Compliance Is Not Enough

Just because you are compliant with the regulations doesn’t mean that you are secure.

Many of the webinars I have written about in the past covered topics such as education and career development, which are areas I do find fascinating.  As always, I recommend anyone interested in these topics should check out the archived webcast pages at both the Association for Talent Development and Training Magazine for a great list of free webinars.  But today I decided to discuss a webinar that has a very different topic – Risk Management and Compliance in Health Care Organizations.

Health Care IT News also has an extensive collection of free upcoming and archived webinars for professional development, and this topic caught my eye.  This particular webinar was hosted by the Healthcare Information and Management Systems Society (known more broadly as HIMSS) and featured experts in health care security discussing the latest trends from Symantec’s Internet Security Threat Report, which was presented at the HIMSS 2015 Conference in Chicago.  Anyone who is paying even vague attention to the health care field knows that health care is radically changing, particularly in the adoption and use of technology-based programs for data collection.  Gone are the days when you would visit a doctor’s office and see vast amounts of movable shelving containing files and files of data on patients and their medical history.  Medical charts are now, for the most part, in electronic format as the last few stragglers either bring themselves up to date with Meaningful Use Stage 1 Criteria or close their doors.  As Meaningful Use Stage 2 approaches, data collection is going to increase exponentially as health care organizations begin granting patients access to their health care data through Patient Portals and the like.  At the same time, mobile healthcare devices are exploding, and many of those devices are either being used directly by health care organizations or are capable of integrating their data with that of your health care provider.

Not only does the acquisition and collection of this data represent privacy and security challenges, its presence makes health care an attractive target for hackers or for those seeking to exploit the data for financial gain.  Some key findings from the Security Threat Report include:

  • There has been a 25% increase in the number of data breaches in the health care sector.  This is a full 2% higher than any other industry, meaning that data breaches are rising faster in health care than in any other industry, including the retail or financial/banking industries.
  • In 2014, 11.4 Million people in the US were affected by health care data breaches.  Notification costs for those breaches alone were estimated at $2.3 Billion.
  • 1.85 Million Americans had their medical identities stolen in 2012, which can have fatal effects on the victim.  When medical identities are stolen, it is often done to obtain treatment or payment for treatment through your health insurance, which results in inaccurate diagnosis codes being added to your health care record.  This can lead to misdiagnosis, mistreatment, delays in treatment and pharmaceutical errors the next time you visit the doctor.
  • Cybersecurity firm Dell SecureWorks reported that cyber criminals are willing to pay $2 or less for a credit card number.  This is mainly because it is easy to cancel a credit card and your liability for fraudulent charges is fairly small thanks to credit card and financial industry regulations, meaning there is a very limited amount of time that number could be used for nefarious purposes.  But cyber criminals were willing to pay $20 for health insurance credentials, precisely because it is NOT easy to change your health insurance, and thus the length of time they can use the information fraudulently is far longer.

It is clear that security is a pressing issue, and will continue to be a big issue well into the future.  One of the major themes of this webinar was something that the financial services sector learned long ago…compliance is not enough.  Just because you are compliant with the regulations doesn’t mean that you are secure, simply because the regulations are reactive.  They cannot and do not anticipate attacks or vulnerabilities; they are updated only after these attacks occur.  Those of us working in the financial sector learned that lesson long ago; it seems that the health care sector is only now beginning to grapple with this issue.  This is where leveraging talent from other industries, particularly retail or financial services, can be a huge benefit for health care systems.  But the sector’s willingness as a whole to do this seems to be a bit fragmented at the moment, suffering from the I-don’t-trust-anyone-but-us mentality that is a typical initial response in businesses or industries undergoing significant changes.  I am of the opinion that this type of response, while understandable, is a grave mistake.

A second major theme of the webinar I found interesting was the relationship of governance to the questions surrounding security.  The presenters brought up on multiple occasions that the issues surrounding security go beyond the IT Department, despite most facilities’ desire to say that security issues are the sole responsibility of IT.  You only need to know one statistic among many from the webinar to see how flawed that way of thinking is:

44% of healthcare breaches in 2014 were due to lost or stolen devices. –  Symantec Internet Security Threat Report 20

Take a moment to think about that.  Just shy of half of the data breaches which occurred in the healthcare sector were the result not of hackers attacking your systems from outside, but from staff losing a flash drive with medical data or leaving their computers or other mobile devices in a public place where they were either forgotten or stolen.

It’s true that there are some things the IT department can do in situations like this.  For example, installing a Mobile Device Management system on all mobile devices, which allows them to be remotely wiped the instant they are reported lost or stolen, or making sure that all devices are encrypted so that the data cannot be easily accessed by those who are not authorized to do so.  But readers will note that these solutions are also reactive in nature; they are only activated or useful after a device goes missing.  That does not mean they shouldn’t be done; it just means that they do nothing to address the root of the problem.

To get to the root of the problem, you need to address the human factor.  Staff need to be trained in basic security procedures, such as not leaving devices in areas where they can be readily stolen (like the front seat of your car, even if it’s locked).  Additional procedures for equipment check-out might need to be implemented.  Policies relating to technology security and employee discipline may need to be crafted or revised.  The IT Department cannot do this alone; they must have the support and help of the governing body and management.  The concept of security needs to be re-framed so that everyone has a seat at the table, not just the IT Department.  After all, if there is a data breach, the entire facility suffers.  The presenters of the webinar recommended thinking about it this way:

Cybersecurity is a sub-component of information security, which is a sub-component of operational risk, which is a sub-component of enterprise risk in all industries.

I highly recommend this webinar for anyone working in healthcare IT (or anyone like myself seeking to transition into healthcare IT).  Not only did it provide excellent information, it also provided a number of good tips for helping to get buy-in from your C-Suite or Board of Directors for shifting to this new frame of mind on cybersecurity issues.  There is also an excellent free podcast on healthcare information technology called Healthcare Tech Talk which examines everything from telemedicine to system coding (hello ICD-10!) to healthcare cybersecurity.  Check out their website for the latest episodes or view the entire podcast archives from the iTunes Store.

  1. […] The results of the survey show that the biggest players are aware of the increasing frequency of data breaches, as well as their data pool’s potential to cause great harm when exploited or used fraudulently.  Those hospitals designated as Most Wired stated that they were using and/or improving intrusion detection systems, increasing their use of drills and other exercises to test policies and responses to data breaches, and had increased board or other governing body oversight of and participation in risk management.  These are all great things to hear, in light of the threats these institutions now face. […]


  2. […] discussed cybersecurity in the healthcare industry in several previous posts; for example in Compliance is Not Enough I discussed Symantec’s 2015 Internet Security Threat Report and how cybersecurity isn’t […]
