Feature | August 05, 2014 | Lysa Myers

How Can Doctors Practice Better Security?

Being lax with security can have a long-lasting impact on all patients

Did you know that medical data on 20,000 people could be exposed to abuse today? According to the U.S. Department of Health and Human Services (HHS), that is the average number of people whose protected health information was breached per day in 2013. While healthcare practitioners may not realize the value of the data in their care, criminals certainly do. Clinicians and nurses may be wary of security measures that might slow them down, but there are ways to improve security that will not cost precious moments in an emergency. Being lax with security can have a long-lasting impact on all of your patients, not just those with emergencies.
 
What Motivates Cyber Criminals?
You may be wondering what data healthcare practitioners have that is all that interesting to criminals. Are people really profiting by stealing records of little Johnny’s ear infection? Not necessarily, though insurance fraud and blackmail certainly do happen. It is less often the specific details of treatment than the treasure trove of identifying and financial information that electronic health records (EHR) contain, which can be sold on the black market to perpetrate identity theft and financial fraud. While federal rules and regulations (namely the Health Insurance Portability and Accountability Act of 1996, or HIPAA) exist to help healthcare practitioners protect data, compliance with those rules does not necessarily equate with security: a practice can pass an audit and still be easy to break into.
 
Most of us think retail stores are the obvious choice for cyber criminals looking to wreak financial havoc. While the Target breach dominated the headlines late last year, only 13 percent of the breach incidents reported in 2013 were in the retail sector, compared with 45 percent in the medical field, according to Privacy Rights Clearinghouse (PRC). According to the HHS breach portal, often called the “Wall of Shame,” where breaches of unsecured protected health information affecting 500 or more individuals must be reported, more than 30 million records were exposed between September 2009 and June 2014.
 
Obviously credit and debit card information is useful for criminals, and most doctors’ offices and insurance companies accept both forms of payment from patients. But electronic health records may include other information that is useful to criminals as well. 
 
Social Security numbers are often required for insurance purposes, and these can be used to steal a person’s identity, which can be a lot more problematic to correct than someone stealing your credit card. Physicians and insurance companies also gather a patient’s name, physical address, phone numbers and maybe an e-mail address. The black market for this sort of information is mature and robust, and criminals can expect a big payday if they target healthcare providers that are unprepared and unaware of the value of the information they are storing.
 
Now What?
The bad news is that breaches are a very real and scary thing. The good news is that there are simple things you can do, as a healthcare practitioner, to protect that important data. Here are a few things that will help you improve your security without impeding your ability to respond to patients quickly.
 
Update early and often: Regularly updating all of your software is one of the most important things you can do to close the vulnerabilities criminals use to get into your machines, and vendors usually provide updates at no cost to you. When you get a notice from your vendor, go directly to the vendor’s website or a reputable app store to get the update as soon as possible rather than clicking a link in the notice itself. Some malware pretends to be a software update warning, so the source of the update matters as much as its timing. Do not let that nagging update notice go unheeded.
 
Create layered defenses: While your security department may have robust protection for your network, mobile devices and cloud computing make the network boundary very foggy. It is important to protect the data as well as the devices. Do not assume that because your organization has security products, you are protected against everything. Many times a lost or stolen device, or a stolen login credential, is all criminals need to get into a network. Make sure you have a good-quality anti-malware suite, including a firewall, on every device you use to access or discuss healthcare information (do not forget Android tablets, Mac computers and Windows machines), and keep the security software and malware definitions updated. Any important data should be encrypted both in storage and any time it leaves your machine, such as via e-mail or on devices such as smartphones or USB sticks. Do not discuss patient information over unencrypted channels such as SMS text messages.
 
Go beyond passwords: If you are protecting a lot of patient data, a password alone may not be enough. Consider implementing two-factor authentication, where the second factor is something you have or something you are: a biometric such as a fingerprint, or a one-time passcode provided by a small digital key card or fob, or by a smartphone app. You can also increase your password security by upgrading your password to a passphrase. A short sentence is much more difficult to crack than a single word and can still be easy to remember, as long as it is not a well-known quotation or song lyric, since those appear in the word lists attackers try first. Each of your digital devices should be protected with a passcode or biometric and a short auto-lock time-out, so that if one falls into the wrong hands the data is not easily accessible.
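To show what the “one-time passcode from a smartphone app” above actually is, here is an added example, not code from the original article or from any vendor, of the time-based one-time password (TOTP) algorithm from RFC 6238 in plain Python, using only the standard library. The secret used below is the published RFC 6238 test secret (the ASCII string `12345678901234567890`), chosen so the output can be checked against the RFC’s own test vectors; a real deployment generates a random secret per user and shares it once (typically via a QR code), and the `verify_totp` window, step and digit count are assumptions matching the RFC defaults.

```python
"""
Added example: minimal RFC 6238 TOTP generation and verification using only
the Python standard library. Not the article's code; assumptions are noted.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 defaults: 30-second time step, 6-digit codes, HMAC-SHA1.
TIME_STEP = 30
DIGITS = 6

# Test secret from RFC 6238 Appendix B (ASCII "12345678901234567890").
# Constructed for verification only; never reuse a published secret in production.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: dynamically truncate HMAC-SHA1(secret, counter) to decimal digits."""
    msg = struct.pack(">Q", counter)               # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = TIME_STEP, digits: int = DIGITS) -> bool:
    """
    Server-side check of a submitted code. Accepts the current time step and
    `window` steps on either side to tolerate clock drift between phone and
    server (window=1 is an assumed, common choice). Uses a constant-time
    comparison so a wrong code cannot be distinguished by response timing.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = unix_time // step
    matched = False
    for c in range(counter - window, counter + window + 1):
        # Do not short-circuit: check every candidate to keep timing uniform.
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            matched = True
    return matched


def secret_to_base32(secret: bytes) -> str:
    """Base32 encoding of the secret, the form authenticator apps import."""
    return base64.b32encode(secret).decode("ascii")


if __name__ == "__main__":
    print("secret for the authenticator app:", secret_to_base32(RFC_TEST_SECRET))
    print("RFC 6238 vector, T=59:", totp(RFC_TEST_SECRET, 59))   # 287082
    print("code right now:", totp(RFC_TEST_SECRET, int(time.time())))
```

The important operational point is the one the verification function encodes: a one-time code only proves possession of the secret if the server rejects it outside a narrow time window, so a code phished or shoulder-surfed today is worthless a minute later. The secret itself must be stored and transmitted as carefully as a password database.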
 
Choose to protect your own device: Being able to check work-related information from a mobile device whenever and wherever you are is a huge boon for responsiveness. But it also leads to a host of problems, as those devices are easily misplaced and are less likely to be protected from malicious access. More and more offices offer employees a managed mobile device, one that IT staff can scan for problematic apps or links and remotely wipe if it is lost or stolen. If you are not offered this, you can still get many of the benefits with free or low-cost apps: anti-malware scanners on Android devices can help you avoid problematic apps and links, and device-finder apps that can also wipe data from a lost device are available for all smartphone operating systems.
 
Practice the principle of least privilege: The principle of least privilege simply means that no person, machine or system should have access to anything it does not strictly need. For instance, if you use a personal device at work and at home, create a separate profile for each role, so that a game or web app installed at home cannot reach your work data. And if you share that device with other people in either place, create a separate guest account that has no access to your sensitive information.
 
Encrypt everywhere: As noted in the “layered defenses” tip, encryption is a simple and effective way to safeguard data. When we have something valuable, we lock it up when it is not in use. The same is true of data: valuable information should be encrypted whenever it is not directly in use. That means it should be encrypted in storage, and when it is being accessed or sent over the network, it should travel over an encrypted connection. Encrypting “end to end,” with the key held only by the people who need the data, minimizes criminals’ ability to get anything useful, even if they do manage to breach your other defenses.
 
Watch out for leaky data: Wi-Fi is a fact of life, and free hotspots are available wherever you go these days. But public Wi-Fi is an easy place for attackers to eavesdrop and snag your data in transit if the connection is not properly secured. When you are out and about, it is best to avoid accessing or transmitting sensitive information over Wi-Fi at all. If you do need to, make sure the connection is encrypted (look for HTTPS and do not click past certificate warnings). A VPN creates a private, encrypted connection between your own devices and your work resources regardless of the network in between. When connecting to the Internet or office network from unfamiliar places, consider using your smartphone’s 4G connectivity or a 4G hotspot instead of sketchy public Wi-Fi.
 
Good security should not make doing your job impossible: With a variety of small changes, the effect on your ability to do work should be negligible. And the effect of maintaining your patients’ trust by protecting their data will certainly make your job easier. 
 
Editor's note: Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats grow and change dramatically. She enjoys explaining security issues in an approachable manner for companies and consumers alike. Over the years, Myers has worked both within antivirus research labs, finding and analyzing new malware, and within the third-party testing industry, evaluating the effectiveness of security products. As a security researcher for ESET, she focuses on providing practical analysis and advice on security trends and events.
 
