Medical identity theft is the fastest growing type of identity theft. It is
more lucrative from the attacker's point of view, and it is also very hard to
detect. Detection is a growing problem for the IT and security operations
centers working within healthcare organizations. By law, they must protect
patients' and providers' electronic records. At the same time, there is growing
pressure to expand the security architecture to accommodate more access to
on-demand services. This is particularly true for mobile devices, where a loss
or theft can carry serious consequences.
Healthcare IT, in general, is typically slower to adopt new platforms that
support emerging technologies, in part because a disruption in services could
mean life or death. Healthcare organizations also have a highly fluid user
base. But the proliferation of on-demand patient portals, healthcare
exchanges, fitness-related wearable technologies and health-oriented mobile
applications is pressing forward, with or without IT's blessing.
Securing those portals, and making sure the appropriate controls surround
them, is paramount. All regulated industries struggle continually to meet
consumer demands and compliance mandates at the same time.
Medical records are under more intense scrutiny today in part because of two
recent breaches: Anthem, the largest for-profit managed care company in the
Blue Cross Blue Shield portfolio; and Premera Blue Cross, headquartered in
Washington. Between the two, almost 100 million customers are now at risk of
identity theft.
A stolen record may be worth $1 on the black market, whereas a stolen health
record may fetch $5. Why? A health record contains enough information about a
person to steal their identity and use it to reach many other accounts and
services.
As with many other security issues, education and awareness are key to
improving the security posture of any organization. For health IT, helping
patients, caregivers and providers understand mobile device security best
practices is a good start. Consider training users on the following
safeguards, and requiring them, to minimize risk:
Authentication.
As a policy, users should set up multi-factor authentication to access apps
holding personal health information and credentials. Make sure PIN and
password entry is masked on screen as the code is typed, to reduce the chance
of visual hacking (someone reading the screen over the user's shoulder).

Encryption.
Show mobile users how to enable encryption to protect healthcare and
financial data stored on their smartphones, tablets and laptops.

Enable remote wipe.
If the device is company-owned, consider installing technology to remotely
erase data or disable an app when you believe the device is at substantial
risk of compromise.

Block downloads.
This is a little tougher for healthcare organizations, which may need to share
files for legitimate purposes. But consider, as a policy, disabling
non-essential applications to narrow the exposure.

Install security software.
Many consumers recognize the need for antimalware software, firewalls, VPNs
and other security basics on their desktops or laptops, but fail to install
them on their mobile phones. A little encouragement can go a long way. So does
accepting security updates when the prompt appears on their phones or tablets.

Discourage public Wi-Fi use.
Password-protect a facility's wireless network and warn people to avoid
accessing, receiving or transmitting private patient data in places with
unsecured Wi-Fi. Similarly, in a public setting or anywhere with public
access, a screen shield will keep private patient health data away from
prying eyes.
Lock the device when not in use.
And use automatic log-off. For many years, I used to tell my people, "You are
in healthcare. You aren't working for IBM or Symantec. At the end of that
server or PC is someone's life," and that changes their whole perspective.