April 25, 2011
Finding Holes in IT Security
By Leslie Feldman
For The Record
Vol. 23 No. 8 P. 10
One privacy misstep can land healthcare organizations in hot water.
With healthcare organizations increasingly moving to electronic means of storing protected health information (PHI), securing that data becomes a much more important task. Adding to the complexity is the rapidly growing number of diverse technologies used for processing and storing electronic PHI (ePHI). Each platform has its own format for recording specific activities, making it difficult for organizations to easily discover nefarious behavior.
Since HIPAA’s enactment in April 2003, Health and Human Services’ Office of Civil Rights (OCR) has investigated and resolved more than 11,000 HIPAA violations. Since enactment of the Interim Final Breach Notification Rule in September 2009, nearly 7 million patients have been affected by data breaches. Privacy and security experts say healthcare providers need to conduct detailed policy and implementation reviews to make sure they are HIPAA compliant. Once holes are identified, they need to work quickly to remediate the situation before it leads to much larger problems down the road.
Finding those holes, however, is not always easy.
Mike Spinney, a senior privacy analyst with the Ponemon Institute, a research organization dedicated to advancing responsible information and privacy management practices in business and government, says one of the biggest security hurdles facing healthcare organizations is transitioning from paper-based medical records to a digital system.
“We’re already seeing these struggles play out with cases of improper management and security. And with increased penalties and enforcement under the HITECH Act, the costs of failure are steep,” he says.
Spinney says healthcare organizations must approach the move toward a digital health information network from more than a technology perspective. They should also consider it to be a strategic initiative that includes a review of policies and processes for securing and managing information.
“The old way of doing things is no longer sufficient in an age when so many have access to highly sensitive information,” he notes.
Where Are the Glitches?
Insiders pose a substantial security threat by virtue of their knowledge of and access to their employers’ systems and/or critical assets, says Randy Trzeciak, technical team lead for the Insider Threat Outreach and Transition group at Carnegie Mellon University’s Software Engineering Institute CERT program.
“Insiders can bypass existing physical and electronic security measures through legitimate measures,” Trzeciak says. “The majority of insider incidents are set up or carried out by employees, contractors, or other trusted business partners with authorized access performing authorized actions but with malicious intent. The difficulty facing most organizations is determining malicious intent. Most technical solutions applied to the insider threat problem are not able to efficiently differentiate between anomalous activity and ‘normal’ activity.”
The Insider Threat Center at CERT works with organizations to protect critical infrastructure and assets from insider threats. “We provide guidance on how organizations can be better prepared to prevent, detect, and respond to malicious insider activity. We do this by offering insider threat vulnerability assessments, providing training, and producing publications,” Trzeciak says.
Mac McMillan, chairman and CEO of CynergisTek and chair of the HIMSS Privacy and Security Steering Committee, believes the biggest problem with data security is a lack of appreciation or understanding for what it takes to actually do it correctly, which unfortunately translates all too often to a lack of focus and resources.
“The HIMSS annual security survey confirmed this once again for the third year in a row: Healthcare organizations routinely spend less than half of what other regulated industries spend on information security,” he says. “The second biggest problem, which relates to the first, is the lack of qualified staff managing or handling security responsibilities. Data security is a specialized field in IT and requires training and experience to be proficient just like any other profession. Many security staff in healthcare today are new to their positions and don't have the training necessary to make them successful. The last challenge is associated with the assumption that some have that data security in complex environments can be accomplished without investing in technology. This puts many organizations at greater risk than they know.”
He adds that organizations need to treat IT security with the priority it deserves. “Take a step back, conduct an objective risk assessment, develop a meaningful and integrated plan for remediation, and resource it properly,” McMillan suggests. “The money spent on doing it right up front will be far less than the potential negative outcomes, including the cost of doing it wrong. Recent OCR fines demonstrate this point.”
E-Mail Encryption — A Safe Harbor
Effective healthcare delivery typically involves collaboration and information sharing. E-mail remains the only ubiquitous network that’s well understood and efficient for the electronic exchange of healthcare information. The issue with e-mail is the fact that it’s inherently insecure.
These two factors have caused health plans and healthcare providers to turn to companies such as Zix Corporation (ZixCorp) in an effort to make their e-mail operations more secure. By enlisting these services, providers can help address the security of patient privacy, the protection of business partners, and compliance with healthcare regulations. For example, ZixCorp secures sensitive information in e-mail while in transit and ensures that hackers cannot access sensitive information on the Internet.
“Prior to HIPAA 2.0 and the HITECH Act, some healthcare organizations chose to implement paper-based policies and employee training as a means of satisfying their regulatory requirements,” says Rick Spurr, ZixCorp’s chairman and CEO. “After the updates and the changes ushered in via the HITECH Act, healthcare organizations no longer feel the same comfort with manual procedures. The problem with this approach is twofold. First, it is subject to human error, and secondly, it restricts the usage of e-mail, a great, well-understood vehicle for effective and efficient communication. They realize they need an automated solution to enforce their policies.”
He adds that healthcare organizations must increase their awareness of protecting patient privacy and are looking to e-mail encryption as a safe harbor for ensuring that sensitive information gets transmitted only to its intended recipients.
“An audit of your outbound e-mail traffic can offer a glimpse into the gravity of the problem. Even if a healthcare organization is sending PHI in only 1% of its overall outbound e-mail, about 100 of 10,000 e-mails per day will contain sensitive information,” Spurr says. “It takes only one e-mail containing information on 500 patients to land your healthcare organization on the OCR list, in the news, and on the minds of concerned patients.”
Spurr explains that a policy-based e-mail encryption solution automatically scans the e-mail subject line, content, and attachments and then encrypts as appropriate. “Other non–policy-based approaches can result in complicated security measures that often frustrate patients, physicians, nurses, staff, and business partners,” he says.
Employees Require Monitoring
Eric Knight, senior knowledge engineer at LogRhythm, which provides healthcare organizations with the means to proactively protect ePHI as well as the tools to identify the individuals who perpetuate data breaches, says healthcare organizations need to collect, securely store, and provide ready access to all ePHI-related log data for internal and external auditing and compliance.
LogRhythm collects audit, security, and operations logs from systems in the ePHI environment to create an official record of events. During the collection process, the tool identifies key events that signal a cause for action, such as breaches, system failures, or inappropriate usage. Using correlation, it can check for suspicious or hostile activities by looking for violations of pattern in specific IT activities. LogRhythm provides this capability in real time and can notify administrators directly of activities that can threaten the privacy and security of ePHI.
“Accomplishing this with high volumes of data from a multitude of device types and formats is overly resource and infrastructure intensive for most organizations,” Knight says. “Tracking individual user behavior and understanding the relevant context of that activity has historically been a time-consuming and manual process—assuming that the organization knows where to look in the first place. Organizations that experience an ePHI data breach are required to provide accurate forensic data containing all relevant details about the incident in a timely fashion. However, most IT groups are ill equipped to comply with such mandates, exposing their organizations to hefty fines and additional risks.”
Knight adds that hospitals can put strict processes in place for defining what constitutes appropriate access and can implement solutions such as log and event management designed to audit and report on activity that violates these policies in a secure, real-time fashion.
Stop the Medical Snooping
Part of the challenge facing healthcare organizations is how to effectively limit staff access to EHRs. It’s difficult, to say the least.
“Traditional approaches to detecting inappropriate access to electronic health records requires dedicated IT staff and burdens privacy and compliance officers with huge volumes of activity logs to investigate,” explains Alan Norquist, CEO of Veriphyr, which uses an on-demand service model to detect unauthorized personnel accessing patient files.
The rules governing access can get cumbersome because they change as the patient moves throughout the organization.
“The problem lies in static rules and scenarios that yield too many false-positives and false-negatives,” Norquist says. “For example, they cannot differentiate between appropriate access by a nurse looking at the records of a current patient and inappropriate access when the same nurse looks at the records of the same patient after the patient has been transferred to a different unit where the patient is under the care of a different nurse. Only a combination of privacy training and a reliable medical snooping detection capability will deter unauthorized access by employees.”
— Leslie Feldman is a freelance healthcare writer and marketing communications consultant in Philadelphia.
A Compliance Program in Action
At Lourdes Health System in Delran, N.J., “integrity in action” is the theme of its corporate compliance program. From administration and medical staff to department associates, the health system has developed a compliance awareness campaign that works to ensure all staff members understand they are accountable for their actions.
Barbara Holfelner, chief compliance officer and vice president for patient safety, risk management, and corporate compliance, says within a hospital setting, staff are exposed to confidential information and need to be champions for the protection of patient information and rights.
“We center all activities around patients and provide the education necessary to make certain that associates understand their obligations,” she explains. “We developed an online corporate compliance and HIPAA education program video that all associates must watch, which also tests their learning at the end. The health system has foundation documents which the compliance program is rooted in that include our mission statement, code of conduct, and code of ethics.”
As part of its corporate compliance program, Lourdes participates in privacy audits in which members of the compliance team visit hospital departments to conduct assessments and provide feedback. “We feel this gives visibility to our compliance program and helps reinforce the importance of HIPAA,” says Holfelner. “We encourage open communication, and we will investigate any concerns that are brought to our attention, ensuring resolution of the issue.”
The health system’s IT department also conducts periodic scans on its information security systems and has internal measures to handle any problems that might occur.
“All of our information is encrypted and can only be read by the intended receiver,” Holfelner says. “We encourage associates to change their passwords frequently and never share a password. In summary, our program is mission, patient rights, and organizational ethics equals integrity in action.”