With security breaches dominating news headlines daily, those responsible for securing our systems, networks, and devices are struggling to keep pace with the evolving threat landscape. Perhaps the most concerning breaches involve the healthcare industry, where we entrust our most personal information—social security number, birth date, medical history—as well as our immediate family members’ sensitive information to medical care providers. Further, medical devices rely on secure IT networks to function properly and deliver continuous, critical care to patients with heart conditions, diabetes, and other ailments. In the event of a security breach, the malfunction of such devices could have potentially life-threatening consequences.
So what can we do to create a more secure environment for protected health information and equip healthcare IT staff with the security skills they need to fulfill this task?
First, we must start with a level of awareness. Calling attention to the alarming number of data breaches in today’s healthcare industry certainly helps the cause. According to Redspin’s Breach Report 2013 – Protected Health Information (PHI), the number of PHI breaches was up 138 percent from 2012, with 199 incidents reported to the U.S. Department of Health and Human Services (HHS), impacting over 7 million patient records. HHS even has a “wall of shame” webpage for the world to see, listing U.S. healthcare organizations that have had a security breach of protected health information affecting more than 500 individuals.
Part of the problem with security awareness lies in current processes, which don’t take into account how to mitigate fraud or medical identity theft. “If a patient’s healthcare record is compromised by someone who stole the identity to receive care and consequently had false information entered into that patient’s electronic health record, there’s no process in place that allows medical providers to go in and fix the record because it’s considered a legal document,” said Lisa Gallagher, BSEE, CISM, CPHIMS, vice president, Technology Services, HIMSS. “Right now, we’re still at the awareness level for security and part of what we’re trying to do at HIMSS is to help hospitals and other healthcare organizations recognize when an instance of medical identity theft has occurred so they can improve processes to protect patients.”
Medical records are more susceptible to identity theft because the online systems for medical records and the networks on which they operate are not as locked down and sophisticated as those in other industries. According to the recently released HIMSS 2013 Security Survey, only 52 percent of hospital-based respondents reported that they had a CSO, CISO, or other full-time leader in charge of the security of patient data. The survey also found that in the past 12 months, 19 percent of respondents had reported a security breach and 12 percent of organizations had at least one known case of medical identity theft reported by a patient.
While these stats may seem alarming, we must also realize that healthcare is one of the last industries to move data from paper to online systems. Many physicians still use paper records for their patients. And others are only beginning the process of transitioning patient records to digital systems.
When it comes to educating healthcare IT staff, they need the resources, experience, and continuous drive to ensure they possess the latest knowledge and skills required to secure protected health information. (ISC)2 recently introduced the HealthCare Information Security and Privacy Practitioner (HCISPP) credential to educate and certify those responsible for securing protected health information. HCISPP is designed to provide healthcare employers and those in the industry with validation that a healthcare security and privacy practitioner has the core knowledge and expertise required by the industry to address its specific security concerns.
At the HIMSS Conference this past week, a number of attendees were drawn to the (ISC)2 booth, stating that a credential like the HCISPP is critical to developing a qualified workforce to protect the healthcare industry. Many also stressed the lack of security, even at the basic awareness level, in their organizations.
Let’s face it, making security a priority for the healthcare industry won’t happen overnight. It will require a concerted effort that begins with security awareness, followed by education and training of healthcare IT staff, and finally adoption and acceptance from the healthcare industry to create a secure digital environment for protected health information.