Data related to patients is now, unfortunately, the lowest hanging fruit for the bad guys, who are not wasting any time leveraging that advantage. HealthITSecurity.com has 10 pages of confirmed data breaches in the healthcare industry just from the past five months. As to what kind of data is being taken, it varies. However, most often, it includes patient names, addresses, birth dates, telephone numbers, and Social Security numbers.
The Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, conducted by Ponemon Institute and sponsored by ID Experts, adds more fuel to the fire. For the second year in a row, criminal attacks are the leading cause (50%) of healthcare data breaches, and have already cost the industry $6.2 billion. (This figure is based on multiplying $1,112,771.50, which is 50% of the average two-year cost of a data breach experienced by the 91 healthcare organizations in this research, by 5,627, which is the total number of registered US hospitals per the AHA.)
The conclusions of the Ponemon Institute research include:
- Data breaches in healthcare remain consistently high in terms of volume, frequency, impact, and cost.
- The healthcare industry is more vulnerable to data breaches than other industries.
- Patients are suffering the effects of data breaches in the form of medical identity theft.
The above seems to indicate existing security methodology is woefully lacking, which is troubling as the stolen information can be used to:
- instigate true-name identity theft schemes when combined with other false documents;
- create synthetic identities by combining real and falsified personal information; and
- file fraudulent insurance claims.
All this bad news is not lost on David Severski, manager of information security at Seattle Children’s Hospital. Severski, an 18-year information security veteran, told Bill Siwicki of HealthcareITNews.com that implementing security products to safeguard hospitals is simply not enough, adding, “Health IT professionals, rather, must use data generated by those security technologies to create programs that best protect their organizations.”
Making the case for data-driven security
Severski and his team at Seattle Children’s Hospital feel it is important to provide actionable data-driven analysis to upper management. “My team’s function is almost like a research arm; we provide intelligence to business leaders on how they can best allocate their resources,” adds Severski. “In healthcare, there never are enough resources for what organizations want to do.”
Severski goes on to say that C-level executives at Seattle Children’s Hospital ask his team to project possible outcomes of pending security decisions. The projections allow managers to make choices based on data-driven predictions rather than guesswork.
Patch management of EHR systems
The healthcare industry, to avoid issues with HIPAA and myriad other regulations, needs to stay on top of its digital infrastructure, including patch management of the Electronic Health Record (EHR) system. “There are lots of devices, from workstations to medical devices to servers, and the organization does not have enough resources to patch everything, everywhere, all at once,” mentions Severski. “So, how do we prioritize our technical remediation efforts?”
Severski’s answer: “What matters most, and what will give us optimal outcomes?”
That translates into Severski and his team examining what EHR physical assets need to be safeguarded, what tasks they perform, what data is being protected, and whether it is possible for attackers to reach the assets. “We have a program that pulls all that information in, then we optimize the information against our threat environment,” explains Severski. “Then we draw our conclusions and provide intelligence to IT owners and business leaders, saying this is what you should be worried about first, and at the same time, here are some things that are not as worrisome.”
Besides the EHR system, Severski warns, “There are hundreds of applications, even in a mid-sized institution like Seattle Children’s Hospital, that have access to quite a bit of information; as a result, these other systems can present as great a threat to the institution as the EHR.”
It’s obvious that complexity is a major factor in trying to secure a healthcare organization’s digital assets. “If you are not applying a data-driven, scientific approach to managing your resources, you are managing at best by instinct,” concludes Severski. “And in a competitive business world, instinct is not enough.”