Digitized medical records are easy prey, but all is not lost

Christopher Burgess on writing a new prescription for health data trust.

Wherever money and information flow, so do the bad guys. And with estimates that the Electronic Medical Record (EMR) and Electronic Health Record (EHR) market in the U.S. will reach $6 billion by 2015 -- according to the research and consulting firm MarketsandMarkets -- it's no surprise criminals are paying more attention. Also no shock is that as more records are digitized, there are many more breaches involving patient data. This is not unlike when vast credit card breaches quickly followed the rise of e-commerce in the early part of the previous decade.

CSOonline has been staying on top of the health care security issue, including what health care organizations are doing to protect their customers' data and the rising risk of medical identity theft.


Christopher Burgess, frequent author on IT security subjects and member of the External Advisory Board for the Mayo Clinic Center for Social Media, recently published a blog post, Patient Data: The Crown Jewels on the Mayo Clinic's site that provides recommendations health care providers can use to better secure their patient data. We took the opportunity to discuss the state of health care data security with Burgess as it relates to current trends, cloud computing, physical security and criminal motives.

CSOonline: When looking at the types of breaches health care organizations have suffered, they don't look like sophisticated hacks. Many of them, such as hardcopy breaches, stolen systems, and lost thumb drives all look avoidable.

Burgess: That was one of the reasons I wrote the piece. My feeling was that this level of data loss and the manner in which these records were lost are basic blocking and tackling in the protection of data arena. I would venture to guess, though I didn't do any research on this, that most if not all of the entities that lost their data were HIPAA compliant. As I said in my piece, and as you and I have said many times elsewhere, being compliant doesn't mean being secure. It just means you're compliant to a level, and I have to say that HIPAA absolutely raised the tide and put in a modicum of security. But the secure practices need to be ingrained in everyone handling medical records. With digital records, folks lock their offices and they chain down their computers, but a bolt cutter can steal their computer. But if the data isn't protected within that state, then if you lose all your servers, what have you lost? You've lost all your customer data. And take this to the next level. What about those entities that are outsourcing to a cloud storage environment, their data records or their patient data records? How are they being secured in that environment? If that entity is breached, it's not just one organization's list of patients, but potentially dozens or hundreds of organizations.

Well, some folks argue that they're probably more secure there because that's the job of the cloud provider. And a cloud provider may have the resources and expertise to focus on keeping the systems more secure.

Burgess: I would say that it is incumbent upon the custodian of the data to understand if the level of protection is equal to or superior to that which you can provide in your own environment.

Because the delegation of security doesn't delegate responsibility, right?

Burgess: I absolutely agree with what you just said. And does the service provider have access to your data? Can they read your data in clear text? If they can, are they in a position where they may be able to access your data and thus violate the integrity of the information without your knowledge? So what's my solution? Encrypt, encrypt, encrypt. If you're going to store data outside, make sure it's stored encrypted. That way you don't have to worry about whether or not your service provider can access your data. And if they lose patient data, by extension they will probably lose patients. And if you lose your patient base, then you are soon out of business. Thus I believe there is a very clear connection between the continuity of business and the necessity of protecting patient data from inadvertent disclosure or disclosure when assets are stolen.

There were some examples that were laptops stolen out of trunks, laptops lost, or thumb drives that contain data misplaced. Again, why isn't the data encrypted then? If the thumb drive is encrypted and lost, it's a nonevent. It's when the laptop is lost and it's not encrypted and the data is known to be there in clear text, the entities or the individuals are crossing their fingers that this was just a theft and somebody's going to reimage it and not use the patient data.

There are plenty of cases of theft of notebooks, drives, even servers out of data centers. But do we have evidence that criminals are targeting medical information specifically?

Burgess: There is an instance of hard copy records being stolen from a doctor's residence. He took the records home from his private practice to destroy them, and the thief was caught trying to sell the information. So it's not hypothetical anymore. People are stealing medical information to sell. Remember a criminal engages in theft for two reasons -- monetization or increased capability to engender more monetization. That's it. It's about power, access, and capability and making money. So when somebody steals something, you have to think through why did they steal it? And that's why I wrote it in this fashion for Mayo. In this aspect, about breaking trust, the way to keep your pulse on it is actually communicate with your employees. Let them know that you absolutely care about them, that they are the most important assets to all concerned. They are the avenue by which the corporation, the individual doctor, etc. engages with their patients and provides support to their patients. But what about the bad employee that was bad before you hired them? There were instances where individuals were hired that had criminal records that were germane to the duties they were given. For example, one lady was hired who had a prior record of absconding with information and using it for identity theft. But she was hired to handle patient information.

Yes, that's just crazy. I think society wants to give people second opportunities, but to put someone in that position just seems ill-advised.

Burgess: In the United States, it is so easy to get an in-depth background check on any individual who gives consent, and it is inexpensive. There is no reason that a background check shouldn't be done on every individual who is touching patient health care records.

What would you say, for the medical community, are the top two or three things they should be doing to improve security?

Burgess: They should absolutely make sure that the digital environment that is hosting the patient data records is accessible to only those with a need to know, the concept of least privilege access. If I'm a doctor, I need to be able to access my patients' records. If I'm a nurse on a ward, I need to access my patients' records, but do I need to access all patients of that hospital? So you construct on the basis of least privilege access. Then you make sure that your data at rest is secure and that those who have access to that environment are also on the need to know with auditability and track records, so that you're able to tell who's touched the data, why, and when.

All of that's in place today with the requirements around HIPAA. So what you need to do is have security education and awareness for your population set. Good common-sense everyday practices. You don't leave a patient record where a non-medical person can reach in and lift it. You don't put data on loading docks unsecured. You make sure that you have accountability when transiting data, and you can trust the service providers in the transportation industry. All of them have means by which to transmit and transport confidential data in a more secure manner. It just means a little more expense for the validation that the box or the envelope is not lost. Know who your service providers are and know and understand that the level of service they are providing to you is equal to that which you expect in the protection of your patient data.
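As an added illustration of the least-privilege and auditability model Burgess describes (this is example code, not from the article, CSOonline or the Mayo Clinic), a small Python policy check: a doctor sees only the patients they attend, a ward nurse only patients on their ward, everyone else is denied by default, and every attempt, allowed or denied, is written to an audit trail recording who, why and when. All staff names and patient records are constructed.

```python
from datetime import datetime, timezone

# Constructed sample patient records (not real data): ward and attending doctor.
PATIENTS = {
    "p1": {"ward": "3N", "attending": "dr_lee"},
    "p2": {"ward": "3N", "attending": "dr_ortiz"},
    "p3": {"ward": "5S", "attending": "dr_lee"},
}

# Constructed staff directory: each role carries the scope it is limited to.
STAFF = {
    "dr_lee": {"role": "doctor", "scope": None},
    "nurse_ann": {"role": "nurse", "scope": "3N"},
    "billing_bob": {"role": "billing", "scope": None},
}

AUDIT_LOG = []  # who touched which record, why, when, and whether it was allowed


def is_permitted(user, patient_id):
    """Need-to-know check: doctors see their own patients, ward nurses only
    patients on their ward; any other role or unknown user is denied."""
    staff = STAFF.get(user)
    patient = PATIENTS.get(patient_id)
    if staff is None or patient is None:
        return False
    if staff["role"] == "doctor":
        return patient["attending"] == user
    if staff["role"] == "nurse":
        return patient["ward"] == staff["scope"]
    return False


def access_record(user, patient_id, reason):
    """Enforce least privilege and audit every attempt, including denials,
    so a reviewer can later reconstruct who touched the data, why and when."""
    allowed = is_permitted(user, patient_id)
    AUDIT_LOG.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "who": user, "record": patient_id, "why": reason, "allowed": allowed,
    })
    if not allowed:
        raise PermissionError(f"{user} may not access {patient_id}")
    return PATIENTS[patient_id]


def denied_attempts(log=AUDIT_LOG):
    """Detection hook: denied attempts are the entries worth reviewing first."""
    return [entry for entry in log if not entry["allowed"]]
```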

Copyright © 2011 IDG Communications, Inc.
