BreachExchange mailing list archives

Important Lessons for Health Data Privacy, Security in 2015


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 21 May 2015 19:13:40 -0600

http://healthitsecurity.com/news/important-lessons-for-health-data-privacy-security-in-2015

Health data privacy and security issues are not going to disappear anytime
soon, and will likely continue to evolve along with technology. Covered
entities need to keep their privacy and security measures current,
especially as they integrate new systems and devices into their daily
routines.

While the Anthem and Premera data breaches were not shining moments for the
healthcare industry, several healthcare leaders state that it is important
for other providers to take those situations and learn from them.

The large-scale healthcare data breaches reported earlier this year were
definitely a wakeup call to the industry, according to Seattle Children’s
Hospital CISO Cris Ewell, Ph.D. Adversaries are now looking toward medical
data to be used in multiple avenues, such as Medicare insurance fraud or
medical identity theft, he said in an interview with HealthITSecurity.com.

“We have to take notice of that and start really paying attention to the
practices that we have related to cybercrime and just vulnerabilities in
general,” Ewell said.

Sharing data securely is becoming more important for healthcare, he added.
Whether facilities are sharing internally or externally, either to
third-party organizations or fellow providers, it’s essential to do that in
a secure way. Cloud technology is on the rise, as is the use of mobile
devices, and healthcare processes weren’t originally designed to account
for all of that, Ewell said.

“How do we ensure that we are protecting all that data and still allowing
the interaction between the clinician and the patient?” he asked.

For Seattle Children’s specifically, Ewell explained that the population
does not want to use the telephone, and would rather text and use other
communication applications. A key issue is to find ways to utilize that
technology in a secure way.

“We have some new vendors coming out, some new technologies to help with
secure texting and those type of things,” Ewell said. “But I think the
technology has to catch up with the actual interaction.”

Sanjeev Sah, Director of IS Risk & Controls at Texas Children's Hospital,
said that maintaining HIPAA compliance and implementing the necessary
federal safeguards are top issues for healthcare in 2015.

“We want to ensure that we are protected from threats from a security
perspective,” Sah said. “Also, we want to make sure we are meeting our
compliance obligations when it comes to safeguarding health information,
either in due force of business or when we exchange data with other
entities for business purposes. We need to be focused on that front.”

The other key focus area needs to be on patient expectations when it comes
to their data security, Sah explained, and facilities must focus on
adhering to the HIPAA and HITECH safeguards.

“The focus in 2015 is much more about ensuring that the [health data]
compromises are not traditional in nature,” he said. “We have the ability
to detect them from a safeguard perspective and take preventative measures
before they ever take place. There’s a bit of anticipation that goes into
this.”

Key takeaways from large health data breaches

Health data security must go beyond the technical safeguards, according to
Sah, and it requires covered entities to be vigilant on numerous fronts.
Comprehensive security comes from understanding the facility's existing
gaps on each of those fronts and closing them.

“Breaches can be highly damaging to an entity from a reputation
perspective, and is highly damaging,” Sah said. “Learning and applying
those lessons to safeguard your own environment is what I take away from
these breaches.”

Proper auditing is something that healthcare facilities of all sizes need
to adhere to, according to Aaron Kramer, Director of Information Technology
at St. Lukes/Cornwall Hospital. Facilities need to ensure that employees
who have permissions to access certain files or databases actually should
have those permissions in order to do their job properly.

“It’s difficult to plug all [security] holes,” Kramer said, adding that
smaller entities likely have limited resources when compared to larger
providers.

“A place like Anthem has a tremendous amount of resources, much more than a
community hospital,” he explained. “It’s always a challenge making sure we
can put enough resources toward securing everything that’s required.”

Ewell echoed those sentiments, adding that his facility’s practice revolves
around the assumption that a data breach will take place.

“You can certainly help mitigate it, but a very vengeful person or someone
who is directed to accessing your system, they will be able to do it,”
Ewell said. “The adversaries are that good, so with that in mind, it’s a
good reminder that [breaches] do happen.”

Another key element is for healthcare organizations to have a strong
information security program based on risk, according to Ewell. Seattle
Children’s has been “beefing up” its intelligence and monitoring program,
he said, to ensure that if a data security breach does happen, the
organization can detect it as quickly as possible.

How employee training can affect the organization

Employee training and awareness programs will have a huge effect on covered
entities, according to all three healthcare leaders. With anything from
phishing scams to sophisticated cyber attacks putting health data at risk,
it’s important for staff members to have a comprehensive idea of what type
of malicious activity to be on alert for.

“The trick is, how do we balance that with everything else that’s required
for [employees] to keep up their practices and actually what they need to
do: treat patients,” Ewell said.

Not only is employee training critical, according to Sah, but it is
necessary at every level. Everyone from senior leadership to individual
contributors to those affiliated with a covered entity's partners and
vendors must have an understanding of proper health data security.

“All can fail if people are not aware,” Sah said. “And they need to be
aware in a way that when they see malicious activity or they see something
abnormal, that they have the awareness, knowledge, and know-how to take the
next step of action.”

For example, if an employee sees what they think might be a phishing email,
it’s essential to not only recognize it as malicious activity, but to then
take the next step and notify the necessary personnel. That will better
help the organization respond to the issue, Sah explained.

“A single person who is not aware can still cause a gap that can then be
leveraged to create the types of threats or attacks we’ve seen,” said Sah.
“[Employee training] is the most invaluable thing that any organization can
do.”

The future of healthcare privacy and security

One positive factor that can help healthcare improve its privacy and
security measures, according to Kramer, is that more organizations are
creating C-level positions that handle those issues. It's no longer just
an IT focus, Kramer explained; it's a concern for the entire organization.

Even so, the healthcare industry as a whole is very immature when it comes
to the protection of its data, according to Ewell, and that immaturity is
becoming more evident. Risk management cannot be overlooked, regardless of
an organization's size, he explained. The gap could be due in large part to
the majority of physician practices being small and unable to hire
individuals whose sole job is to manage risk and oversee security issues.

“We keep making things more secure, but our adversaries are just as quick
and they are very well funded, and that’s the problem,” Ewell said. “We
just aren’t moving fast enough.”