EMR Industry.com recently conducted a Q & A session with healthcare industry executives to address the growing increase of data theft from EHR and other IT systems used in healthcare facilities, insurance companies and other organizations associated with the industry.
- Why do you think the healthcare industry has been targeted so hard with data theft as opposed to other sectors?
“The value of personal health information far exceeds the value of a credit card or social security numbers. There is enough information to create a complete identification for the purpose of forging passports, applying for credit cards or bank loans, stealing health services and blackmailing patients. In addition, medical records contain descriptive data, relatives, insurance numbers, medical diagnoses including mental health issues, addictions and contagious diseases,” says Warren Brennan, co-founder, New Health Analytics.
“Healthcare is a wide open, caring environment; lots of moving parts and very complex administration and clinical settings with tons of vendors, payers, networked clinical devices, applications, approvers, etc. Literally hospitals are chock full of electronic protected health information (EPHI),” says Feisal Nanji, executive director, Techumen.
“Healthcare is an easy target. Its security systems tend to be less mature than those of other industries, such as finance and tech. Its doctors and nurses depend on data to perform time-sensitive and life-saving work. Personal health information is 50 times more valuable on the black market than financial information. Stolen patient health records can fetch as much as $363 per record,” Santosh Varughese, co-founder and president, Cognetyx.
“Well, I think other industry sectors are also being hit by data theft, but the health care industry has been a particularly rich target. The data is valuable because it both ubiquitous and persistent, in addition to being highly personal. Persistence is important, because unlike credit cards, you can’t just cancel health records and issue new ones. The very personal nature of health records also provides an exceptional amount of detailed information that can be used to proliferate additional security breaches or make identity theft harder to detect and stop,” says Peter Glynn, chief commercial officer, Sandbox Logistics.
“That, unfortunately, is pretty simple to answer. It is a two-part answer, however, and everyone stops at the first part. Healthcare—thanks to EMRs, digitalization, mobility and other factors— finds itself with huge volumes of very valuable and marketable data. Payers and providers have large amounts of protected health information in digital formats. They are being required to share much of this data (from both a regulatory and market perspective), “says David Finn, health information technology officer, Symantec. “That is the part that is easy to understand, but the second part of that answer is really where the problem lies. It also finds itself woefully lacking in understanding the responsibility for, and the techniques of, securing that data. This is an industry where, historically, the job of information protection has fallen to the CIO and the IT department. In the age of Meaningful Use and the Affordable Care Act, security is not just an IT issue. The information, appropriate access to it, and its availability and protection are strategic to the clinical and business operations of the organization.”
- Why is the problem so difficult to solve?
“Healthcare providers have worked hard to implement EHR systems that warehouse huge amounts of data in one location. Access to that data can be required for thousands of internal and external users. Far fewer resources have been allocated to protecting the data than making it available. Providers are simply not prepared to withstand the continuous attacks from organized criminal groups with far more resources,” says Brennan.
“Care settings are by definition focused on care and not data. As a result, with so much being shared so easily by so many, it’s a challenge to keep electronic patient health information (ePHI) secure,” says Nanji.
“Where a financial-services firm might spend a third of its budget on information technology, hospitals spend only about 2% to 3%. The healthcare industry has traditionally spent a small fraction of its budget on cyber defense. Equally important, the industry has not shored up its technical systems against hackers,” says Varughese.
“One key reason is that the ever increasing demand on resources (financial and human) within the health care industry tends to get spent on healthcare rather than support functions. Legacy IT systems in the industry are complex and fragmented, making them vulnerable to attack and difficult to protect. A determined hacker often has the advantage of keeping one step ahead, unless substantial resources are applied to the problem. The demand on already stretched resources makes it a tough problem for the industry to solve. It is one of the reasons why more effective digital security tools will be needed going forward,” says Glynn.
“The data that is so valuable for nefarious purposes, and so protected by law, is at the core of the clinical processes and business processes to conduct healthcare. At a restaurant, they want your name and a credit card. At the hospital, they need all your demographic information, insurance accounts, maybe a social security number. The restaurant sends that information to a card company for payment. At a hospital or clinic it may go to or come from dozens of other organizations –payers, other providers, DME providers, reference labs and on and on,” says Finn. “We’ve seen what retailers have struggled with moving to chip cards from swipe cards. In healthcare, you are not only simply changing a technology; you have to redesign core business processes (both internal and external); rewrite policy and procedure from top to bottom and retrain everyone in the organization who collects, stores, uses, and accesses Protected Health Information (PHI). Throw in cloud-based apps, medical devices, remote care and the consumerization of technology and you have a very complex, highly dynamic environment with an increasingly dangerous threat landscape—because the ‘bad guys’ still want that data. It requires a huge effort in terms of money and people and a lot of focus—it is fundamentally a cultural change in how we think about data.”
- In your opinion, what should the industry be doing to end this problem?
“Research has shown that virtually all data breaches and HIPAA violations involve stolen or unauthorized use of credentials. There are new technologies such as ambient cognitive cyber surveillance available that can create a behavioral fingerprint for every authorized user. This fingerprint can be used to verify that the user of a credential is in fact the owner. Criminals that penetrate perimeter defenses, do so to steal credentials. When they attempt to use the stolen credential, it is almost impossible to replicate the owners’ behavior. The technology also recognizes when the owner of the credential is using it to access data in an authorized manner. The technology notifies a designated data manager in real time that the user is not the owner of the credential and access can be stopped,” says Brennan.
“Not a simple answer, but training and adequate spending on security processes and tools will make a big difference. As a percent of revenue, hospitals spend far less than banks for example,” says Nanji.
“Many organizations employ network surveillance tactics to prevent the misuse of login credentials. These involve the use of behavior analysis, a technique that the financial industry uses to detect credit card fraud. The technology relies on the proven power of cloud technology to combine artificial intelligence with machine learning algorithms. This creates and deploys “digital fingerprints” using ambient cognitive cyber surveillance to cast a net over EHRs and other hospital data sanctuaries,” says Varughese.
“In my opinion the industry needs to go beyond the firewall. Today, much of the effort is devoted to preventing breeches and keeping the bad guys out, but they are constantly evolving their tactics and effectively breeching security defenses. More effort needs to be spent on rapid detection so incursions can be stopped before a lot of damage is done. Also, we need to turn the problem around by developing systems that stop the bad guys by knowing the good guys better. The key to detecting counterfeits is not trying to understand every possible counterfeit, but to deeply understand the one original. Increases in computing power and the sophistication of machine learning algorithms allow for better modeling of legitimate user activity, which can then be used to detect and stop intruders, even if they have breeched perimeter security defenses,” says Glynn.
“Healthcare should be doing what every other regulated industry has been doing for decades. It starts with asking the right questions, which the industry has not done yet. When healthcare leaders outside of IT talk about cybersecurity today, the question is usually, ‘How do we protect ourselves and comply with all these regulations, and how do we keep from being the next headline’. The question should be, ‘How can we make good, rational decisions (business and clinical) given the risks we face’. You will always get the wrong answer if you ask the wrong question, and the results have borne that out, consistently and repeatedly. Far too often security is relegated to the IT department rather than making it a strategic function of the business,” says Finn. “The five key principles of compliance and security are these: governance, secure information access, information protection, infrastructure management and infrastructure security and protection. Don’t get me wrong, there are a lot of tools, training, and workflows as you look across these areas, but it all starts with governance, in this case, information governance. Like any other critical asset (people, capital, or inventory), information is a strategic asset that requires high-level oversight in order to be able to use it effectively for decision-making, for performance improvement, for cost management, and for risk management. Strong information governance will shift the focus from technology solutions to the people and policies that generate, use, and manage the data and information required for care and the related process. This means making information security not only a technology issue, but a business issue. You will always need security tools around the data, but the business must assess and manage risk with technical guidance not only from IT, but all stakeholders in the data.”
- Should a government initiative be created to address the issue?
“There are already government initiatives to address the personal health information security issues,” says Brennan.
“No. This requires atomistic approaches at the site level; good guidelines from the government already exist such as NIST 800-30 and NIST 800-53 and other NIST publications,” says Nanji.
“We have seen many government initiatives come and go. If the government wants to provide funding and grants for private industry research and academic initiatives, I think that would help put us on par with other governments. While long held standards from HIPAA and other compliance organizations have generally worked well, it is the innovation from research and experimentation that will ultimately lead the way,” says Varughese.
“I certainly hope that it does not come to that. Private Sector solutions are generally the best way to deal with a challenge quickly and cost effectively. However, if the problem cannot be solved effectively by industry, the continued exposure of individual health records could very well lead to greater government involvement in the issue,” says Glynn.
“Well, I don’t think anyone is looking for more rules and regulations, unfortunately the largest piece of legislation around this data and protecting it is HIPAA, and that includes the Privacy and Security Rules. They were intended to set a floor, not a standard. And many elements of the rules were addressable, which was interpreted by the industry as ‘optional’. Now it is time to set some standards, provide some actual requirements and get the industry all on the same page. As we begin to share information across critical infrastructure sectors of the economy, for example, we can’t all be talking a different language. Every other sector and the federal government have adopted the National Institute of Standards and Technology’s (NIST) Cyber Security Framework, not healthcare. How will we share data? The clinical people talk about interoperability, but it is really the same problem from the cyber perspective. You can have a lot of data across the industry, even multiple industries, but if you can’t share it in a way that becomes actionable, you’ve just moved around a bunch of data,” says Finn. “I think we have the basics in place, HIPAA probably needs a refresh around technology and then some real requirements and regular, consistent enforcement. One of the things that drive me crazy is encryption, for example. It is addressable—so not many people did it. If encryption had been required, roughly two-thirds of the breaches on the HHS Wall of Shame between 2009 and 2015 wouldn’t have been breaches. This is really a no-brainer.”
- How long do you think it will take to meaningfully reduce the hacks that seem to occur daily?
“Following the recent Yahoo breach, I began to think about the difference between this hack and personal health information hacks. Credit card companies and e-mail providers do not have to face customers as they are simply account numbers. It will be business as usual once the dust settles,” says Brennan. “Patients with hacked personal health information data are frequently employees, family, friends and others that hospital staffs have some personal contact with. They are concentrated enough in the community to bring political pressure on board members, hospital leaders and governing entities. They are also likely to express their anger once they experience damage. Unlike a credit card or e-mail account, stolen identifications cannot be turned off and the damage can continue for years.”
“A steady focused and fully funded effort would bring most hospitals in line with the financial world over two years which is very good,” says Nanji.
“This is a more difficult crystal ball initiative. I believe if healthcare organizations do take the initiative to implement some of the initiatives we describe in our responses here, including ambient cognitive cyber surveillance to protect healthcare information assets against cyber security threats, data breaches and privacy violations, we can help turn the tide and bring an end to these terrible data hacks,” says Varughese.
“The hacks are occurring because the health care system is vulnerable and the data it contains is valuable. The data will always be valuable. So new solutions are urgently needed if we are going to reduce the number of hacks taking place. The reality is that most hacks go undetected for weeks or months, and when they are detected the damage has already been done. Currently, a tremendous amount of work is being done using advanced technology to create better security solutions. Infallible defenses are not a practical objective. The creation of more nimble, adaptive defenses is, I think, a better approach. I think that over the next 2-3 years we will see the deployment many new technologies that will reduce the current number of hacks in the health care industry,” says Glynn.
“Well, that’s a trick question, in my book, but a good one. The hacks and attacks will not abate in the foreseeable future. Can we reduce the number of successful data breaches and ransomware attacks, for example? Yes, and we could do that fairly quickly with some training of end-users, with some additional tools and/or services at the organization level and with appropriate staffing and training of the security and risk management functions in healthcare. That will take board-level and senior management engagement and sponsorship,” says Finn. “I can tell you that we’ve seen success in both these areas with minimal investment. It just takes the focus and organizational will to make the change. And then you have to begin to design and implement security as a strategy driven by the business needs—that is probably a 3 to 5 year effort, but that is when you’ll see real change. No one lets their buildings go unmaintained and yet the data is just as important an asset as the facility. I’d say that it is more important: the data actually represents the patient and no one leaves patients unattended or unprotected in their hospital or clinic. Why would you not protect their information to the same degree?”
