Information technology (IT) has been a lifesaver and a timesaver in healthcare, bringing speed and precision to medical-surgical procedures and replacing paperwork with electronic computation, storage, and communication.
But there is a dark side. Systems can be sabotaged, files can be read or stolen, and devices used in surgery can fail at the worst moment. Data that only a few decades ago were being transferred from paper records to pocket-sized floppy disks now reside in the cloud, accessible from anywhere in the world with the right credentials.
Although theft of any personal information, such as bank records, is harmful, theft or misuse of health information can be a life or death matter.
The US Department of Health and Human Services (HHS) reported that healthcare data breaches in 2015 exposed the records of roughly 110 million people.
Also that year, a survey by the Healthcare Information and Management Systems Society (HIMSS), Chicago, indicated that two-thirds of US healthcare organizations have had breaches of IT security. In a report based on the survey, HIMSS vice president of technology solutions Lisa Gallagher says, "I don't think anyone was prepared for the level of cyber threats we're seeing."
According to the HIMSS report, hackers have learned that medical records contain more valuable information than other types of records. Electronic health records, for example, contain such personal data as date of birth, email address, diagnosis codes, Social Security numbers, and credit card numbers.
A thief or purchaser of these sensitive data can use them to commit insurance fraud or to obtain medical equipment or controlled substances.
At the same time, the healthcare industry is more vulnerable to hacking than are many other industries because of its decentralized nature; security policies and enforcement may be inconsistent or inadequate. Healthcare professionals, however skilled, tend not to have an interest or education in IT management.
In addition, with their focus on reducing costs, healthcare organizations avoid hiring security experts, according to Mac McMillan, chief executive officer of CynergisTek, a healthcare IT consulting firm in Austin, Texas. Government, finance, and other organizations are required by law to have outside consultants test and monitor data security, he notes. "Healthcare is unique in that people are trying to do this themselves," he says.
Healthcare providers also face two conflicting trends: increasing demand for information transparency and patient access to medical records vs the unique privacy mandates of the Health Insurance Portability and Accountability Act.
"Patients have privacy rights, but they can share their details on Facebook," notes C T Lin, MD, FACP, chief medical information officer at the University of Colorado Health System. He says surveys show that patient satisfaction increases when they are able to communicate with doctors via email.
However, security experts say those emails are also a convenient entry point for attackers. Many people have been victimized by phishing, in which an attacker impersonates a trusted party (a bank, an IT department, a colleague) to trick the recipient into giving up credentials, opening a malicious attachment, or visiting a counterfeit website that harvests whatever is typed into it.
Although distant hackers may present the greatest threat to healthcare organizations (according to 28% of HIMSS survey participants), there are entry points closer to home. Employees with access to confidential information are tempting targets for phishers. There is also a threat of what the report terms "malicious insiders" in a facility, who may deal in information the way others deal in drugs.
Hacking the hardware
With more medical, office, and building equipment dependent on computers, remote sabotage is a threat, and poorly maintained software can fail on its own, with no attacker involved. Automated building security components, such as door locks and cameras, are equally vulnerable.
This past February, a cardiac catheterization procedure was stopped for 5 minutes when the imaging device shut down because of a scheduled scan for viruses.
The manufacturer, Merge Healthcare, Chicago, had installed the scanning application with instructions, but the physicians were unaware of it, or of the time it was due to run. Merge Healthcare filed an Adverse Event Report as required by the US Food and Drug Administration.
Also in February, attackers infected computers in several departments at Hollywood Presbyterian Medical Center in Los Angeles with ransomware, locking staff out for 10 days until the hospital paid a ransom of $17,000 to regain access.
A growing threat
The use of ransomware is growing, and perpetrators have migrated to healthcare after attacking other industries and individuals, according to a report by Healthcare Informatics magazine and Symantec, Mountain View, California.
Medical devices are becoming prime targets because they can be entry points to networks containing personal health data. Vendors should be held responsible for the security of software in their products. However, the report notes, manufacturers often are more concerned with the effectiveness and convenience of their products than with data security.
More commonly, healthcare executives may see IT as a low priority. David Finn, health IT officer at Symantec and a former hospital chief information officer (CIO), recalls trying to convince hospital management to upgrade Pyxis automated drug-dispensing cabinets and being told the money wasn't available. He met with a nurse manager instead, and learned that unusable cabinets would cost more in employee work hours and would likely require hiring more staff. Based on that argument, the upgrade budget was approved.
"The reality is that every end user needs to be a security person," Finn says.
Other experts stress the need to address security threats directly. This means backing up files frequently (some recommend daily) and having outside consultants test for vulnerabilities and hidden breaches. Backups do not prevent a ransomware attack, but they are the surest way to avoid being incapacitated by one and to speed recovery, provided the backup copies are kept offline or otherwise out of the malware's reach (ransomware routinely encrypts any backup it can see on the network) and restores are tested before they are needed (see the sidebar, ASCs: Next in line for security breaches).
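The point about testing restores is easy to state and rarely done. The following is an added example, not code from the article or from any vendor it names: it snapshots a directory into a tar archive with a SHA-256 manifest, proves the archive restores byte-for-byte into a scratch directory, then simulates an encryptor trashing the live copy and shows the untouched archive still restores. The "records" it backs up are constructed stand-ins, and the archive path is assumed to be offline media in real use.

```python
"""Prove a backup is restorable, not merely present.

Added example, not code from the article or any product it names. It
snapshots a directory into a tar archive, records a SHA-256 manifest, and
then tests the archive by extracting it into a scratch directory and
re-hashing every file. The sample "records" are constructed stand-ins
(no real patient data).
"""
import hashlib
import pathlib
import tarfile
import tempfile


def sha256_of(path: pathlib.Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: pathlib.Path) -> dict:
    """Relative path -> SHA-256 for every file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifests(expected: dict, actual: dict) -> list:
    """Paths whose digest differs, or that exist on only one side."""
    return sorted(p for p in set(expected) | set(actual)
                  if expected.get(p) != actual.get(p))


def create_backup(root: pathlib.Path, archive: pathlib.Path) -> dict:
    """Write root into a gzip tar and return the manifest to keep beside it."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname=".")
    return manifest(root)


def verify_restore(archive: pathlib.Path, expected: dict) -> list:
    """Restore into a throwaway directory and compare against the manifest.
    An empty list means every file came back byte-for-byte."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = pathlib.Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(dest, filter="data")  # blocks path traversal (3.12+ and backports)
            except TypeError:                        # older Python: no filter argument
                tar.extractall(dest)
        return diff_manifests(expected, manifest(dest))


def simulate_ransomware(root: pathlib.Path) -> None:
    """Stand-in for an encryptor: overwrite every file and rename it."""
    for p in [q for q in root.rglob("*") if q.is_file()]:
        p.write_bytes(b"\x00locked\x00" + p.name.encode())
        p.rename(p.with_name(p.name + ".locked"))


def demo() -> dict:
    """Back up, verify, 'encrypt' the live copy, verify the archive still restores."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp, "records")
        (root / "2016-06").mkdir(parents=True)
        (root / "2016-06" / "case-0001.txt").write_text("constructed sample, no PHI\n")
        (root / "schedule.csv").write_text("date,room,procedure\n2016-06-01,OR-2,cath\n")
        archive = pathlib.Path(tmp, "records-backup.tgz")   # in practice: offline media

        expected = create_backup(root, archive)
        ok_before = verify_restore(archive, expected) == []
        simulate_ransomware(root)
        damaged = diff_manifests(expected, manifest(root))
        ok_after = verify_restore(archive, expected) == []   # archive was untouched
        return {"files": len(expected), "restore_ok_before": ok_before,
                "live_files_damaged": len(damaged), "restore_ok_after": ok_after}


if __name__ == "__main__":
    print(demo())
```

The manifest is the piece most backup routines skip: without it, a restore that "completes" can still hand back corrupted or half-encrypted files. In production the manifest and the archive belong on separate, write-once or offline storage, and the restore test should be run on a schedule, not only after an incident.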
Howard Haile, vice president and chief information security officer at SCL Health, Denver, counsels standing firm against any demands for ransom. "Contact the FBI [Federal Bureau of Investigation] or DHS [Department of Homeland Security], but don't pay it. There's nothing that says they won't come back and do it again."
Restrict access to workstations based on need, he counsels, and do not allow staff to connect personal devices to the facility's network.
Employees should receive training in recognizing security risks and preventing loss. Above all, experts agree that all staff and anyone else with access to internal data must be trained to avoid phishers; even IT professionals are often taken in, they say.
For example, with the growth in phishing, some experts recommend never clicking on a link in an email, but rather typing the address into the browser yourself, because the text a link displays need not match the address it actually opens.
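The mismatch between what a link shows and where it goes is mechanical to check, and a mail gateway or help desk can do it before a user has to. The following is an added example, not the article's or any vendor's code: it parses the anchors out of an HTML message, compares any hostname visible in the link text with the host in the href, and flags raw IP addresses and hosts outside the organization's own domains. The sample message and the trusted-domain set are constructed for the example; the two-label domain comparison is a simplification noted in the code.

```python
"""Flag links in an email whose visible text does not match where they go.

Added example, not code from the article. It parses the anchors out of an
HTML message body, compares any hostname shown in the link text with the
host in the href, and flags raw IP addresses and hosts outside the
organization's own domains. The sample message and the trusted-domain
set are constructed for the example.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A hostname-looking token in visible link text, e.g. "mychart.example.org".
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str) -> list:
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def registrable(host: str) -> str:
    """Last two labels of a host (example.org for mychart.example.org).
    Simplification: production code should use the Public Suffix List
    so that co.uk-style domains are handled correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_links(html: str, trusted_domains: set) -> list:
    """Return (finding, visible_text, href_host) triples for suspicious anchors."""
    findings = []
    for href, text in extract_links(html):
        host = urlparse(href).hostname or ""
        if not host:                      # mailto:, relative links, empty href
            continue
        shown = HOST_RE.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append(("display-mismatch", text, host))
        if is_ip(host):
            findings.append(("raw-ip", text, host))
        elif registrable(host) not in trusted_domains:
            findings.append(("untrusted-host", text, host))
    return findings


# Constructed sample: a credential-harvesting lure aimed at a patient portal.
SAMPLE_EMAIL = """
<p>Your patient portal password expires today.</p>
<p><a href="http://mychart-login.example.net/reset">https://mychart.example.org/reset</a></p>
<p><a href="http://192.0.2.10/verify">Verify your account</a></p>
<p><a href="https://mychart.example.org/help">Help center</a></p>
"""
TRUSTED_DOMAINS = {"example.org"}   # the organization's own domains (assumed)

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print(*finding)
```

Run against the sample, the first link is flagged twice (the shown portal address points at a lookalike host on another domain, and that domain is not one of the organization's) and the second once for its bare IP address; the genuine help-center link passes. The same check applied at the gateway is what turns "don't click links" from advice into a control.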
Having caught the attention of predators, healthcare now has no choice but to look for ways to protect itself. Fernando Blanco-Dopazo, vice president and CIO at Christus Health in Irving, Texas, calls for urgency: "Healthcare is 10 years behind the financial services industry in IT security. The question is, will it take us 10 years to catch up?"
ASCs: Next in line for security breaches
On June 1, The Ambulatory Surgery Center at St Mary, Langhorne, Pennsylvania, lost access to about 13,000 patient records when ransomware infected its database. The ASC avoided paying a ransom because all of the records were backed up and were restored within a day. However, as required by the Health Insurance Portability and Accountability Act (HIPAA), the facility sent alerts to each affected patient that health information may have been compromised.
"In most cases, the patient-level information consisted of name and date of birth, but more sensitive data may have been accessed," St Mary noted in a press release. Ransomware is a type of malware that is usually designed to encrypt data, shutting off access until the ransom is paid; it does not itself disclose the data, but the attacker's access to the system means that disclosure cannot be ruled out. According to a report on the breach in HIPAA Journal, St Mary is also conducting an internal audit to locate any additional malware that may have been left on the system and that could continue to threaten privacy.
Ad hoc approach
Medical IT consultant Chris Johnson, chief executive officer of Untangled Solutions, Mount Pleasant, Iowa, specializes in working with physician practices and ASCs to develop security strategies. He has observed that most ASCs take an ad hoc approach to IT security, reacting to incidents rather than having a strategy to prevent them. This is critical, he says, because healthcare data breaches generally result in violations of patient privacy provisions in HIPAA.
According to Johnson, the most common compliance and security discrepancies in ASCs are in these categories:
• no strategy
• no framework
• no metrics
• no documentation.
"Their focus is on keeping things running," Johnson explains.
As with other nonclinical functions such as disaster preparedness, staff training and management support are crucial. In fact, Johnson likens IT management to disaster planning, and the five elements of a successful plan are the same, as outlined below.
Make security a priority
At ASCs, the gaps in security may also result from lack of resources; their independent owners rely on small staff who focus on clinical issues.
Some of the security advice given to hospitals, such as hiring full-time IT security officers (who may command $500,000 salaries, according to some estimates), is impractical for ASCs.
Advice that applies to all healthcare facilities, however, is to convince upper management that IT security is critical to their mission, not an afterthought. As Johnson notes in the ASC context, governing boards should have a strong commitment to developing and funding the best possible strategy.
Ideally, facilities should have full-time security specialists to develop and coordinate the system, but for most ASCs the first step in bolstering their IT security is contracting with consultants familiar with healthcare operations and regulations.
There's really no better way to have confidence in your security environment than to hire an expert, Johnson says.
A second priority is to protect data and the facility by controlling access through passwords, badges, and physical barriers. A third is to follow the disaster planning model and appoint a committee to administer a plan for addressing security breaches. The plan and its implementation must be documented and tested. "'Document life cycle management' is a parallel HIPAA requirement that is underperformed and underappreciated, yet it's the source of many compliance shortcomings," Johnson notes.
Consider vendors and other business associates in terms of their vulnerability to data theft and willingness to support the ASC's security measures.
The important thing, Johnson stresses, is to take the first step: Commit to making an investment in IT security, and recognize that, however great the financial outlay may be, the cost in money, public relations, and possibly patient safety will be far higher when that breach happens.
"Doing nothing is the scary part," Johnson says.
Johnson C. Ensuring IT security and HIPAA compliance in ASCs: Complex rules, more challenges, higher penalties. Presented at ASCA Conference, 2016.
Pennsylvania ambulatory surgery center alerts 13K patients to ransomware attack. HIPAA Journal. July 15, 2016. www.hipaajournal.com.
Hagland M. With the ransomware crisis, the landscape of data security shifts in healthcare. Healthcare Informatics. 2016;33(3):41-47.
Hagland M, ed. Ransomware and emerging cyber threats: Why it's more than just an IT problem in healthcare. Healthcare Informatics special report. www.healthcare-informatics.com.
Healthcare Information and Management Systems Society. The state of web and mobile application security in healthcare. 2016. www.himssmedia.com.