In other words, lack of proper access management for IT systems in healthcare leaves private patient data susceptible to attack.
“Just because your EHR [Electronic Health Record] forces a username and password, doesn’t mean you’re compliant,” said Mac McMillan, chair of the HIMSS Privacy & Security Policy Task Force at the 2016 HIMSS Annual Conference & Exhibition.
Anthem agreed to settle litigation for $115 million — the largest settlement for a data breach and a pricey lesson on healthcare security best practices and, specifically, how to control access to sensitive data in organizations. Anthem authorities believe the lack of proper access management allowed hackers, who had gained authorized credentials, to breach Anthem’s patient information. The vulnerability was not in the operating system, hardware or software, but in the process of managing proper access controls.
Until healthcare as an industry improves both its legacy technology and adoption of security practices — including data access control — cybercriminals will continue to view healthcare data as a vulnerable target.
A report by the Identity Theft Resource Center (ITRC) showed that medical and healthcare sector security incidents made up 43.6% of all breach incidents identified by the ITRC in 2016. And Experian’s 2017 Data Breach Industry Forecast predicts that healthcare will be the most targeted industry, with attacks growing in number and sophistication.
“Cybercriminals view healthcare organizations as a soft target compared with financial services and retailers because, historically, healthcare organizations have invested less in IT, including security technologies and services, than other industries, thus making themselves more vulnerable to successful cyberattacks,” says Lynne Dunbrack of IDC Health Insights in this Healthcare IT News article.
The healthcare sector was responsible for 450 data breaches in 2016, which exposed more than 27 million patient records to fraud and identity theft, according to a report by Protenus. The report also showed that the largest incident in 2016 was the Banner Health hacking incident, which affected 3.62 million patient records.
Experts suggest medical information is 10 times more valuable than a credit card number on the black market. While healthcare organizations are known for low security, they also hold large batches of personal data for profile. “The social security number is the crux there,” says McMillan.
In an excerpt from McMillan’s presentation for HIMSS16 session, Compliance does Not Equal Security, McMillan writes, “HIPAA was not intended to cover all forms of information or to be a complete standard for data protection. … The Security Rule initially conceived in 2001 did not envision cloud computing, the proliferation of mobile devices, bring your own device, networkable medical devices, wearables and many other technology advancements seen since that time.”
The presentation continues, “Compliance and security are two different paradigms. Certification is not a ‘magic’ pill. Compliance is a ‘floor’ rating… [a] point in time. Manual processes are too slow. Controls are not enough."
McMillan urged healthcare organizations to follow the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which includes the following recommendations:
“Being compliant does not make you safe. Being certified does not mean you are protected, and neither of those things are going to save you from the impact or fallout associated with a breach,” says McMillan. “The things that matter are discipline, vigilance and readiness.”
To improve the state of IT security in the healthcare sector, hospitals will have to adopt and enforce stringent cybersecurity policies that provide the highest levels of protection for patient data — and demand strict compliance from partners, including labs, imaging centers and clinicians.
While hospitals may not be ready to implement such policies with their healthcare partners, on-site safety measures should always be in place. Safeguards that are critical to control access to sensitive data include granting role-based access to data and applications on a need-to-know basis; controlling physical workstation access and access to clinical applications; and creating comprehensive policies and auditing tools that allow a compliance manager to report on who has access to which systems, applications and patient records as it applies to their role.