I’ve written a good deal about hype in the past year or so, and how I believe the security industry does itself a disservice by continually playing up issues to serve its own short-sighted purposes. However, it’s also been my experience that, for one reason or another, there are segments of the security market that aren’t discussed enough. One of those segments is healthcare. While retail breaches continue to dominate headlines (most notably Target), healthcare security issues continue to fly under the radar.
During the past several months, it’s been hard to escape media coverage and updates about Payment Card Industry (PCI) compliance and how retail companies such as Neiman Marcus failed to meet the standards outlined by their governing bodies. What most people probably don’t know is that PCI as an industry standard doesn’t come close to containing the teeth of the compliance standards facing the healthcare industry, most notably HIPAA (Health Insurance Portability and Accountability Act). While security is serious business in every industry, and the failure to protect customer data can always have severe consequences, no security failures are as particularly devastating and far-reaching as they are in healthcare.
On the surface it may seem as though credit card information would be the most valuable asset for a would-be hacker, but in reality, healthcare records are the Holy Grail. I recently read that credit card information is selling for approximately one dollar per account on the black market, whereas a healthcare record goes for upwards of $50. Activity from hackers backs up this assertion as well. As with any business or enterprise, if you want the real story, follow the money. According to the Ponemon Institute’s Fourth Annual Benchmark Study on Patient Privacy and Data Security:
• 90 percent of healthcare organizations have reported a data breach in the past two years.
• Attacks on healthcare systems have increased 100 percent since the first study in 2010.
• The annual cost of healthcare data breaches has been estimated as high as $5.6 billion.
• 69 percent of study respondents report that the Affordable Care Act increases risk to patient privacy and security.
Healthcare providers are faced with a set of unique challenges that are specific to their industry. They are charged with protecting patient privacy and sensitive data, while also increasing access to healthcare services. At the same time, fines related to HIPAA are on the rise, and the US Department of Health and Human Services Office for Civil Rights (OCR) is aggressively and proactively auditing healthcare organizations.
For healthcare organizations, it is critical to avoid HIPAA fines and protect funding resulting from the Health Information Technology for Economic and Clinical Health (HITECH) Act. According to Meaningful Use regulations, healthcare organizations must meet specific criteria to receive and retain incentive payments offered through the HITECH program.
So, the question becomes what should healthcare providers do to shore up their security and protect themselves from fines and damage to brand reputation? I would suggest enhancing standard periodic risk assessments with a process that produces actionable information that IT operations can use to help identify potential threats to electronic protected health information (ePHI). With a plan in place, the security professionals within a healthcare facility or network can better manage potential risks to the organization, demonstrate their readiness to patch any critical vulnerabilities and avoid the potential for large fines and penalties.
Breakthroughs in healthcare technology allow doctors from around the globe to consult in real-time, ensuring that patients are receiving the best care possible. A good example of this is the ability for a doctor at a small, remote hospital to work in tandem with a specialist from a large-market hospital like Massachusetts General to conduct a procedure that would be unfathomable even a few years ago. These innovations are improving care and saving lives.
However, once something is on a network and connected to the Internet, the threat of being hacked becomes a real possibility. Every time technology is used for the greater good, we must remember there is also a group of malicious opportunists waiting to pounce. The oversight for the protection of healthcare information is only getting tighter, and it is incumbent upon the security teams to ensure healthcare professionals have all the tools necessary to improve patient outcomes, while we worry about keeping the bad guys away. Maybe this is one instance where a little hype would do us some good.
By Mark Hatton