Monday, August 5, 2013

Final Blog- An Analysis

It’s hard to believe the semester is ending as well as this blog.  Initially, I was skeptical about the idea of writing a blog strictly composed of security issues, but I believe it has provided me the opportunity to better understand current issues related to my long-time profession in healthcare.
 
Steeped in tradition, most healthcare organizations find change very hard; couple that with numerous government mandates and it can be a recipe for confusion and information security disasters.   Due to the American Recovery and Reinvestment Act of 2009 (ARRA) and the Affordable Care Act of 2010, healthcare organizations are now mandated to implement electronic charting and health records and to demonstrate meaningful use.  The Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the ARRA, has created quite a flurry in hospitals as they strive to meet mandated milestones in addition to the ever-increasing rules, regulations, and penalties associated with any type of data breach.

I began discussing Apple’s new operating system and improved security options, but quickly realized that I would like to use this blog as an opportunity to discuss the measures being taken by healthcare organizations to protect patient data and the associated challenges. These measures consist of a variety of topics addressing everything from USB drive security to medical device vulnerabilities.  The following is a list of topics discussed and a small description of each:

1.     Apple’s iOS just became more secure- Apple announced a variety of security changes in the new operating system.
2.     HIPAA Omnibus Rule- Increased PHI Security Requirements- Stricter regulations surrounding vendors, sub-contractors, and consultants, and an organization's accountability related to patient data and privacy, became effective in March 2013.
3.     Data Breach Insurance in Demand- Given the costs associated with data breaches and HIPAA violations, hospitals are opting for insurance to offset the high costs.
4.     Medical Device Vulnerability Alert from DHS- Numerous medical devices were found to have password vulnerabilities.  Researchers are advocating for digital signature requirements to prevent hackers from tampering with devices.
5.     Improving Security for USB Drives- Healthcare organizations are encouraged to improve USB security through preventative measures such as encrypting USB devices and regularly scanning for malware in order to protect patient data.
6.     Office of the National Coordinator Released 2014 Priorities- The ONC released its security priorities, which include: identifying cyber-security threats, expanded technical assistance, working with NIST on patient identity management, and furthering privacy and security in future HITECH stages.
7.     BIG Data- Protecting Patient Privacy- Discovering correlations between treatments and medical conditions requires digging through data, but ensuring the information is de-identified is a priority.  Intermountain Health and Deloitte have teamed up to discover clinical nuances with Outcomes Miner, and have gone to great lengths to ensure patient data is protected.
8.     Scrutinizing Healthcare Data Encryption Options- Data encryption is coming to the forefront in healthcare organizations due to the penalties associated with HIPAA violations; therefore a variety of recommendations were discussed.
9.     Aligning Healthcare Management, staff to strengthen security- In order for healthcare organizations to properly organize security priorities, a number of issues must be addressed.


The articles referenced in this blog came from a variety of healthcare/IT/security resources such as “Healthcare IT News,” and “Healthcare Info Security,” and are just a few of the many available.  I believe using a plethora of references provided a wider array of topics and viewpoints surrounding healthcare.

I also believe this blog would be helpful to information security officers in healthcare organizations.  While not all encompassing, this blog could be used as a reference point to learn more about the variety of resources available and the number of issues facing all healthcare organizations. 

For those students embarking on this journey in the future, I would recommend finding a theme they're interested in and expounding on it weekly.  A previous Professor offered some advice at the end of his class “Read as much as you can about current events in your profession and you’ll be propelled to the front of the pack.”  I’ve never forgotten this and have found it to be true.  Writing this blog has been an enjoyable experience that has provided me the opportunity to learn much more than I anticipated.  Thanks for the push to do something outside of my comfort zone!

Tuesday, July 30, 2013

Aligning healthcare management, staff to strengthen security


Technology is an important piece of the puzzle in healthcare organizations, but proper funding, people, management buy-in and process are equally important pieces.  Unfortunately, funding can be a significant challenge for many organizations.  The third annual Benchmark Study on Patient Privacy & Security by the Ponemon Institute, which was released in December 2012, showed that only 27% of those surveyed reported sufficient resources, while 34% felt they had a sufficient security budget.

In order for healthcare organizations to properly organize their security priorities, buy-in from the most senior executives must be obtained.  This can be accomplished by conducting quarterly meetings with the C-suite to review changes, breaches and the short/long term goals of the security team.  Arming executives with this information will raise awareness and help to garner their support.  Vendors can also be of assistance by providing the current state of the industry, thus offering executives the opportunity to understand where their organization ranks among current security trends.

Staffing is also extremely important, as an overworked department lessens the likelihood of a breach being discovered early on.  Given the sophistication of most hackers and internal threats, it’s suggested that healthcare organizations should have employees whose main duty is to identify threats.  Moreover, the security administrators and all IT personnel should possess the skills to identify malicious behavior in addition to understanding how to deal with such incidents.  If internal employees are not skilled enough, the organization might need to consider outsourcing.

Utilizing these best practices with good business processes, and including other departments such as human resources or the legal department, will result in an organization prepared to protect its data and prevent data loss.  This approach will definitely help to reduce or eliminate the impact felt by all organizations that will inevitably experience a breach.

I could not agree more with this article.  As the author stated, “Healthcare decision makers often do not understand the value of investing in IT security, and no one will ever thank a security administrator for not getting breached.”  Engaging executives and any other key stakeholders in an awareness campaign will certainly result in positive outcomes.  Important decisions cannot be made if leaders are not aware that they need to be made.  Moreover, lack of funding and staffing will inevitably result if leadership is not engaged.  Therefore, the key takeaway from this article is “Awareness!”


Article Referenced:



Tuesday, July 23, 2013

Scrutinizing Healthcare Data Encryption Options


Data encryption is coming to the forefront in healthcare organizations due to the increased penalties associated with HIPAA violations.  Unfortunately, most hospitals are considered to be fairly outdated both in their encryption practices and in their understanding of the present options.

A recent article in Wired listed 9 Biggest Data Encryption Myths Busted.  A few of those are believed to be relevant to healthcare.

1.     Encrypt regardless of compliance reasons- The Office for Civil Rights recommends encrypting, but it has yet to be mandated.
2.     Pair inexpensive encryption tools with knowledge of your organization- The size of the organization shouldn’t matter.  Both small and large should be encrypting all data.
3.     Cloud encryption key management has come a long way- With a business associate agreement (BAA), organizations shouldn’t have an issue with a vendor managing the key. 
4.     Encryption can be a big part of healthcare big data security

John Christly, CISO of Nova Southeastern University, has expressed concern that HIPAA defines encryption only as addressable and not as required, as other elements are.  Therefore, many organizations will wait until it’s required; even more troubling is that many do not know where their data is coming from or what it is.

Finally, while encryption is needed, organizations must be careful when doing so, as important data could be lost if not performed correctly.  Moreover, costs associated with the technology and education can be high, but given the risks, it’s important to ensure it is performed properly. 

Just a few weeks back I discussed USB security and how some hospitals are encrypting them as a precautionary measure.  I believe that many hospitals are waiting to begin encrypting anything else due to the potential for numerous issues, but especially due to the fear of losing important data in the process.  In my opinion, hospitals should be encrypting all data, as the possibility of hefty fines and patient harm resulting from a data breach could be much greater than any other risk associated with encrypting.   As a patient, I would be relieved to know that my data is being treated as carefully and safely as possible.

Article referenced:
Ouellette, Patrick.  (May 31, 2013).  Scrutinizing healthcare data encryption options. HealthIT Security.  Found on July 22, 2013.  Retrieved from
http://healthitsecurity.com/2013/05/31/scrutinizing-healthcare-data-encryption-options/


Wednesday, July 17, 2013

Big Data: Protecting Patient Privacy



Intermountain Healthcare, Deloitte Develop New Analysis Tool
Discovering important correlations between treatments and medical conditions requires a lot of digging and analysis.  Protecting patient privacy can be a challenge during this process, but Intermountain Health and Deloitte have developed a big data analytical tool called OutcomesMiner, which Intermountain Health is using in conjunction with the electronic health record (EHR) repository to identify “clinical nuances.”  Asthma is a condition Intermountain plans to study to determine which medications provide the best clinical outcome.
To protect patient privacy, Intermountain has patient data “curated, cleansed and de-identified” twice to ensure compliance with HIPAA privacy laws.  They’ve even hired professional statisticians to ensure data is completely de-identified. 
De-identification of data is something that Deloitte is accustomed to performing and plans to help other organizations who wish to utilize the OutcomesMiner analytical tool.
I believe this is a great tool that has the potential to change patient care on many different levels.  More importantly, if a correlation is discovered, organizations will be able to notify patients and offer the opportunity to participate in further studies if needed.  The fact that both Deloitte and Intermountain are so attuned to ensuring patient privacy and HIPAA regulations will also be a large selling point for many different types of healthcare organizations.  However, the biggest challenge they may face is understanding local and industry requirements for de-identifying and cleansing patient data.  If they are as good as they say they are, this shouldn’t be a challenge!
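The de-identification step the article describes (data "curated, cleansed and de-identified" twice before analysis) follows the pattern of the HIPAA Safe Harbor method: strip the direct identifiers, reduce dates to years, generalize ZIP codes to three digits, and aggregate ages over 89. The example below is added here to illustrate that pattern and is not Intermountain's, Deloitte's or OutcomesMiner's code. The patient record, the restricted ZIP-prefix set and the field names are constructed for the example; in particular `RESTRICTED_ZIP3` is a placeholder, not the real Census-derived list. The second pass (`find_residual_identifiers`) stands in for the "de-identified twice" check, scanning what remains for identifier patterns that leaked through, such as phone numbers inside free-text notes.

```python
"""Safe Harbor style de-identification of a constructed patient record.

Hypothetical example; field names, sample record and RESTRICTED_ZIP3 are
assumptions made for illustration, not taken from any real system.
"""
import re
from datetime import date

# Fields removed outright (a constructed subset of the Safe Harbor identifiers).
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email", "street"}

# Three-digit ZIP prefixes that must be reported as "000" because the area is
# too small to be safe. PLACEHOLDER values, not the real list.
RESTRICTED_ZIP3 = {"036", "059"}

# Identifier patterns that tend to hide in free text. The same patterns drive
# both the scrubbing pass and the residual check, so the two cannot disagree.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def generalize_zip(zip_code):
    """Keep only the first three digits; restricted prefixes become 000."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def generalize_date(iso_date):
    """All date elements except the year are removed."""
    return str(date.fromisoformat(iso_date).year)


def age_from_dob(dob, as_of):
    """Age in years; ages of 90 and over are aggregated into '90+'."""
    d, a = date.fromisoformat(dob), date.fromisoformat(as_of)
    years = a.year - d.year - ((a.month, a.day) < (d.month, d.day))
    return "90+" if years >= 90 else years


def scrub_text(text):
    """Replace identifier patterns in free text; full dates are cut to the year."""
    text = PATTERNS["ssn"].sub("[SSN]", text)
    text = PATTERNS["phone"].sub("[PHONE]", text)
    text = PATTERNS["email"].sub("[EMAIL]", text)
    return PATTERNS["full_date"].sub(lambda m: m.group(0)[:4], text)


def deidentify(record, as_of):
    """First pass: drop direct identifiers and generalize quasi-identifiers."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # removed entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            out["age"] = age_from_dob(value, as_of)
        elif key in ("admit_date", "discharge_date"):
            out[key.replace("_date", "_year")] = generalize_date(value)
        else:
            out[key] = value
    if "notes" in out:
        out["notes"] = scrub_text(out["notes"])
    return out


def find_residual_identifiers(record):
    """Second pass: list anything that still looks like an identifier."""
    hits = [key for key in record if key in DIRECT_IDENTIFIERS]
    for key, value in record.items():
        if isinstance(value, str):
            for name, pattern in PATTERNS.items():
                if pattern.search(value):
                    hits.append(f"{key}:{name}")
    return hits


# Constructed sample record; every value is made up for this example.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-00012345",
    "dob": "1920-03-15",
    "zip": "84101-1234",
    "admit_date": "2013-06-02",
    "discharge_date": "2013-06-05",
    "diagnosis": "asthma",
    "medication": "albuterol",
    "notes": "Call 801-555-0123 or jane@example.org before 2013-06-10 follow-up.",
}
AS_OF = "2013-07-17"

if __name__ == "__main__":
    clean = deidentify(SAMPLE_RECORD, AS_OF)
    print("before:", find_residual_identifiers(SAMPLE_RECORD))
    print("after:", clean, find_residual_identifiers(clean))
```

Running the block on the constructed record yields an age of "90+", a ZIP of "841", admission and discharge years only, and notes with the phone number, e-mail address and follow-up date scrubbed; the residual check on the original record flags the name, MRN, dates and the notes, while on the cleaned record it returns an empty list. Safe Harbor removes the listed identifiers but does not guarantee that the remaining fields cannot be linked to a person, which is why the article's statisticians (the Expert Determination route) are the stronger assurance.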

Article Referenced:
Kolbasuk McGee, Marianne.  (July 2, 2013).  Big Data: Protecting Patient Privacy.  HealthcareInfoSecurity.com.  Found on July 7, 2013.  Retrieved from http://www.healthcareinfosecurity.com/big-data-protecting-patient-privacy-a-5880

Monday, July 8, 2013

Office of the National Coordinator Released 2014 Priorities




The Office of the National Coordinator (ONC) for Health IT recently released a list of its privacy and security priorities for fiscal year 2014, which starts on October 1, 2013.

For those wondering, the ONC is a division of the Department of Health and Human Services and is headed by Farzad Mostashari, MD.  ONC duties include:

1.     Administer programs to guide healthcare providers as they “meaningfully use” certified electronic health record (EHR) technology under the HITECH Act EHR incentive program.
2.     Develop standards and technologies that will facilitate interoperability and secure health information exchange (HIE).

The ONC’s 2014 agenda includes:

1.     Identify and address cybersecurity threats
2.     Provide technical assistance in:
A.   Security program management.
B.    Risk management
C.    Access management
D.   Integrity management
E.    Audit management
F.    Incident management
G.   Continuity management
H.   Chains of trust controls
I.      Workforce management
J.     Media management.

3.     Work with the National Institute of Standards and Technology (NIST) and others to develop frameworks that provide a foundation for patient and provider identity management, which will ensure clinical information is associated with the correct patient and/or provider.

4.     Continue to further privacy and security in future stages of the HITECH Act.

Has the ONC chosen the right privacy and security priorities?

I believe they have chosen the appropriate priorities for security management.  My suggestion would be for the ONC to also concentrate on interoperability issues.  The number of proprietary systems in existence creates significant challenges for organizations attempting to comply with “meaningful use” initiatives.  Furthermore, critical access hospitals are struggling with just meeting mandated milestones, thus leaving security initiatives as a last priority.

Article Referenced:
Kolbasuk McGee, Marianne.  ONC’s New Privacy, Security Priorities: Office of the National Coordinator for Health IT Outlines Goals.  Safe and Sound.  Found on July 5, 2013.  Retrieved from