Locking Out Cybersecurity Hacks of Health Data
As we step into 2016, we can hope that cybersecurity in healthcare will fare better in the year ahead than in the one we’ve left behind.
In 2015, the top five breaches alone affected a total of 108.2 million individuals. One of those breaches, the hacking of health insurer Anthem last March, impacted almost 79 million people all by itself. A breach at UCLA Health in July also made it into the top five, impacting 4.5 million patients. As in some of the other incidents, the patient data affected was unencrypted.
Cybersecurity is a chronic illness that faces healthcare, requiring an ongoing array of interventions and treatments to keep health systems safe and on their feet. Here, we’ll take a look at why hackers want in and what you can do to help keep them out.
HEALTHCARE IS A RICH TARGET
There’s a wealth of personal, medical and financial information available in healthcare databases and hackers know the industry hasn’t kept up with the latest security standards like other industries have. This is due to many factors, including the use of legacy systems, inadequate IT security budgets and lack of in-house expertise.
Unfortunately, breaches in healthcare are nothing new and they’re only going to grow. However, the dynamics of hacking may be changing. In a recent webinar hosted by the UC Berkeley School of Information, data experts discussed why the recent hack of the affair-promoting Ashley Madison dating website represents a turning point in data, privacy and security.
Three points in particular also have ramifications for healthcare:
◗ Hacker motivation is changing. Increasingly, ideologues are stepping up to the plate to make a point. That was the case with the Ashley Madison hack and is what happened at Boston Children’s Hospital in 2014, when the group Anonymous allegedly invaded the hospital’s network due to controversy over the Justina Pelletier case.
◗ Hacker techniques are less sophisticated. Many incidents exploit weak passwords and so-called “spear phishing” email attacks (where hackers pretend to be someone — or some organization — you know). Those techniques are easy routes to gain access to valuable information.
◗ The economics of hacking are changing. In healthcare, hackers have a variety of avenues to make a profit from the rich depository of data that’s available — including the ability to use medical information to obtain prescription drugs and sell them on the black market.
HIPAA COMPLIANCE AND CYBERSECURITY
When HIPAA was first enacted in 1996, cybersecurity wasn’t yet such an issue. That’s why the law itself isn’t stringent about IT security standards such as the encryption of sensitive data. Instead, HIPAA “strongly recommends” that encryption standards be maintained. (Encryption involves the use of mathematical formulas to scramble data so that it’s not readable without the correct key.)
Some in the healthcare world say that the HIPAA Security Rule should be updated in order to better account for the sophisticated cybersecurity attacks that healthcare is now facing. However, Jodi Daniel, J.D., MPH, former policy director of the Department of Health and Human Services (HHS) Office of the National Coordinator for Health IT, says she doesn’t see the need. “If folks do these [HIPAA-required security] risk assessments, and do them well,” she says, “then they can continually adapt their security practices, policies and technologies to reflect new risks as well as new capabilities and technologies that are available to mitigate those risks.”
The HITECH Act of 2009 encouraged the expanded use of encryption in the healthcare industry, required public disclosure of any health data breach affecting 500 or more individuals and created an exemption from that disclosure for entities whose breached data was encrypted. Since the HHS Office for Civil Rights maintains an online “Wall of Shame” listing each reported breach, organizations would be well-advised to use encryption to stay off the list.
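The encryption described above (data scrambled under a key, unreadable without it) and the reason encrypted data can qualify for the HITECH exemption can be shown concretely. The following Go program is an added example written for this article, not code from the author or from any vendor; it uses only the Go standard library, the patient record is constructed sample data, and the function names (NewKey, Seal, Open) are the example's own. It encrypts the record with AES-256-GCM, then demonstrates that a second, wrong key (the position a thief with a lost device is in) recovers nothing, and that any tampering with the stored ciphertext is detected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleRecord is a constructed stand-in for the kind of protected health
// information a laptop or tablet might carry. It is not real patient data.
const sampleRecord = "MRN 000123; Jane Example; DOB 1970-01-01; Dx: hypertension"

// NewKey returns a fresh random 256-bit AES key. On a real device the key
// belongs in a hardware-backed keystore, never in the same file as the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext under key with AES-256-GCM and returns
// nonce || ciphertext || authentication tag as one byte slice.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; reusing one under the same key breaks GCM.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. With the wrong key, or with a modified ciphertext,
// the GCM authentication check fails and no plaintext is returned at all.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed record too short to contain a nonce")
	}
	nonce, ciphertext := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, nil)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Seal(key, []byte(sampleRecord))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored on device: %x\n", sealed)

	// The legitimate holder of the key reads the record back.
	plain, err := Open(key, sealed)
	fmt.Printf("with correct key: %q (err=%v)\n", plain, err)

	// Someone who has only the device, and not the key, gets nothing.
	wrongKey, _ := NewKey()
	plain, err = Open(wrongKey, sealed)
	fmt.Printf("with wrong key:   %q (err=%v)\n", plain, err)
}
```

The authentication tag is what makes this more than scrambling: a wrong key or a flipped byte yields an error rather than garbage, so an application can refuse to act on corrupted or substituted records. Whether a lost device actually falls under the exemption still depends on the key not being recoverable from the device, which is why the key is kept in a separate keystore rather than next to the data.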
MOBILE DEVICE PERILS
As technology’s footprint expands, cybersecurity concerns are growing beyond the breach of protected health information (PHI). On July 31, the FDA took the unprecedented step of issuing a safety alert related to cybersecurity issues — specifically, concerns that the Hospira Symbiq Infusion System could be hacked to “allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies.”
The connected medical device market is growing rapidly due to advances in mobile health that are enabling patients to be connected from afar. The smart infusion pump market alone is expected to reach $3.6 billion by 2017. Such growth is largely due to the patient safety benefits that have been touted by the manufacturers and advocates of smart systems. However, if hackers can gain access to equipment directly connected to patients, that’s cause for a level of concern to which identity theft can’t hold a candle.
CYBERSECURITY IN YOUR PRACTICE
Although it would seem that cybersecurity is a problem better left to organizational leaders and IT experts, many breaches occur due to simple mistakes made by individuals within the ranks. Here are a few things you can do to optimize cybersecurity in your own practice to decrease the chances of becoming one of those unfortunates.
1. If it can be carried, lock it down. This includes laptops, tablets, smartphones and anything else that can “grow legs” in the hands of a thief. Too many breaches are due to a device that’s gone missing with unencrypted patient data on board. If you’re using a mobile device that carries sensitive information, make sure appropriate security measures are in place to protect it.
2. Beware of social engineering. Hackers often use manipulative tactics to gain your trust and lure you into giving them information. This can even include obtaining your personal information from your various social networks to gain access to things like passwords or even learn your answers to common security questions.
3. Use strong passwords. This might sound simple, but many breaches occur due to default passwords that were never changed. Create a strong string of characters and don’t use the same one across multiple accounts. When hackers gain access to one account, they’ll probably try to infiltrate others.
4. Be careful with BYOD. If you’re bringing your own device to work and using it in any way related to patient care, make sure you’re doing so in accordance with the policies of your organization. There is an array of hazards that can accompany this practice, so be sure you understand them before you log on.
5. Remember that public isn’t protected. If you think it’s a great idea to use the free Wi-Fi in your favorite coffee shop to do your charting, think again. Such networks are usually completely insecure, so connecting to them may expose your device to anyone with the know-how to link into it.
6. Keep an eye on smart patient care devices. The Hospira alert is the first of its kind, but it probably won’t be the last. With an increasingly connected world of patient care devices and more sophisticated hackers in our midst, be sure to report anything you see that may somehow seem amiss.
Cybersecurity may be a chronic illness, but like most chronic illnesses, it is treatable. By being aware of the risks and following some key strategies in your own practice, you can help to make sure you’re part of the cybersecurity “treatment plan” for your organization. For the latest in cybersecurity trends and strategies for healthcare, be sure to check out www.healthcareinfosecurity.com.
Sue Montgomery, RN, BSN, CHPN, is a freelance healthcare writer, editor and consultant specializing in end-of-life issues, digital health and bioethics.
This article is from workingnurse.com.