Today we hear from Mark Beckmeyer, Binary Fountain’s Director of IT Security. Mark has accumulated more than 30 years of healthcare IT security experience, the vast majority of it spent working with the C-level of healthcare providers and payers around the nation. Mark’s expertise in conducting healthcare security risk and gap assessments and related services affords him an incisive and practical perspective on the ways that healthcare entities can evaluate, implement, and maintain their security compliance programs. Mark holds a D.Sc. (Doctor of Science) in Cybersecurity from Capitol Technology University and an M.A. in Security Management from George Washington University. He offers this overview of security concerns.
Healthcare is a Primary Target of Malicious Activity
Many of healthcare’s evolutions have progressed at breakneck speed, but until recently its embrace of security lagged behind. Pre-HIPAA, you could stand at a nursing station in just about any hospital or clinic and see patient forms and files everywhere – in paper folders, not digital ones. Walk into a patient’s room and there would nearly always be a clipboard filled with medical notes and observations, and not much security to stop an inquisitive visitor from peeking. Information that is protected by law today was expected to be kept private, but there was no requirement to protect and secure Protected Health Information (PHI).
Healthcare data has also been a primary target of malicious activity, putting PHI more at risk. There are several reasons for this. One is the centralization and the sheer quantity of patient and provider data. Another is history: for example, the banking industry was light years ahead of healthcare IT in strengthening security, so the value of stolen credit card numbers became less attractive in comparison. Financial and credit accounts can be closed and new accounts created. A person’s health information can’t simply be cancelled and reopened.
Medical Records Are More Valuable than Financial Records
The illicit market pays more for stolen health information, because it can be used for deeper identity theft, and for filing lucrative fraudulent medical insurance claims. By some estimates, stolen medical records are more valuable on the dark market than financial records – around 20 times more valuable!
Healthcare Data Breaches Continue to Increase
Although stolen data reportedly fetches lower prices at present, because there is so much of it on the market, there seems to be no letup in the onslaught of hacking attempts or theft of data-storing devices. Anthem, Inc., the nation’s second-largest health insurer, reported a massive breach involving some 80 million records at the beginning of 2015. The annual reports of health providers and insurers alike warn investors about the risks of cybercrime. Those reports also note that containing or preventing threats is very costly, and that remediation is not always successful, which leads to loss of public trust and an exodus of customers.
Up to 90% of Breaches Result from Inside Threats
According to experts, a data security breach is more likely than not to result from an inside weakness or attack. By some estimates, internal threats are a factor in up to 90% of all breaches. Indeed, it’s rare for an external threat to succeed without internal flaws or negligence. A prime example of an external threat exploiting an internal flaw is a hack, or the introduction of malicious software, against an unpatched system. Other examples involve unauthorized external access to PHI and other sensitive information made possible by one or more internal security vulnerabilities, such as inadequate or non-existent risk management, security policies and procedures, and workforce security awareness training. This lack of security has also led to situations where employee mishaps create a nightmare for healthcare organizations – for example, there have been cases where individuals have lost laptops containing large amounts of PHI.
HIPAA mandates significant criminal and civil penalties for violations. Still, healthcare organizations were slow to implement adequate security controls. This less-than-urgent attitude was due to vagueness in HIPAA’s security provisions, perceived weakness in the government’s enforcement capabilities, budget constraints, inability to calculate ROI on security expenditures, and a reluctance to grasp the risk posed by the breach of patient healthcare records.
As more of life moved online, public sensitivity to individual privacy rights evolved, and threats of legal action over privacy violations began to rise. The regulatory environment tightened gradually, with the passage of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) and the HIPAA Omnibus Rule of 2013 (Omnibus Rule) to supplement and strengthen HIPAA’s original security provisions.
Protect Your Enterprise
Where can you start when it comes to healthcare IT security? From a high level, C-level executives need to keep on top of innovations in security technology, adopt and implement practical IT safeguards, and train employees on privacy and data protection policies, remind them of those policies regularly, and enforce them. In upcoming posts we’ll explore these measures in more detail, and discuss ways that healthcare organizations can address the technology, cultural and program challenges of data security.
Do you have a healthcare information security concern or question? Let us know what’s on your mind, and look for answers to your concerns in future posts from Mark.