From the January 2017 Issue
In June, a break-in at Phoenix, Ariz.-based Banner Health impacted 3.7 million patients, making it the largest security breach of 2016 thus far.1 Why are hackers so focused on medical data?
First, many health systems rely on aging computer technology that doesn’t use the latest data security features. The data, including birth dates, policy numbers, diagnosis codes and billing information, is also worth a lot of money. On the underground stolen data market, health credentials go for about 10 to 20 times the price of credit card numbers.2
Health data theft also takes much longer for providers and patients to identify. The Banner incident is a good case in point: the break-in took place in mid-June but the news wasn’t announced to impacted patients until August. Since Banner’s announcement, 13 more breaches impacting 500 or more records have been reported by the U.S. Department of Health and Human Services Office for Civil Rights.3 These breaches cost the healthcare industry almost $5.6 billion.4
Closing the Doors is Not an Option
Faced with these facts, many health IT managers would prefer to block any and all potential weak points. The reality of today’s healthcare environment, however, makes this response to security threats virtually impossible. Data sharing between providers, patients and referring sites is now critical to ensuring efficient, coordinated care. In addition, 70% of physicians rely on their mobile devices to manage patient data and want mobile access, both from within a health system’s network and outside of it, to patient images and data.5
Supporting this demand while protecting patient data puts health IT departments in a constant state of conflict. They play a crucial role in providing critical patient data to providers in a timely way to support better care and they also bear an increasingly heavy burden of keeping that data safe and secure in the face of real threats. Health IT managers, however, can both provide and protect patient data if they have tools that support modern security requirements.
Modern mobile health IT tools need built-in support for security technologies. Any technology that is used for information sharing and exchange should be designed and developed with integrated security. An enterprise image viewer provides a good example of how security needs to be part of every action providers take when working with patient data.
Accessing Patient Images
The first step to viewing a patient image either from a mobile device or a remote location is gaining access to where the patient image is located. The systems that house patient image data, whether a PACS or a VNA, have their own security, and enterprise networks also have security systems to support secure external access.6
This security is typically based on standards that allow IT departments to integrate the usernames and passwords from multiple accounts into a single, secure sign-on. Support for these standards is critical to both managing user authentication and to allowing users to keep their password safe and secure. It also enables IT managers to implement best practices, such as periodic password changes.
A secure enterprise image viewer should include built-in support for these standards, including Lightweight Directory Access Protocol (LDAP) and Active Directory (AD). With this support, the image viewer’s own security will work with existing user authentication systems, ensuring that anyone accessing patient data is who they say they are.
No Data Transfer
Security doesn’t stop at access. The action of viewing data also requires secure technology design. One way to protect a patient image when viewed on a mobile device or an external computer is to keep any patient data from being transferred and saved on the mobile or remote device.
To enable this, technology designs must first allow image data to be viewed during a connection in whatever way and however long a provider needs to view it. DICOM images, videos, 3-D images and more must be fully accessible at a quality level that allows the provider to diagnose based on what he or she is seeing. To keep patient image data secure, however, once the provider closes an image or video, or logs out of the image server, all of the data needs to be completely expunged from the remote or mobile device.
Any data that is transferred to or stored on mobile devices or remote systems becomes immediately unsafe. First, mobile devices are frequently lost or stolen; by some estimates, 68% of security breaches were due to the theft or loss of a mobile device.7 In addition, providers have no control over the level of security technology in place on a remote system. The best approach to ensuring the security of a patient image accessed by remote or mobile devices is to keep data from being saved on them.
End-to-End Data Encryption
Patient image data also needs to be protected during mobile or remote viewing sessions. Both mobile and remote image viewing increase the amount of patient data traveling inside and outside enterprise networks. Wherever and whenever that data is transferred, it should be encrypted to protect it from eavesdropping hackers. Any technology built for a modern healthcare environment must include encryption and not be designed with the assumption that encryption will be implemented by the hardware of the accessing device or other health IT, such as electronic health records (EHRs).
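One way to check the two requirements above (nothing saved on the device, everything encrypted in transit) is to audit the HTTP response headers a viewer sends with image data. This is an added example, not code from the article or from any vendor; it assumes a browser-based viewer, and the host name and sample responses are constructed.

```python
# Added example: audits response headers of a browser-based image viewer.
# SAMPLE_RESPONSES is constructed data; viewer.example.org is a placeholder host.

def parse_directives(value, sep):
    """Parse 'a, b=1' style header values into {name: argument-or-None}."""
    out = {}
    for part in value.split(sep):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = arg.strip().strip('"') or None
    return out

def audit_response(url, headers):
    """Return findings for one response that carries patient image data."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    cache = parse_directives(h.get("cache-control", ""), ",")
    if "no-store" not in cache:
        # 'private' and 'no-cache' still permit the browser cache to keep the body.
        findings.append("cacheable: Cache-Control lacks no-store")
    if h.get("content-disposition", "").strip().lower().startswith("attachment"):
        findings.append("download: Content-Disposition saves a file on the device")
    if not url.lower().startswith("https://"):
        findings.append("plaintext: served without TLS")
    else:
        hsts = parse_directives(h.get("strict-transport-security", ""), ";")
        max_age = hsts.get("max-age") or ""
        if not max_age.isdigit() or int(max_age) == 0:
            findings.append("downgrade: HSTS missing or max-age=0")
    return findings

SAMPLE_RESPONSES = [
    ("https://viewer.example.org/study/1/frame/7",
     {"Cache-Control": "no-store",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ("https://viewer.example.org/study/1/frame/8",
     {"Cache-Control": "private, no-cache, max-age=0",
      "Strict-Transport-Security": "max-age=31536000"}),
    ("http://viewer.example.org/export/1.dcm",
     {"Cache-Control": "no-store",
      "Content-Disposition": 'attachment; filename="1.dcm"'}),
]

def audit_all(responses):
    """Map each URL to its list of findings (empty list means no issue found)."""
    return {url: audit_response(url, hdrs) for url, hdrs in responses}

if __name__ == "__main__":
    for url, findings in audit_all(SAMPLE_RESPONSES).items():
        print(url, findings or "ok")
```

A clean result only shows that the server is not asking the browser to keep the data; it does not cover native apps or screenshots taken on the device.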
Secure Patient Data Access
The prevalence of security breaches for both big and small healthcare organizations is expected to continue.8 With more patients in the system thanks to the Affordable Care Act, hackers now have more patient data to access, keeping healthcare a top target into the future.
At the same time, the need to share and exchange electronic patient data continues to rise among healthcare providers. As just one example, urgent care facilities and health systems are forming partnerships to better coordinate patient care. The success of these partnerships depends on seamless exchange of electronic patient information, which means sharing patient information between a health system and the many locations of an urgent care provider.
It’s not hard to imagine the complexity of implementing secure connections in a healthcare ecosystem with hundreds of separate locations. In these situations, health IT managers must use health IT tools with built-in modern security to manage the high risk inherent in the sharing and exchange of patient health data.
Jonathan Draper is director of product management, healthcare at Calgary Scientific.
References
1. Banner Health. Banner Health identifies cyber attack. www.bannerhealth.com/news/2016/08/banner-health-identifies-cyber-attack
2. Humer C, Finkle J. Your medical record is worth more to hackers than your credit card. www.reuters.com/article/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924
3. U.S. Department of Health and Human Services Office for Civil Rights. Breaches Affecting 500 or More Individuals. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
4. Munro D. Data breaches in healthcare totaled over 112 million records in 2015. www.forbes.com/sites/danmunro/2015/12/31/data-breaches-in-healthcare-total-over-112-million-records-in-2015/#bee1157fd5a9
5. Edds B. Secure Communications Strategies for a Mobile Healthcare Workforce. http://health-system-management.advanceweb.com/secure-communications-strategies-for-a-mobile-healthcare-workforce/
6. Barrett M. Image sharing goes mobile. http://health-system-management.advanceweb.com/image-sharing-goes-mobile/
7. Bitglass. The 2014 Bitglass healthcare data breach report. http://pages.bitglass.com/rs/bitglass/images/WP-Healthcare-Report-2014.pdf
8. Experian. Third annual 2016 data breach industry forecast. www.experian.com/assets/data-breach/white-papers/2016-experian-data-breach-industry-forecast.pdf