500 patients where member cards were sent out to the wrong members.

St. Vincent Medical Group fell victim to a phishing attack targeting employees. A statement posted on its website indicated that it discovered an employee’s email account had been compromised around December 3, 2014. By March 12, 2015, it had determined that the compromised email account contained personal health information on approximately 760 patients.

With the ease of phishing and the high returns that can be achieved by using this technique, security professionals fear that these types of threats will increase in 2015. With health data becoming more valuable to hackers on the black market, and the belief that the healthcare industry is not ‘up to par’ on security compared with other industries, the healthcare industry will continue to see an increase in attacks.

Thursday, June 4, 2015

Protecting Patient Records in an App-Happy Healthcare World

Medical identity theft is the fastest growing type of identity theft. It is more lucrative from the bad guy's point of view, and it's also very hard to detect. Detection is a growing problem for those IT and security operations centers working within healthcare organizations. By law, they must protect patients' and providers' electronic records. At the same time, there's growing pressure to expand the security architecture to accommodate more access to on-demand services. This is particularly true when it comes to mobile devices, where a loss or theft can carry serious consequences.

Healthcare IT, in general, is typically slower to adopt new platforms to support emerging technologies, in part because potential disruptions in services could mean life or death. It also has a highly fluid user base. But the proliferation of on-demand patient portals, healthcare exchanges, fitness-related wearable technologies and health-oriented mobile applications is pressing forward, with or without IT's blessing.

The whole issue of securing portals and making sure we have the appropriate security around them is absolutely paramount. All regulated industries struggle continually to meet consumer demands and compliance mandates.

Medical records are under more intense scrutiny today in part because of two recent breaches: Anthem, the largest for-profit managed care company in the Blue Cross Blue Shield portfolio; and Premera Blue Cross, headquartered in Washington. Between the two, almost 100 million customers are now at risk of identity theft.

A stolen record may be worth $1 on the black market, whereas a stolen health record may fetch $5. Why? It holds all the information needed to steal someone's identity and use it to get at a lot of other accounts and services.

Like many other security issues, education and awareness are key to improving the security posture of any organization. For health IT, helping patients, caregivers and providers understand mobile device security best practices is a good start. Consider training users on, and requiring, the following safeguards to minimize risks:

Authentication. As a policy, users should set up multi-factor authentication to access apps holding personal health information and credentials. Make sure that for those who use PINs or passwords, the codes are masked as they are entered, to reduce the chance of visual hacking (shoulder surfing).

Encryption. Show mobile users how to enable encryption to protect healthcare and financial data stored on their smartphones, tablets and laptops.

Enable remote wipe. If the device is company-owned, consider installing technology to remotely erase data or disable an app if you believe the device is at substantial risk of compromise.

Block downloads. This is a little tougher for healthcare organizations, which may need to share files for legitimate purposes. But consider as a policy disabling non-essential applications to narrow the risk of exposure.

Install security software. Many consumers realize the need on their desktops or laptops but fail to install antimalware software, firewalls, VPNs or other security basics on their mobile phones. A little encouragement can go a long way. So does accepting security updates when a request pops up on their phones or tablets.

Discourage public Wi-Fi use. Password-protect a facility's wireless network and warn people to avoid accessing, receiving or transmitting private patient data in places with unsecured Wi-Fi. Similarly, in a public setting or anywhere with public access, a screen shield will keep private patient health data away from prying eyes.

Lock the device when not in use, and use automatic log-off. For many years, I used to tell my people, "You are in healthcare. You aren't working for IBM or Symantec. At the end of that server or PC is someone's life," and that changes their whole perspective.

Monday, May 18, 2015

Raising Cyber Security Awareness for Healthcare Professionals


Do you have a secure connection to the server where you are about to input your credit card information? Are you authorized to access the data records you are about to request? Should you post personal information online for anyone to see? Simply hesitating to consider your actions before blindly clicking on that link can help prevent obvious human errors from occurring.

The board of directors of a healthcare organization has a myriad of concerns: providing sound patient care, maintaining financial viability and leveraging IT to enhance operations. Just as healthcare professionals run their departments, the IT infrastructure should be run by cyber security experts who are cognizant of the constantly evolving threats and who mitigate the resultant risks to the organization. Since there is never enough budget or staff to throw at a non-mission-essential, yet critical, area such as cyber security, how can the board cope?

Raise the cyber security awareness of the overall organization with role-appropriate cognizance of the consequences of individual actions and how easily one click on an inappropriate link can compromise an entire network—ultimately leading to the compromise of personal health records.

What is one effective way to overcome this challenge? Establish a cyber security awareness program.

The purpose of creating and operating a cyber security awareness program is to have individuals realize that they play key roles in protecting the digital health of patients, just as they play direct roles in protecting the physical health of patients.

Wednesday, May 6, 2015

What will it take to prioritize security in Healthcare?

With security breaches dominating news headlines daily, those responsible for securing our systems, networks, and devices are struggling to keep pace with the evolving threat landscape. Perhaps some of the most concerning potential breach data comes from the healthcare industry, where we entrust our most personal information (social security number, birth date, medical history) as well as our immediate family members' sensitive information to medical care providers. Further, medical devices rely on secure IT networks to function properly and deliver continuous, critical care to patients with heart conditions, diabetes, and other ailments. In the event of a security breach, the malfunction of devices could have potentially life-threatening consequences.

So what can we do to create a more secure environment for protected health information and equip healthcare IT staff with the security skills they need to fulfill this task?

First, we must start with a level of awareness. Calling attention to the alarming number of data breaches in today's healthcare industry certainly helps the cause. According to Redspin's Breach Report 2013 – Protected Health Information (PHI), the number of PHI breaches was up 138 percent from 2012, with 199 incidents reported to the U.S. Department of Health and Human Services (HHS), impacting over 7 million patient records. HHS even has a "wall of shame" webpage for the world to see: a list of U.S. healthcare organizations that have had a security breach of protected health information affecting more than 500 individuals.

Part of the problem with security awareness lies in current processes, which don't take into account how to mitigate fraud or medical identity theft. If a patient's healthcare record is compromised by someone who stole the identity to receive care, and consequently had false information entered into that patient's electronic health record, there's no process in place that allows medical providers to go in and fix the record, because it's considered a legal document. Right now, we're still at the awareness level for security, and what has to be done is to help hospitals and other healthcare organizations recognize when an instance of medical identity theft has occurred so they can improve processes to protect patients.

Medical records are more susceptible to identity theft because the online systems for medical records, and the networks on which they operate, are not as locked down and sophisticated as those in other industries. We must also realize that healthcare is one of the last industries to move data from paper to online systems. Many physicians still use paper records for their patients, and others are only beginning the process of transitioning patient records to digital systems.

When it comes to educating healthcare IT staff, they need the resources, experience, and continuous drive to ensure they possess the latest knowledge and skills required to secure protected health information. Many of them stressed the lack of security, even at the basic awareness level, in their organizations.

Let’s face it, making security a priority for the healthcare industry won’t happen overnight. It will require a concerted effort that begins with security awareness, followed by education and training of healthcare IT staff, and finally adoption and acceptance from the healthcare industry to create a secure digital environment for protected health information.


Thursday, April 30, 2015

Healthcare Security


Following recent healthcare data breaches, data security is back in the national spotlight. Healthcare data breaches not only create financial vulnerabilities for companies and consumers, but they can also pose serious medical threats due to tampered medical histories of affected patients.

While healthcare data breaches have not received as much media attention as the hacks against the national retailers, healthcare breaches could potentially have a much greater personal effect than hacks perpetrated in other industries.

What Makes Healthcare Data so Vulnerable?
Although data breaches in any industry pose great threats, healthcare data breaches have the potential to inflict greater financial and personal consequences on clients and companies. Here are some of the main concerns when it comes to healthcare breaches.

1. Health companies face unique challenges in transferring health records securely.
Many healthcare companies are still inexperienced in upholding and maintaining the secure transfer of their Electronic Health Records (EHRs), and consequently their records may be more vulnerable. While some healthcare companies may have the necessary technology to create secure records, others are still inexperienced in the security practices necessary to withstand trained hackers.

2. Healthcare companies need to refocus their infrastructure to protect against breaches.
Many healthcare companies are still learning how to protect and prevent against data breaches. Unlike credit card companies and banks that have established measures of quickly recognizing fraudulent activity and putting a stop to it, healthcare companies can take months to notice errors—if they notice them at all.

"Cybercriminals tend to think of healthcare organizations as soft targets. Historically, they haven't invested much in IT, and security specifically." Knowing that healthcare companies are seen as easier targets should give these companies the necessary motivation to improve their security practices.

3. The consequences of healthcare breaches are much more severe.
While the consequences of identity theft can be expensive and frightening, the impact of healthcare data breaches is often more expensive and may even have the potential to be lethal. In addition to the financial threat, many hackers of healthcare records are tampering with these medical records in order to make a higher profit (mostly through the reselling of prescription drugs). While the consequences of hacks related to accessing and selling drugs seem obvious, there is also potential for these hacks to lead to life-threatening changes to medical records (including past surgeries, allergies, and drug interactions), posing a great threat to your medical care in an emergency.

What Can Healthcare Providers Do?

Healthcare companies have sometimes neglected to deploy even the most basic enterprise security measures. Without proper security checkpoints, these companies make themselves more vulnerable to hacks and potentially put their clients' most important data (social security numbers, medical records, credit card information) at great risk. In order to avoid these attacks in the future, healthcare organizations must take this opportunity to begin prioritizing better security practices and improve the face of healthcare security from here on out.

Friday, April 17, 2015

The Human Factor and Healthcare Privacy and Security

An organization can have all the necessary healthcare privacy and security measures in place, but without comprehensive employee training, the facility could still fall victim to a data breach or violate HIPAA regulations. That is just one of several issues the healthcare industry is facing in 2015. The human factor is critical for any healthcare organization, and a lack of knowledge about HIPAA could be harmful.

Accessing healthcare information is also a critical aspect of securing that data, because organizations must ensure that the users who are accessing the information are authorized to do so. Covered entities have to define what information needs to be accessed by which users. They also need to define what processes must be in place to ensure that the appropriate level of access is granted to those users.

Essentially, healthcare organizations need to take a look at what information they actually have, how that information is stored, and for what purposes it needs to be used. Once those three elements are in place, facilities can then define what their provisioning processes should be, based upon users' needs and the duties they perform.

You have to keep in mind that all the users who have access to that data have a role or responsibility, and are using that information for a specific purpose. So it's up to those users to make sure that they follow the necessary processes, procedures and policies in place for the disclosure of that information.

Additionally, that access has to be in accordance with all regulatory requirements, such as the HIPAA Privacy Rule and Security Rule. Finding that balance is a challenge that healthcare organizations of all sizes are working to overcome.

"It's a lot easier for practices, covered entities, and hospitals to grant access to all employees and feel like they will only use the information that they're supposed to," he said. "However, that's not always the case."

This is where comprehensive training and education will come into play. Employees need to be aware of what the Privacy and Security Rules are about and then what their obligations as staff members are. From there, covered entities need to teach employees how to tie those obligations back to existing practices within their particular organization.

Another key tool to strengthening the human factor in healthcare privacy and security is conducting regular audits and reviews of what employees are actually able to access. For example, an individual who works in the billing office doesn’t necessarily need to have access to clinical information, such as a patient’s medical record. Comparatively, a nurse will need access to clinical information, but will likely not need to see a patient’s demographic information or their financial data.

You have to understand what information you have in your system and how granularly your system can grant access in order to determine what level of access is appropriate for your employees, recalling the "minimum necessary" standard required by HIPAA. "Granting all access to everybody would not be in compliance, and would not be standard with the security requirements."
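The access review described above (billing staff should not hold clinical access, a nurse should not hold financial access, and the "minimum necessary" standard applies) can be run as a periodic script over an entitlement export. The following is an added example, not code from the original post; the role policy, user names and entitlement rows are all constructed for illustration and stand in for whatever your identity system or EHR exports.

```python
"""Minimum-necessary access review over a constructed entitlement export.

Added example (not from the original post). Assumes the organization has
classified its information into categories and written down, per role,
which categories that role legitimately needs.
"""
from collections import defaultdict

# Constructed policy: role -> categories the role needs to do its job.
# Mirrors the post's examples: billing needs financial and demographic
# data but not charts; nursing needs clinical data but not finances.
ROLE_POLICY = {
    "billing": {"demographics", "financial"},
    "nurse": {"clinical"},
    "physician": {"clinical", "demographics"},
    "records_clerk": {"clinical", "demographics"},
}

# Constructed entitlement export: (user, role, category granted).
ENTITLEMENTS = [
    ("b.okafor", "billing", "financial"),
    ("b.okafor", "billing", "demographics"),
    ("b.okafor", "billing", "clinical"),    # billing staff with chart access
    ("n.patel", "nurse", "clinical"),
    ("n.patel", "nurse", "financial"),      # nurse with billing data
    ("d.lee", "physician", "clinical"),
    ("d.lee", "physician", "demographics"),
    ("t.zhou", "contractor", "clinical"),   # role has no policy entry at all
]


def review_access(entitlements, policy):
    """Compare granted categories against role policy.

    Returns {user: {"role": ..., "unknown_role": bool, "excess": [...]}}
    containing only users with a finding. A user whose role is missing
    from the policy is reported with every grant listed as excess, since
    nothing authorizes any of it.
    """
    granted = defaultdict(set)
    roles = {}
    for user, role, category in entitlements:
        granted[user].add(category)
        roles[user] = role  # one role per user assumed in this export

    findings = {}
    for user, categories in granted.items():
        role = roles[user]
        if role not in policy:
            findings[user] = {"role": role, "unknown_role": True,
                              "excess": sorted(categories)}
            continue
        excess = categories - policy[role]
        if excess:
            findings[user] = {"role": role, "unknown_role": False,
                              "excess": sorted(excess)}
    return findings


def format_report(findings):
    """Render findings as one line per user for an audit ticket."""
    lines = []
    for user in sorted(findings):
        f = findings[user]
        reason = "no policy for role" if f["unknown_role"] else "beyond role need"
        lines.append(f"{user} ({f['role']}): {', '.join(f['excess'])} [{reason}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(review_access(ENTITLEMENTS, ROLE_POLICY)))
```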

Saturday, February 14, 2015

Ways To Strengthen Healthcare Security

Real safeguards and policy implementations, however, speak louder than any number of crisis meetings. Securing any healthcare organization, from a solo practice to a multi-location hospital system, takes measured planning, technical expertise, and business knowledge. It's the only way security professionals can balance their quest for impenetrable devices and software against medical users' demand for easy, accessible data and tools.

New regulations tied to the Affordable Care Act are now in effect regarding protected health information and electronic health records, which only underscores the need for data security to ensure patient privacy. Healthcare providers recognize that data security is of vital importance to their business.

Healthcare organizations are particularly vulnerable. They house personal health, payment information, and intellectual property -- all lucrative targets for hackers. But most employees want to heal people, not become technologists, and might view technology protections as healthcare speed bumps. As providers, payers, employees, patients, and partners become increasingly intertwined through shared data, transparency, and analytics, the opportunities for loss, error, or theft grow exponentially.

Healthcare had the highest percentage of incidents from theft or loss, the study found, suggesting room for improvement. But employees don't deserve all the blame. Outsiders, such as business associates, contractors, and suppliers, accounted for 68% of the top 10 miscellaneous errors.

Education and regular checks and balances decrease the frequency of incidents. Technologies such as data-loss-prevention software monitor emails and faxes, while mandating that IT alone disposes of equipment helps ensure fewer data-laden devices end up marked for recycling, eBay, or the trash.

Policies are critical to ensuring that an organization's security message permeates departments and shifts. It is one reason a growing number of healthcare organizations are hiring chief security officers (CSOs) or chief information security officers (CISOs) to oversee and govern all areas of protection.

These technology professionals play an important role; security knowledge is vital, but they also require business expertise in healthcare.

Tuesday, January 27, 2015

Preventing Social Media Blunders In Healthcare Settings

Many healthcare organizations are looking for innovative ways to use social media to improve patient care and communications. But first, they must take some essential steps to address the risks involved. 

Here are three steps to take to minimize social media risks - and avoid the publicity that comes with missteps.

1. Define the types of information that must never be posted to social media sites.
One problem that I've heard over and over is that those who inappropriately posted information, images, comments, etc., to social media sites did not think the information was patient information, or that it was not protected by HIPAA.

Take the case from the first example above. The doctor posting the images and unflattering remarks to Facebook and Instagram was a physician from that hospital who was asked to be present but was not the attending physician. He was also an acquaintance of the patient. There was speculation that he felt the images were not protected health information since he was taking them as a friend and not as the primary physician.

All personnel must clearly understand the types of information that are considered to be PHI. They must understand that PHI remains PHI even if the employees think they can use it in other ways as friends or family. They must also realize that protections for PHI are still required even if the patients or insureds have posted similar information or images online themselves.

Suggested Actions:
  • Clearly define and document the PHI collected, stored, processed or otherwise accessed within your organization;
  • Explain to employees that the PHI must never be posted to social media sites without the clear and documented consent of the associated individuals, following the policies and procedures that you create;
  • Provide real-life examples to reinforce understanding.

2. Establish clear and comprehensive policies.
Given the exponential growth in social media use, and the increasing numbers of breaches resulting from inappropriate posts to social media sites, every covered entity and business associate needs to have a documented social media policy, with supporting procedures. The policies and procedures need to include clear direction on what is appropriate and inappropriate to post to social media sites.

Suggested Actions:
  • Meet with key stakeholders to determine the actions that are acceptable and not acceptable, based upon associated risks, with regard to posting information and images to social media sites;
  • Be sure to clearly indicate that even when employees are away from work or using their own personally owned computing devices, PHI must never be inappropriately posted online;
  • Give an individual or team responsibility for monitoring social media policy compliance.

3. Provide training and ongoing awareness communications.
In many, perhaps most, of the incidents involving inappropriate posting of patient information on social media sites, those doing the posting stated they didn't think they had done anything against their organization's policies, or that the organization didn't have any social media policies. Most organizations do not provide regular training on their policies, or the training they provide is ineffective. And they don't send regular reminders to keep employees aware. Providing effective social media training and ongoing awareness reminders is an essential step toward preventing social media breaches.

Suggested Actions:
  • Create social media training to support your policies and procedures. Or, use existing training that aligns with your policies. I've found classroom training or online live webinar training works best because these approaches allow for interaction and questions.
  • Create and use case studies for interactive discussion to see how learners would react to different types of situations involving social media.
  • Send ongoing awareness communications to remind personnel of appropriate uses of social media and policies on posting PHI or other types of personal information.