Important Lessons for Health Data Privacy, Security in 2015

Health data privacy and security issues are not going to disappear anytime soon, and will likely continue to evolve along with technology. Covered entities need to keep their privacy and security measures current, especially as they integrate new systems and devices into their daily routines.

By Elizabeth Snell, HealthITSecurity.

While the Anthem and Premera data breaches were not shining moments for the healthcare industry, several healthcare leaders state that it is important for other providers to take those situations and learn from them.

The large-scale healthcare data breaches reported earlier this year were definitely a wakeup call to the industry, according to Seattle Children’s Hospital CISO Cris Ewell, Ph.D. Adversaries are now looking toward medical data to be used in multiple avenues, such as Medicare insurance fraud or medical identity theft, he said in an interview with HealthITSecurity.com.

“We have to take notice of that and start really paying attention to the practices that we have related to cybercrime and just vulnerabilities in general,” Ewell said.

Sharing data securely is becoming more important for healthcare, he added. Whether facilities are sharing internally or externally, either to third-party organizations or fellow providers, it’s essential to do that in a secure way. Cloud technology is on the rise, as is the use of mobile devices, and healthcare processes weren’t originally designed to account for all of that, Ewell said.

“How do we ensure that we are protecting all that data and still allowing the interaction between the clinician and the patient?” he asked.

For Seattle Children’s specifically, Ewell explained that the population does not want to use the telephone, and would rather text and use other communication applications. A key issue is to find ways to utilize that technology in a secure way.

“We have some new vendors coming out, some new technologies to help with secure texting and those type of things,” Ewell said. “But I think the technology has to catch up with the actual interaction.”

Sanjeev Sah, Director of IS Risk & Controls at Texas Children's Hospital said that maintaining HIPAA compliance and implementing the necessary federal safeguards are top issues for healthcare in 2015.

“We want to ensure that we are protected from threats from a security perspective,” Sah said. “Also, we want to make sure we are meeting our compliance obligations when it comes to safeguarding health information, either in due force of business or when we exchange data with other entities for business purposes. We need to be focused on that front.”

The other key focus area needs to be on patient expectations when it comes to their data security, Sah explained, and facilities must focus on adhering to the HIPAA and HITECH safeguards.

“The focus in 2015 is much more about ensuring that the [health data] compromises are not traditional in nature,” he said. “We have the ability to detect them from a safeguard perspective and take preventative measures before they ever take place. There’s a bit of anticipation that goes into this.”

Key takeaways from large health data breaches

Health data security must go beyond the technical safeguards, according to Sah, and it requires covered entities to be vigilant on numerous fronts. It is a combination of understanding the facility’s existing gaps to better achieve comprehensive security.

“Breaches can be highly damaging to an entity from a reputation perspective, and is highly damaging,” Sah said. “Learning and applying those lessons to safeguard your own environment is what I take away from these breaches.”

Proper auditing is something that healthcare facilities of all sizes need to adhere to, according to Aaron Kramer, Director of Information Technology at St. Lukes/Cornwall Hospital. Facilities need to ensure that employees who have permissions to access certain files or databases actually should have those permissions in order to do their job properly.

“It’s difficult to plug all [security] holes,” Kramer said, adding that smaller entities likely have limited resources when compared to larger providers.

“A place like Anthem has a tremendous amount of resources, much more than a community hospital,” he explained. “It’s always a challenge making sure we can put enough resources toward securing everything that’s required.”

Ewell echoed those sentiments, adding that his facility’s practice revolves around the assumption that a data breach will take place.

“You can certainly help mitigate it, but a very vengeful person or someone who is directed to accessing your system, they will be able to do it,” Ewell said. “The adversaries are that good, so with that in mind, it’s a good reminder that [breaches] do happen.”

Another key element is for healthcare organizations to have a strong information security program based on risk, according to Ewell. Seattle Children’s has been “beefing up” its intelligence and monitoring program, he said, to ensure that if a data security breach does happen, the organization can detect it as quickly as possible.

How employee training can affect the organization

Employee training and awareness programs will have a huge effect on covered entities, according to all three healthcare leaders. With anything from phishing scams to sophisticated cyber attacks putting health data at risk, it’s important for staff members to have a comprehensive idea of what type of malicious activity to be on alert for.

“The trick is, how do we balance that with everything else that’s required for [employees] to keep up their practices and actually what they need to do: treat patients,” Ewell said.

Not only is employee training critical, according to Sah, employee training at all levels is necessary. Everyone from senior level to contributors to those affiliated with a covered entity’s partners and vendors must have an understanding of proper health data security.

“All can fail if people are not aware,” Sah said. “And they need to be aware in a way that when they see malicious activity or they see something abnormal, that they have the awareness, knowledge, and know-how to take the next step of action.”

For example, if an employee sees what they think might be a phishing email, it’s essential to not only recognize it as malicious activity, but to then take the next step and notify the necessary personnel. That will better help the organization respond to the issue, Sah explained.

“A single person who is not aware can still cause a gap that can then be leveraged to create the types of threats or attacks we’ve seen,” said Sah. “[Employee training] is the most invaluable thing that any organization can do.”

The future of healthcare privacy and security

One positive factor that can help healthcare improve its privacy and security measures, according to Kramer is that more organizations are creating C-level positions that handle those issues. It’s not just an IT focus anymore, Kramer explained, it’s about the entire organization.

Even so, the healthcare industry as a whole is very immature when it comes to the protection of its data, according to Ewell, and it is definitely becoming more evident. Risk management cannot be overlooked, regardless of an organization’s size, he explained. This could be due in large part to the majority of physician practices being smaller and not being able to hire individuals whose sole job is to manage risk and oversee security issues.

“We keep making things more secure, but our adversaries are just as quick and they are very well funded, and that’s the problem,” Ewell said. “We just aren’t moving fast enough.”