We all know that there are millions of new cyber threats everyday, many new and undetectable. We also know about the 2014 federal mandate for healthcare. As a part of the American Recovery and Reinvestment Act, all public and private healthcare providers and other eligible professionals (EP) were required to adopt and demonstrate “meaningful use” of electronic medical records (EMR) by Jan. 1, 2014.
“Meaningful use” of electronic health records (EHR), as defined by HealthIT.gov, consists of using digital medical and health records to achieve the following:
- Improve quality, safety, efficiency, and reduce health disparities
- Engage patients and family
- Improve care coordination, and population and public health
- Maintain privacy and security of patient health information
So we have this law from the federal government telling the healthcare sector that they must put our medical records online, well this same government was not doing so well securing their own data. Enter the 2014 HHS wall of shame: According to the tally, the top five health data breaches in 2014 affected a combined total of nearly 7.4 million individuals. The largest breach in 2014 was the hacking attack on Community Health System, which affected 4.5 million individuals. Add these 2015 healthcare breaches: Premera Blue Cross at 11 million individuals and Anthem with 80 million individuals affected and you see the healthcare sector was not ready to go online.
So let’s look at how the government was doing securing its own data. The Congressional Report on the OPM government data breach on the 20 million records compromised stated:
- The OPM data breach was preventable.
- OPM leadership failed to heed repeated recommendations from its inspector general, failed to sufficiently respond to growing threats of sophisticated cyber-attacks, and failed to prioritize resources for cybersecurity.
- Data breaches in 2014 were likely connected and possibly coordinated to the 2015 data breach.
- OPM misled the public on the extent of the damage of the breach and made false statements to Congress.
The OPM data breach was one of the worst data breaches ever, it impacted government and government contractors with secret and top secret clearances. It included everything about these individuals and their families, even their fingerprints and yes even FBI director James Comey’s records were compromised.
What’s different with healthcare breaches is that they can have an immediate impact on human life. A successful phishing attack may result in a significant security incident that adversely effects the confidentiality, integrity, or availability of information. And, most frightening of all is the potential for patient harm.
Add to this ransomware attacks that have locked up major hospitals information systems which further endangers patient’s life! Last February, Hollywood Presbyterian Medical Center paid a $17,000 ransom in bitcoin to a hacker who seized control of the hospital's computer systems and would give back access only when the money was paid. The malware prevented hospital staff from using the medical devices, said Chief Executive Allen Stefanek.
The impact of a significant security incident to a healthcare organization is not just financial or reputational. Such an incident may have an adverse effect on patient safety (e.g., a hacked EHR system with tampered information, or a connected medical device under the control of a hacker which may deliver a fatal dose of medicine to a patient).
The HIPAA Security Rule requires the standards be applied to safeguard and protect ePHI when it’s at rest and in transit. There are three parts to the HIPAA Security Rule – technical safeguards, physical safeguards and administrative safeguards. HIPAA is also a law, not a compliance framework.
The HIPAA law also covers physical and administrative safeguards as well as the Privacy Rule and a Breach Notification Rule.
Since HIPAA is a law, how do we make HIPAA compliance happen? For the purpose of this HIPAA compliance report card we will focus on the technical safeguards as outlined in NIST 800-66 Guide to implementing the HIPAA Security Rule.
This HIPAA compliance report card is The Healthcare Information & Management Systems Society (HiMSS) 2016 Cyber Security Survey. The survey's Introduction states: With a total of 183 responses received between Feb. 15 and May 15, 2016, the findings from the 2016 report are highly reflective of the 2015 findings. Recognizing the relative uniformity in the results, the present report focuses exclusively on the 150 respondents representing U.S. based provider organizations (e.g. hospitals, physician offices). The decision to concentrate on this subset of respondents was based on the spate of headline news stories this past year reflecting security breaches in U.S. hospitals and other provider care sites. The findings in this report have also been parsed to differentiate respondents from hospital associated (acute care) organizations versus those from non-acute care organizations.
The following IT controls are very much the same for IT General Controls Audits, The NIST Cyber Security Framework and even PCI DSS. So the bottom line is these are the foundational controls for most any IT audit and compliance framework. Let’s see how well the healthcare sector did on this report. Remember we want 100% on all these controls and as you see they are not all at 100%. No A’s on this report card!
Antivirus/anti-malware and firewalls These are industry standards that all organizations must have!
The results are surprising since only 84.9% (acute) and 90.3% (non-acute) of providers are using antivirus and anti-malware software.
Encryption at rest and in transit. This is a mandatory HIPAA requirement.
Interestingly, only 68.1% of acute providers and less than half (48.4%) of non-acute providers are encrypting data in transit.
Accountability through audit logs This provides oversight if someone has the role to look at it.
Moreover, only 59.7% of acute providers and 61.3% of non-acute providers are using audit logs for each access to patient health and financial records.
Patch and vulnerability management. This is like a vaccine for all critical systems!
Only 61.3% of acute care providers and 41.9% of non-acute providers admit to having a patch and vulnerability management program.
Intrusion detection systems. This is like an alarm system for critical data you are protecting.
IDS systems, however, are underutilized with only 57.1% of acute care providers and 41.9% of non-acute providers using them.
Network monitoring tools. Provides visibility as to what and who is on your network.
Only 54.6% of acute care providers and 45.2% of non-acute providers are using network monitoring tools.
Mobile device management Most users are mobile users, this is another place your data lives!
Only 56.3% of acute care providers and 35.5% of non-acute care providers are deploying mobile device management
Single sign-on Simplifies user access and maintains strong authentication standards!
Only 52.1% of acute providers and 29.0% of non-acute providers are using single sign-on technology
Finally, the vast majority of ePHI breaches result from the loss or theft of mobile devices containing unencrypted data and the transmission of unsecured ePHI across open networks. Breaches of this nature are easily avoidable if all ePHI is encrypted! More than 11 million healthcare records were exposed in June 2016.
Cybersecurity attacks have the potential to yield disastrous results for healthcare providers and society as a whole. It is therefore of the utmost importance that healthcare providers acknowledge the need to address cybersecurity concerns and act accordingly. This survey reveals a less than stellar report card, one which reveals much more needs to be done. The healthcare sector has much more work to do to get an A on this important report card.
One additional point is that we as auditors continually see the lack of an assigned security and compliance professionals in place at organizations in all sectors. How will we ever get this basic compliance to 100% when no one is assigned the role of achieving it year round vs relegating it to the IT department to do when they have time? Time from rolling out Ttchnology and fixing it is 24 x 7.
It’s time for all internet connected organizations that store and process our confidential data in all sectors including the government to adequately fund this critical role. Otherwise we will have no excuse on the next data breach as our report card has not met the A standard! We must focus on the fact that compliance is the minimum we must do, it’s all about prevention and detection and does not fully address a proactive response that could actually prevent an intruder from taking everything we have. My colleague Ira Winkler just released an excellent book on this next step above compliance. It’s called in his terms, “Advanced Persistent Security.”