Protect your network! HIPAA isn’t enough
September 2, 2014 in Medical Technology
At first glance, a look at the numbers from HIMSS Analytics’ database would seem to offer some encouraging news about U.S. healthcare providers’ privacy and security preparedness.
A survey of healthcare organizations nationwide finds that basic security technologies are pretty well-ensconced at most hospitals. Single sign-on authentication may still has some ground to make up – installed at 48.9 percent of providers, compared to 46.9 percent who don’t have it – but it’s gained a considerable foothold since 2009, when barely more than one quarter of facilities (26.3 percent) were making use of it.
[See also: Breach alert: Hackers swipe data of 4.5M]
As for other protections, such as firewalls and spam/spyware filters, majorities of hospitals have them in place: 89.3 percent and 85.2 percent, respectively.
Even encryption – which has long been underused in healthcare for such a relatively simple safeguard that’s so commonplace in other industries – shows impressive, some might say surprising, uptake: 78.1 percent of hospitals use it, versus 20.5 percent who don’t.
[See also: Privacy and security experts will share best practices Sept. 8-9]
That’s as it should be, says Lisa Gallagher, vice president of technology solutions at HIMSS. Encryption, after all, “is really not that difficult to implement. So it should be implemented, and we’ve said that for years.”
“It’s a lot more user-friendly and seamless than before,” adds Lee Kim, HIMSS’ director of privacy and security. “As a result, it’s being deployed more by providers. That’s a positive trend.”
So that’s the good news. The bad? The breaches keep piling up, and the the threats are multiplying, harder to get a handle on with every passing day.
As of June 30, more than 1,000 breaches affecting more than 500 patients each – a total of nearly 32,000,000 people! – have been reported to the Department of Health Human Services.
Some 7.1 million patient records were breached in 2013, according to the most recent annual Redspin Breach Report, published this past February – a 137.7 percent increase since 2012.
Worse, the threat seems only to be getting more multi-tentacled. Once thought merely to be a problem of snooping employees or hapless business associates, an increasing number of breaches nowadays are coming from hackers and other cybercriminals, as they wise up to the monetary value of electronic patient records.
Just after this story went to press for the September 2014 print issue, news broke of the massive attack aimed at 206-hospital Community Health Systems — the second-largest HIPAA breach ever reported — in which Chinese hackers, over the course of several months, “used highly sophisticated malware and technology” to gain access to 4.5 million patient records.
Hackers took advantage of the infamous OpenSSL “Heartbleed” vulnerability. It’s been a widely-publicized potential threat, with no shortage of tools to detect and protect against it; the fact that it was exploited in this case left many security experts shaking their heads.
Writing in the New England Journal of Medicine recently, Eric Perakslis, executive director of Harvard Medical School’s Center for Biomedical Informatics, pointed out that 72 percent of cyberattacks have been aimed at hospitals, group practices and other providers organizations.
Healthcare “is being aggressively and specifically targeted,” he wrote.
Perakslis makes the cast that an “active learning approach” – including real-time surveillance of emerging threats – is the right way to better prioritize protection strategies and prevention tactics.
“My biggest concern is that there are just so many more threats against our space,” says Kim. “Hackers have been in the news, and all the various breeds of malware that have been cranked out, programs that can build customized malware to a specific target … the worry is that there are so many sources of threat intelligence that need to be scooped up from various sources.”
Since “we can’t just hermetically seal our information systems and computers and smartphones from the bad things that are trying to infiltrate them,” she says, the best we can do is know as much as we can about what we’re up against.
[See also: Massive data breach: Time for sports analogies?]
Not that it’s easy, of course. It’s “very, very trying” for healthcare organizations to vacuum up all the threat intelligence that’s out there, “the best and freshest and most comprehensive,” she says. “There is just so much out there. There needs to be a more systematic, easier way to do this.”
Kim says providers are moving toward more of a “holistic, community-oriented approach” to threat intelligence. But still, constance vigilance at one’s own organization, intimate knowledge of one’s own network, is critical.
Article source: http://www.healthcareitnews.com/news/you-need-be-your-toes