Cybersecurity remains a hot issue in healthcare. A number of respected industry bodies and surveys have highlighted this as a big worry for risk managers this year and the recent Heartbleed bug highlighted the very real threat the issue represents for healthcare bodies in the US. HRMR reports.
Cybersecurity is a headache not just for IT technicians—it is also high up the agenda of front line services. Risks associated with health data topped a list of patient safety concerns released this week by ECRI Institute, an independent, non-profit organization that researches the best approaches to improving the safety, quality, and cost-effectiveness of patient care.
“It is often challenging to be able to patch all systems and devices within recommended timeframes due to the fact that these systems are used for 24/7 patient care." Greg Michaels
A particular area of concern, the body said, was the integrity of data in health information technology (IT) systems. While appropriately designed and implemented systems can support patient safety and quality of care, incorrect data can lead to patient harm.
Meanwhile, a panel at the Protected Health Information (PHI) Protection Network (PPN) conference held in April in Anaheim, CA, highlighted mobile devices, cloud computing and healthcare data transmission as the top three key threats to healthcare data security in 2014.
Keynote speaker Joanne McNabb, director of privacy education and policy for the California Department of Justice Office of the Attorney General, made the case for laptop encryption as a first course of action.
“Many of the healthcare breaches reported to the Attorney General’s office are of a type that could be prevented by the strategic use of strong encryption,” said McNabb.
Another keynote speaker, Larry Clinton, president and chief executive officer of the Internet Security Alliance (ISA), suggested that the frequent assumption that the primary threat to data security comes from individual hackers is simply wrong.
“Organized crime has figured out that the going rate for a full health record is approximately $1,300 per record,” Clinton said. “That’s a powerful incentive for malicious action.”
Bob Chaput, founder and CEO of Clearwater Compliance, a national Health Insurance Portability and Accountability Act (HIPAA) compliance leader, noted that an organization cannot effectively prioritize tasks for risk mitigation until they evaluate the lie of the land.
“There is no substitute for starting with a comprehensive risk analysis which addresses the explicit factors laid out in the HITECH Act,” he said.
Bleeding bugs
The much-publicised Heartbleed website security bug is a big worry for many. In an interview with HRMR, Greg Michaels, associate managing director for corporate investigations and risk consulting firm Kroll, emphasized that the bug poses a very serious threat for the healthcare industry and those responsible for managing the security of IT systems.
He said that Heartbleed vulnerability can be found in any type of system or device which uses OpenSSL for encrypted connections. For healthcare organizations, this may include servers, network devices, phones, email, electronic health record (EHR) systems, health information exchange (HIE) portals, insurance portals and medical devices.
In addition to this, he noted, healthcare organizations are typically managing numerous systems and devices internally as well as external systems hosted by business associates or other third parties.
“It is often challenging to be able to patch all systems and devices within recommended timeframes due to the fact that these systems are used for 24/7 patient care and not all updates are supported by vendors,” he said.
The Heartbleed vulnerability is a weakness in the way the OpenSSL code (versions 1.0.1— 1.0.1f) performs boundary checks for variables. This weakness can be exploited by an attacker to reveal confidential information, passwords and encryption keys. The vulnerability has existed for more than two years but recently its exploit code has been made public, increasing the number of people who can use the bug.
“That’s what has caused the ripple in the water,” said Michaels. “Now that it’s public, this vulnerability needs to be addressed immediately since even an inexperienced attacker can fairly easily run this code to initiate an attack.”
He said the most important step in protecting healthcare systems from this vulnerability is to work with the various stakeholders (ie, IT, clinical departments, business associates, third parties, etc) to determine what systems and devices may be vulnerable.
Systems and devices with the highest risk of being attacked (for example, externally facing systems, third party hosted systems) need to be updated immediately. Lower priority systems (for example, internally facing systems protected by the organization’s firewall) will need to have a plan in place to apply patches as soon as possible.
“For healthcare IT leaders, it will be vital to communicate the critical nature of this vulnerability to ensure these risks and solutions are documented accordingly and that system downtime can be planned,” he added.
Paying the price
A stark reminder of the importance of cybersecurity also came in the form of two recent major HIPAA enforcement actions. Two entities have paid the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) $1,975,220 collectively to resolve potential violations of the HIPAA Privacy and Security Rules.
“Covered entities and business associates must understand that mobile device security is their obligation,” said Susan McAndrew, OCR’s deputy director of health information privacy. “Our message to these organizations is simple: encryption is your best defense against these incidents.”
In a bid to help providers with HIPAA compliance, the HHS has released a new security risk assessment tool. The security risk assessment (SRA) tool is targeted at healthcare providers in small to medium sized offices.
The result of a collaborative effort by the HHS Office of the National Coordinator for Health IT (ONC) and OCR, it is designed to help practices conduct and document a risk assessment in a thorough, organized fashion at their own pace by allowing them to assess the information security risks in their organizations under the HIPAA security rules.
HIPAA requires organizations that handle PHI to regularly review the administrative, physical and technical safeguards they have in place to protect the security of the information.
By conducting these risk assessments, healthcare providers can uncover potential weaknesses in their security policies, processes and systems. Risk assessments also help providers address vulnerabilities, potentially preventing health data breaches or other adverse security events. A vigorous risk assessment process supports improved security of patient health data.
“We are pleased to have collaborated with the ONC on this project,” said McAndrew. “We believe this tool will greatly assist providers in performing a risk assessment to meet their obligations under the HIPAA security rules.”
Working together
A further initiative from the HHS came in a draft report that includes a proposed strategy and recommendations for a health IT framework, which promotes product innovation while maintaining appropriate patient protections and avoiding regulatory duplication.
The congressionally mandated report was developed by the US Food and Drug Administration (FDA) in consultation with two other federal agencies that oversee health IT: the ONC and the Federal Communications Commission (FCC).
It was developed in collaboration with health IT experts and consumer representatives and proposes to clarify oversight of health IT products based on a product’s function and the potential risk to patients who use it.
“The diverse and rapidly developing industry of health IT requires a thoughtful, flexible approach,” said HHS secretary Kathleen Sebelius. “This proposed strategy is designed to promote innovation and provide technology to consumers and healthcare providers while maintaining patient safety.”
As proposed in the draft report, posted on the ONC, FDA and FCC websites, there would be three health IT categories, based on function and level of risk, that focus on what the product does, not on the platform on which it operates (mobile medical device, PC, or cloud-based, for example). The FDA seeks public comment on the draft document.
Health IT was also on the agenda for a new multi-stakeholder partnership created to generate new knowledge on safe health IT practices. Launched by ECRI Institute Patient Safety Organization (PSO), the Partnership for Promoting Health IT Patient Safety creates a national framework to proactively identify health IT safety issues within a non-punitive learning environment to improve health IT patient safety. It is the first program of its kind to provide collaboration between health IT vendors, providers, professional societies, PSOs, policymakers, and others toward achieving health IT-enabled patient safety.
“The innovation comes because we’ve invited vendors to participate in this collaboration, so it won’t just be a patient safety organization, or a clinician, or an expert looking at these events in a vacuum,” said Ronni Solomon, executive vice president and general counsel, ECRI Institute. “We’re all going to be looking at what’s happening, why it’s happening, and what we can do to prevent it.”
Through collaboration, the partnership aims to tap into pooled expertise to study health IT-related events and hazards, identify promising solutions and best practices, and engage stakeholders in sharing the lessons learned.
“We will now be able to analyze similar issues but through different lenses and better identify the breaks in the process that may be apparent only to one stakeholder,” said Dr Karen Zimmer, medical director, ECRI Institute PSO.
“For example, a system may work well when implemented, but if a provider creates a work-around, there may be unintended consequences. We are hoping to enhance the learnings and then together come up with solutions that would address these issues,” she added.
Joanne McNabb, Cybersecurity, ECRI Institute, US, Larry Clinton, Bob Chaput, Greg Michaels
