Securing Electronic Health Records

Transition to EHRs should makes scenes like this a thing of the past, but with them comes data security implications
Transition to EHRs should makes scenes like this a thing of the past, but with them comes data security implications
Kurt Long, FairWarning
Kurt Long, FairWarning
Security will not be this simple with EHRs
Security will not be this simple with EHRs

Is the US healthcare industry focused enough on security as it races headlong toward electronic patient records, spurred on by billions of dollars in federal government stimulus money?

There are good reasons it needs to be. First and foremost, a condition of the stimulus money is that patient privacy is paramount, and there will be real consequences for organizations that go the EHR (electronic health records) route but fail to protect the information.

Second, criminals are realizing that within EHRs there is a treasure trove of information, such as SSNs, and a recent report shows that hack-attacks on healthcare organizations are skyrocketing.

Providing a ‘Stimulus’ for Change

While healthcare organizations and politicians have talked about the value EHRs since before the failed Clinton healthcare initiative back in the 1990s, their use came mightily into focus after February 17, 2009. That was the day the $787bn American Recovery and Reinvestment Act of 2009 was signed into law. Included in the legislation was the Health Information Technology for Economic and Clinical Health Act, or HITECH Act, which designated a total of $19.2bn to boost the “meaningful use” of EHRs by hospitals and physicians.

The carrot of stimulus money came with several sticks that will penalize providers if they do not attain increasingly stringent transactional and security standards between now and 2015. The actual technical standards are still being developed with the help of the National Institute of Standards and Technology (NIST).

"I don’t think HITECH is that complicated. I think everybody is making it complicated. I think they just need to simplify it and quit listening to vendors trying to scare the living daylights out of them"
Jana Grose, Massena Hospital Group

Penalties for non-compliance and negligent breaches of security could be harsh, as non-compliant providers will be frozen out of Medicare and Medicaid business. Providers suffering breaches caused by their lack of preparedness will, for the first time, face possible prosecution by states’ attorneys general − a penalty not included in the original Health Insurance Portability and Accountability Act (HIPAA).

That last provision gives HIPPA “teeth” says Beau Woods, solutions architect for SecureWorks, a company that reported a doubling of attempted hacker attacks launched at its healthcare clients in the fourth quarter of 2009.

Attempted attacks increased from an average of 6500 per healthcare client per day in the first nine months of 2009 to an average of 13 400 per client per day in the last three months of 2009. Interestingly, attempted attacks against other types of organizations, protected by SecureWorks, did not increase in the fourth quarter.

While those statistics should have the healthcare providers worried, Woods says, “I don’t think they are as secure as they need to be, especially taking care of patient information and some of the other things they have floating around their networks: credit card information and that kind of thing.”

Protecting Patients’ Privacy

Kurt Long, the CEO of FairWarning, a company that sells privacy breach detection software for EHRs, believes the bigger healthcare companies have gotten the privacy message and are well aware of their responsibilities under HITECH. “The leaders are very concerned with privacy”, he says. “They have received the message and are taking it very seriously. Their motivation is to see the expansion of electronic health records and to see more efficiencies gained from those; and better care delivered through electronic health records. They’ve now realized that privacy will be of the utmost consideration.”

Because HIPAA had no teeth, Long says that for healthcare companies that suffered a breach, “a reasonable strategy was to say ‘we will do nothing. We know something has happened but unless someone figures out – the media or the patient – that there is a problem, then we don’t have to do anything, and there is no legal obligation under HIPAA’.”

"The breaches that are injuring the industry and its reputation are perpetrated by authenticated and authorized users who work within the health system"
Kurt Long, FairWarning

“Doing nothing was a viable option”, Long says. “But now, one year after HITECH, doing nothing is illegal. It becomes willful neglect with escalating penalties”, he continues.

Woods’ concern is shared by James Van Dyke, president of Javelin Strategy & Research, a research firm specializing in trends in security and fraud initiatives. He believes healthcare is, and will remain a goldmine for fraudsters.

Van Dyke is unimpressed with the efforts of the healthcare industry – particularly small and mid-sized companies – since the Obama administration opened the financial spigot in early 2009. “Not much has happened in the last 12 months. And what has happened hasn’t really been great.”

He is worried that stimulus-hungry companies are rushing into EHRs without appreciating the security implications. Van Dyke says that as soon as the companies put the APIs (application programming interfaces) into their databases to make their systems capable of communicating with an individual’s e-records, they are opening themselves up for more fraud risk. “So things have gotten worse rather than better in the short term as a result of HITECH, and we would expect that from an industry that is in disarray”, he adds.

A House Divided

Identity theft that leads to identity fraud will continue to plague the healthcare industry until there is reform leading to more, if not all, people having affordable healthcare. It is too easy to steal an individual’s SSN and then use it to impersonate them to receive a medical procedure. “As long as you have an industry that, in terms of their own electronic sophistication, is a complete mess, you are more likely to have these crimes go on”, Van Dyke says.

"Things have gotten worse rather than better in the short term as a result of HITECH, and we would expect that from an industry that is in disarray"
James Van Dyke, Javelin Strategy & Research

FairWarning’s Long said the company recently completed a survey of 200 hospitals across the US, and nearly half of those organizations (47.3%) believe they are already compliant with HITECH and HIPAA and are audit ready.

On the downside though, nearly one-third of survey respondents stated they will not be compliant with HITECH requirements by the established deadlines. The survey indicates that organizations are concerned with the challenges of monitoring dozens of healthcare applications.

FairWarning’s software, developed specifically to work with healthcare applications from the likes of Siemens, McKesson, GE and Epic, monitors the actions of authorized and authenticated users to deter theft and other privacy issues, such as VIP snooping. “None of those breaches can be stopped by encryption; none can be stopped by authentication”, Long warns. “The breaches that are injuring the industry and its reputation are perpetrated by authenticated and authorized users who work within the health system”, he says.

So while opinions are divided on the security and privacy qualifications of the healthcare industry, one CIO on the frontline believes that EHRs will be too tempting for “nutballs” to resist trying to steal the information.

Jana Grose, of the Massena Hospital Group in New York, believes that sometime in the future there will be a major breach, and then everyone will be rushing around. “I don’t believe in that”, she declares. “I want to be ahead of the game.” 

 

A Message to the Healthcare Industry: Relax, It's not that Complicated

While much of the healthcare industry seems flustered by compliance and privacy issues caused by HITECH, Jana Grose, CIO of the Massena Hospital Group in New York, is sanguine.

Her first piece of advice to her colleagues is to stop listening to vendors who want their slice of the EHR stimulus pie. “I don’t think HITECH is that complicated. I think everybody is making it complicated. I think they just need to simplify it and quit listening to vendors trying to scare the living daylights out of them.”

Grose believes that hospital officials should stop going to seminars and listening to someone else tell them what the new regulations are, and they should sit down and read the policies for themselves. Next comes strategic planning with administration and other departments, vendors, and business associates. “It’s pretty simple and you should have been headed in that direction anyway”, she claims.

Helping Grose’s peace of mind is her complete faith in risk assessment compliance audit software from ACR2 Solutions. Under HITECH, the final item on “meaningful use” is that an organization must do a risk assessment on compliance every quarter. “I thought I found the best software ever with ACR2 because once you have put your information in at the beginning, then you just hit a button and there’s your report. It also shows your progress over time”, she said.

“This software has the regulations in and the interpretation of those regulations; in terms that you can understand, and it tells you what you need to do to fix anything. When we put it in we felt like a giant elephant [was] being lifted off our backs.”

Grose says she has even tried to convince the government to use the ACR2 software as their standard for compliance testing.

 

What’s Hot on Infosecurity Magazine?