Is health care security in intensive care?

Spurred by millions in incentives to promote widespread Electronic Health Record (EHR) adoption, the healthcare industry is engaged in one of the broadest, most rapid digital-record rollouts in IT history. Started in force with the Health Information Technology for Economic and Clinical Health Act (HITECH Act ), which is part of the American Recovery and Reinvestment Act of 2009 (ARRA), ARRA advances an effort toward a national electronic health care infrastructure and is accelerating adoption dramatically.

However, can the health care industry manage to secure its EHRs as rapidly as it deploys them? Since September 2009, when the government started publishing health breach cases consisting of more than 500 patient records, there have been 265 incidents that have affected more than 10.8 million people. Those who are closely following security in the health care industry not only expect the number of incidents to continue to rise, but for there to be a number of significant incidents ahead. “I’m not saying that they’re not taking precautions when it comes to security, I’m saying that the more the health care industry moves toward electronic medical records, the more likely there’s going to be a spectacular data breach that will be an industry wake-up call, says Edward Schwartz, chief security officer at IT security firm NetWitness.

Mel Shakir, chief technology officer at IT security provider NitroSecurity, agrees. “I think there are going to be a lot of lessons learned ahead in this industry,” he says. “We’re seeing basic mistakes being made, such as identity and access management roles not being enforced. And many deploying electronic records are not always performing adequate monitoring, and they don’t necessarily have the expertise, especially in smaller organizations, to do so.”

“We know that even with all of security efforts in place, mature industry sectors who have experienced security staff with reasonable approaches to security in place are getting breached,” says Schwartz. “If organizations that already have the right technologies and staff in place are not successfully stopping data breaches, what hope is there for organizations that are just starting out and don’t have the same level of resources?”

Experts say it’s not as if health care companies are ignoring IT security: they’re certainly not. They’re conducting their Health Insurance Portability and Accountability Act (HIPAA) assessments, vulnerability assessments, and looking to build security controls where they can. “Still, you know they are being squeezed. They’re being told to constantly do more with less,” says Mark Rasch, director, cybersecurity and privacy consulting at It consultancy CSC.

All of the experts we interviewed say they’re seeing increased demand for security services from the health care industry, from security gap analysis to implementing security programs that include everything from endpoint encryption to improved identity and access management and security event monitoring. “There’s only so much you can do so quickly, there is education that needs to be done, policies that need to be adapted to, and a learning curve that will include mistakes,” Shakir says.

Shakir noted a recent example when regulated data had been put on a server that resulted in a health care providers DMZ (systems between the Internet and the internal network). “It was data that should not have been stored inside the DMZ, but protected within the network. That’s the type of education and training that needs to take place,” he says. “The challenge with security is that companies don’t think a breach will happen to them, and they don’t often take it seriously until there has been a breach.”

While experts agree that there’s much more work ahead of the health care industry when it comes to maintaining secure and private electronic records — the industry is taking action to fill the gap. We’ll soon cover what efforts health care companies have underway to fill in their gaps in a follow-up story.

George V. Hulme writes about security and technology from his home in Minneapolis. He can be found on Twitter as @georgevhulme.