As the U.S. healthcare sector's electronic outreach grows, so does the potential for IT security lapses.
The increased use of electronic health records, the spread of health-related mobile applications, and the emergence in recent months of Affordable Care Act-mandated health insurance marketplaces all contribute to a new healthcare privacy and security landscape. Accordingly, IT consultants, integrators and security specialists are busily pointing out the issues and working with healthcare clients to shore up gaps in their defenses.
The stakes are high. Healthcare organizations that fall under the Health Insurance Portability and Accountability Act (HIPAA) are subject to fines of up to $1.5 million per year for each violation. Last September, the final HIPAA omnibus rule extended the compliance burden -- and exposure to civil penalties -- to the business associates that work with hospitals and health plans in addition to the covered entities themselves.
The healthcare privacy and security rules in HIPAA have acquired more teeth, but that's not the only market development. Now, more regulators are watching. The Department of Health and Human Services' Office for Civil Rights (OCR) has been the most notable enforcement agency in the field of healthcare data breaches. But earlier this year, the Federal Trade Commission affirmed its authority to take enforcement action against businesses that drop the ball on protecting consumer data. That ruling arose from a complaint the FTC filed against LabMD, a medical testing laboratory based in Atlanta. The complaint alleges that LabMD failed to "reasonably protect the security of consumers' personal data, including medical information."
Against that backdrop, healthcare organizations are looking for help as they seek to stay on the right side of the regulators. Scott Walters, director of security at INetU Inc., an Allentown, Pa.-based cloud hosting and managed hosting company that operates in the healthcare industry, said customers are asking for assistance on what they need to do to comply with HIPAA.
"They might have some idea of the things they need to do, but they are looking for a partner who can provide guidance at a detailed level," Walters noted.
The healthcare sector remains vulnerable to data breaches. The Ponemon Institute's Fourth Annual Study on Patient Privacy & Data Security, published in March 2014, found that the number of healthcare data breaches declined slightly in 2013, but noted that 90% of the study's respondents reported at least one data breach over the past two years.
The survey, sponsored by ID Experts, a data breach solutions provider based in Portland, Ore., queried hospitals and clinics that are part of a healthcare network, integrated delivery systems and standalone hospitals or clinics.
Larry Ponemon, chairman and founder of Ponemon Institute, based in Traverse City, Mich., called the data breach decline the only truly positive finding in this year's report. He said the drop could be an indication that healthcare companies are making modest improvements in how they protect patient information. He said the increased security could also be in response to OCR's audits.
On the other hand, the nature of the threat has shifted and intensified over the course of the benchmark study. The Ponemon Institute report noted that the number of data breaches attributed to criminal attacks has doubled since 2010. That year, 20% of the organizations surveyed reported criminal incursions, while 40% cited such attacks in 2013.
"We think that is an important finding," Ponemon said, adding that cyber criminals view healthcare data as a "treasure trove" of information.
Amid the broader concerns, specific areas of vulnerability include what Ponemon Institute described as the "unproven security" of the health insurance marketplaces, or exchanges, launched under ACA. In the Ponemon Institute study, about 70% of the respondents said they believe ACA has increased or significantly increased the risk to patient data, citing factors such as insecure databases and insecure websites for patient registration. The security of the data exchange between healthcare providers and government was another ACA concern cited in the report.
"We are going to see more ... risk associated with sensitive patient information over the next several months," said Rick Kam, president and co-founder of ID Experts.
"Definitely with the advent of the federal and state marketplaces ... as well as the online eligibility systems, the risks in all areas have gone up," said Bobbie Wilbur, director of application solutions at Social Interest Solutions, a Sacramento, Calif.-based solutions provider and integrator focused on health and social services.
Social Interest Solutions implements enrollment and eligibility systems, working with government customers in Arizona, California, Indiana and Maryland.
With the federal and state marketplaces, consumers, community-based assisters, navigators and other parties use online systems to apply for benefits and insurance, Wilbur noted. The process also involves online access to verification sources such as Internal Revenue Service, Department of Homeland Security and Social Security Administration data. In addition, the application task often requires employment and income information.
"The balance of providing online real-time determinations has been offset by increased risk that must be managed to protect privacy and security," Wilbur said.
"We are seeing increased attempts to access data from our systems," she said. "Many are coming from IP addresses that are not U.S. based."
The Ponemon Institute report also identified mobile devices as another prominent healthcare IT security risk. The institute stated that 75% of the healthcare organizations it surveyed listed employee negligence as their biggest security concern, noting that employees' growing use of unsecured smartphones, laptops and tablets increases the exposure of sensitive data.
The report said 88% of organizations permit employees and medical personnel to use their own devices "to connect to their organization's networks or enterprise systems such as email."
Paradoxically, fewer than a quarter of healthcare entities require employees to take such measures as having antivirus/anti-malware software installed on their mobile devices prior to connection.
Clinicians and administrators are "all equipped with smartphones and other mobile devices and some of these devices are owned by individuals," Ponemon said. "It basically makes it very hard for the healthcare organization to control the devices."
Another potential source of insecurity: the consumer-oriented healthcare apps entering the market.
Greg Eoyang, president and CEO of daVinci, the mobile application development subsidiary of Intelligent Decisions, a federal IT solutions provider in Ashburn, Va., said third-party developers are rushing apps to the market and may not follow the same development lifecycle as the development shop of a large hospital.
"Security may not be built in from the beginning" and may be hard to retrofit once the product has emerged, he said.
Channel companies are helping customers navigate healthcare privacy regulations and are also boosting their own security profiles.
At INetU, the company helps its clients take HIPAA into account when planning for managed cloud or managed hosting solutions. Walters suggested that the law is ambiguous. For example, does a HIPAA risk assessment call for a vulnerability scan or a penetration test? Walters said the law isn't particularly specific on what technology should be used in different scenarios. He said an IT services provider with HIPAA expertise can provide guidance.
INetU offers HIPAA-compliant hosting services. The scope includes fully managed intrusion detection and prevention; file integrity monitoring; security information and event management; internal vulnerability scanning; Web application firewall; and managed backup, recovery and archival, according to the company.
Social Interest Solutions, meanwhile, follows the Minimum Acceptable Risk Standards for Exchanges (MARS-E) standards as part of its IT security regimen. The Centers for Medicare & Medicaid Services developed MARS-E as a minimum set of standards for health insurance exchange security.
Wilbur described MARS-E as a compilation of standards including HIPAA and National Institute of Standards and Technology guidance.
In addition, Social Interest Solutions is purchasing more third-party security assessments associated with ethical hacking, social engineering and other measures, she said. The company also applies more penetration tools on its systems to identify vulnerabilities.