A series of highly publicized data breaches at U.S. health care organizations have led to multimillion-dollar settlements, public mistrust and the possibility of increased government oversight — and have elevated the need to protect patient information from basement cubicles to C-suite offices.
Health & Human Services’ Office of Civil Rights, the federal agency charged with enforcing the privacy rule of the 1996 Health Information Portability and Accountability Act, estimates that personal health data of 30 million Americans has been compromised since 2009. The OCR lists nearly 1,000 data breaches, each involving more than 500 individuals, on a section of its website known as the “Wall of Shame.”
Health care privacy attorneys predict that hospitals face “a new era of enforcement” and heightened public scrutiny. More cyberattacks are also likely, according to an April 2014 FBI alert, because of the “mandatory transition from paper to electronic health records, lax cybersecurity standards, and a higher financial payout for medical records in the black market.”
Chantal Worzala, American Hospital Association director of policy, says hospitals, like all economic sector information systems connecting to the Internet, are vulnerable to cyber threats. “We are focused on raising awareness to make sure folks are incorporating cybersecurity into their risk management programs,” she says.
HIPAA and the Health Information Technology for Economic and Clinical Health Act, or HITECH, mandate that hospitals protect patient information privacy and security and, if breaches do occur, require response plans and notifications to patients.
President Obama in February 2013 issued an executive order to improve cybersecurity and reduce threats and attacks on America’s critical infrastructure, which includes hospitals. In 2014, the Food and Drug Administration issued guidance to medical device manufacturers to improve security and avert cyber intrusions that could cause equipment malfunction and patient harm.
Lisa Gallagher, vice president of technology solutions for the Healthcare Information and Management Systems Society, says cyber attackers, most of whom have not been publicly identified, range from politically motivated “hacktivists” to criminals seeking data to file false tax returns, commit insurance fraud, or access credit cards and bank accounts. In at least one case, agents of foreign countries were seeking proprietary information about drugs and devices. She says criminals and hackers employ a variety of weapons to exploit vulnerabilities. Phishing schemes — in which hackers trick staff into clicking on what appears to be a legitimate email — have ensnared hospitals. Hospitals have been attacked by hackers using malware, keystroke logger viruses, vendor cybersecurity failures and employee data theft.
Who is vulnerable?
Gallagher points out that a highly publicized data breach affecting 4.5 million patients of Brentwood, Tenn.-based Community Health Systems was traced to China. “We’re still trying to figure out the primary motives for some of the players,” she says. “China and Russia have been identified as nation state actors. But some people are wondering if organizations like al-Qaida could be gearing up to attack the infrastructure of hospitals, which are very critical to our country. We have a complex threat profile.”
Some hackers are seeking hospital executive credentials, says Rick Kam, president of cybersecurity firm ID Experts in Portland, Ore. “Eighty percent of us use the same passwords routinely, not only on personal accounts with their checking balances, but also work accounts. And the correct password can help bad actors gain access to critical information. Some of us have access to secure systems and payment accounts and hackers are trying to find those executives and steal that access information.”
AHA Assistant General Counsel Lawrence Holmes says the association believes everyone should take cybersecurity seriously and incorporate it into a larger risk management program. “Every organization, no matter what size, can do a great deal to reduce their risk and prevent attacks from happening,” Holmes advises, while cautioning hospitals not to focus exclusively on patient information protection.
“There are different threats out there,” he says, recalling that the hacktivists who cyberattacked Boston Children’s Hospital were making a political statement. “Thinking about the HIPAA privacy and security rules is important, but not the whole picture,” Holmes says. “Any of your systems that are connected to the Internet can potentially allow a source of invasion into your organization.”
Russ Branzell, chief executive officer of the College of Healthcare Information Management Executives based in Ann Arbor, Mich., says hospitals are “extremely at risk” for cyberattacks. “Without a doubt, this area has not received the full level of attention in health care that other industries have accorded information security. We weren’t a target until five years ago and now we are a potent target.”
Hospital chief information security officers sometimes seem like Cassandras warning of doom, says Todd Richardson, senior vice president and chief information officer of Aspirus, a seven-hospital system with locations in Wisconsin and Michigan. “The more you know, the more afraid you become. It’s like a conspiracy theory: You see bad guys at every corner trying to get in and can get labeled as the guy with a tinfoil cap. But the threat here is real.”
Daniel Berger, president and CEO of health care IT security firm Redspin, Santa Barbara, Calif., suggests that hospitals of all sizes should invest in a full-time CISO. “Your CISO needs a seat at the table when resource allocation decisions are made,” he says. “And it’s not just IT, but overall security awareness training and education for all employees, not as an IT expense, but a corporate expense. The weakest link in cybersecurity has been people, and you need a champion to confront that.”
What are the threats?
A 2013 Ponemon Institute survey revealed that 94 percent of health care organizations experienced at least one breach over the last two years and nearly half — 45 percent — were struck by more than five. The top causes were lost or stolen devices, employee errors, miscommunications and mistakes by third parties, followed by criminal attacks.
Kristopher Kusche, vice president of information services for Albany (N.Y.) Medical Center, says unencrypted laptops, USB sticks and hard drives are vulnerable, but that the threats can be mitigated through education and strict policies. “Even email breaches can often be preventable with education and a focused approach in sharing information throughout the organization,” he says. “Many breaches today in the industry are ‘phishing scams’ that give bad actors access to authorized accounts. Training can reduce that risk.”
Carl Gunter, a professor of computer science at the University of Illinois, Champaign, says hospital executives should know that the points of attack are shifting. “The avenues by which someone might break into a hospital’s information system continue to evolve,” he says. “We’re seeing increasing use of mobiles — personal cellphones and tablets and handheld physician devices.” Gunter notes that hospitals have established portals for sharing health data to satisfy federal requirements for meaningful use. “Also, many smaller organizations have outsourced patient records to cloud-based services,” he says. “This has produced a changing environment of vectors through which they can get attacked.”
Experts disagree on the safety and security of cloud-based data storage solutions. “A lot of CISOs are skeptical,” concedes Darren Lacey, chief information security officer at Johns Hopkins University. “The cloud changes the risk dynamics and there are certainly benefits in utilizing best practices from multiple industries. But from a security perspective, some of these cloud companies are becoming targets. You’re not necessarily offloading a lot of risk.”
Christopher Allman, director of risk management, compliance and insurance for 323-bed Garden City (Mich.) Hospital, warns that hospitals face another looming cyber issue: The interoperability requirements that allow the widespread sharing of EHRs also entail risk. “Interoperability clearly presents a potential patient safety issue, opening a door for hackers to enter the system,” says Allman, who chairs the advocacy task force for the American Society for Healthcare Risk Management.
Harry Rhodes, director of practice excellence for the American Health Information Management Association, suggests hospital executives spend time analyzing the OCR Wall of Shame to learn more about the most common breaches. Over the coming year, AHIMA will work with members on topics covered by the new OCR audits, which include encryption, access controls, complaints and breach reports.
“They’re interested in how hospitals are keeping out the bad guys and how effective their breach reports and complaint responses are,” Rhodes says.
Washington, D.C.-based health care attorney Adam Greene of the firm Davis Wright Tremaine recommends that hospitals look into purchasing cyber insurance policies to protect themselves from the potential damage of attacks, which, according to one industry survey, cost an average of $2.4 million to address. “Cyberattacks are often excluded from general insurance policies, but can be ruinous to large organizations if there are breaches,” he explains.
Greene also counsels hospital leaders to document what they are doing and why. “It’s not a question of if but when they’ll have a breach,” he asserts. “After that breach, they will be asked why they did not institute certain data loss technology. Documenting their efforts will help.”
At a minimum, all hospitals should perform risk assessments at least every other year, Branzell says, identifying the biggest and most complex vulnerabilities and prioritizing them.
Linda Fletcher, information security officer for 13-hospital, Mishawaka, Ind.-based Franciscan Alliance, says hospitals must separate confidential from non-confidential data. “Any one weak link can tumble the rest,” she says. “A vulnerability anywhere is a vulnerability everywhere. That’s sometimes a hard sell in our industry.”
Fletcher also advises hospitals to assume stronger oversight of their vendors. “You can’t secure something you don’t know exists,” she says. “When we negotiate contracts with outside vendors, we demand accountability, and identify and limit the type and quantity of data a vendor is able to access. They must demonstrate the security of their systems to us.”
Many medical devices can, like computers, measure, record and transmit data, says Susan Boisvert, R.N., senior risk management consultant for medical malpractice insurance provider Coverys, Brunswick, Maine. But, she notes, often devices are not equipped with antivirus software, even as data from those devices are imported into medical records and digitized into EHRs.
Sometimes hospitals become vulnerable to attack when they perform system upgrades to improve Internet speed and access, or even through something as routine as remotely testing X-ray machines. “The more devices you hook up, the greater chance you will connect to devices with malware in them,” Boisvert says.
She suggests that hospital executives employ a proactive strategy embraced by other industries facing cybersecurity challenges: hiring “white hat hackers” — professional hackers trained to test system vulnerabilities and penetrate them to find and correct weaknesses before bad actors wreak havoc.
One of the most valuable hospital assets is community good will, says Lucia Savage, chief privacy officer for the Office of the National Coordinator for Health IT. “Now that we’re implementing the meaningful use program and electronic health data is becoming more common, CEOs must return to the question of reputation: Are your patients worrying about their private health information and how can you reassure them?”
Donna Parker, regional compliance director for the Franciscan Alliance’s Northern Indiana Region, says greater transparency and information-sharing would help. “We do share information about breaches within the Franciscan Alliance, but sharing outside of our system is a good idea,” Parker says. “Every time I see a breach, I think: ‘That could have been us.’ ”
— Mark Taylor is a writer in Munster, Ind.
At Saint Francis Healthcare, Cybersecurity Is Ever-Evolving
Hospital executives recognize the threats from lost or stolen patient data and from cyber intruders seeking access to hospital information, and most entrust their chief information officers and information technology departments to handle the details.
Steven Bjelich, president and CEO of Saint Francis Healthcare System in Cape Girardeau, Mo., says he counts on his CIO, tech department and compliance and risk management officers to prevent, evaluate and treat those threats. “This is such a complex field, there are few, if any, CEOs who can speak on it intelligently,” he says.
Saint Francis CIO Ed Duryee and his team lead the cybersecurity effort across the 282-bed hospital, the system’s 2,600 employees, hundreds of affiliated physicians and thousands of patients, visitors and vendors. Duryee says cybersecurity is finally being taken seriously in American hospitals. “We’ve been doing this all along because we have to protect our patient data and there are government regulations requiring those safeguards, particularly in the meaningful use requirements.”
Meaningful use requirements by the Centers for Medicare & Medicaid are “partly what’s driving the interest here,” Duryee says. “We’re obligated to conduct audits, actively remediate any problems we find and develop action plans. Even the best hospitals have been targeted and have faced or will face these issues.”
Saint Francis’ manager of technology, Kevin Essner, says C-suite buy-in is crucial to systemwide cybersecurity. “Physicians and employees have to perform these extra procedures because they represent secure ways to do things and without [executive] buy-in, it won’t happen.”
A Saint Francis risk assessment classified several items as critical, such as encrypting portable devices. The job, like plugging a dike, is never-ending. “Visitors come and go and want to get on our wireless network to read up on news,” Essner says. “We have to make our wireless network secure so that their access is limited. Employees are hired and when they leave, their passwords and access must be terminated and their physical devices turned in. And this is not just IT. Medical records — paper and electronic — need to be protected.”
He admits that cloud computing provides an added element of security, and shifts some of the risk and much of the work from Saint Francis. “But it’s more than that. You have to look at your wireless network, make sure the devices are current and have the most up-to-date encryption algorithms. Desktop devices need to be current and have the latest [software] patches. All points in the information system structure — wireless, wired, desktops and data center — need to be kept up-to-date with the latest versions of software and the most recent encryptions and regularly maintained. Patches, firewalls and antivirus protections are ongoing.”
Instead of storing data locally on desktops, which can be more easily accessed, Saint Francis patient records are accessed remotely through servers outside of the hospital. Essner says the virtual desktops allow the hospital to avoid hard drives and data storage on operating systems that can be vulnerable to cyber theft.
Assess the risk.
Hospital executives first should order a risk assessment to determine vulnerability.
Prioritize follow-up actions.
Executives then should focus on obvious and pressing issues like system access and control, laptop and portable hard drive security and encryption, and other top vulnerabilities uncovered during risk assessments. Develop strong cybersecurity policies. IT staff must ensure that all updates, patches, firewalls and antivirus protections are installed regularly, and that the entire staff is educated about security processes.
Learn the legal issues.
CEOs should acquaint themselves with hospital requirements under the HIPAA Privacy Rule, HITECH law and other pertinent legal obligations.
Cover your assets.
Explore cyber insurance to cover potential damage from breaches, which cost an average of $2.4 million.
Know thy enemy.
Executives should familiarize themselves with the online Privacy Rights Clearinghouse, the Health Information Trust Alliance and Office of Civil Rights “Wall of Shame” listings of data breaches to learn about existing threats.
Incorporate breach plan into overall disaster plans.
Prepare response plans for potential breaches that include reporting phone trees, media response plans and other systemwide protocols should a hospital experience a serious data breach.
Demand vendor accountability.
Require vendors to comply with the same security mandates the hospital faces and demonstrate cybersecurity preparedness.
Take ’er for a test drive.
Consider hiring “white hat hackers” to perform penetration tests on your system defenses to uncover vulnerabilities.