We strive for compliance but fail at security?

Healthcare IT and Cyber Intrusion

Aaron Schwartz
Digital Health

--

The Internet and other information technologies have been plagued with security concerns since their inception. Those of us working in the health IT field have watched more advanced technologies expand further into our domain. As they have, our apprehensions over data security have grown with them. These concerns have been validated numerous times; costly and pervasive data breaches have led many IT professionals to believe that the healthcare industry is vastly unprepared to handle the current cyber threat level.

These individuals might be correct. Even in the age of standards and compliance, we are still far from feeling secure and confident. HIPAA standards have been effective in establishing basic procedures for protection from cyber threats; however, they are in no way rigorous. As the frequency and seriousness of cyber attacks continue to grow, our preventative compliance measures must be adapted to address the changing digital conditions.

I urge you to read and reread this declassified FBI private industry notification (PIN) specifically directed toward healthcare, healthcare IT, and medical device organizations. Whether you are a healthcare IT professional or a patient worried about personal health information, you should be aware of the current risks to patient health information:

Published by the FBI April 8th, 2014

I was made aware of this document at a Healthcare Information and Management Systems Society (HIMSS) conference. The virtual event, which I attended from the comfort of my living room sofa, focused on accelerating the pace of health IT transformation and innovation.

I found security and compliance to be the central issues at the conference. Jeff Bell, a member of the HIMSS committee on Privacy and Security, led the discussion on security and generated some staggering figures by surveying the audience.

The first question asked how many individuals were aware of the FBI PIN document before the conference. I was shocked when the poll results were revealed; 86% of those respondents attending a health information management conference were unaware of the extent of the federal government’s concern regarding health data security.

This highlights the fact that much of the healthcare industry remains oblivious to the growth of real world cyber threats to protected health information. Even more worrisome was the next question posed to attendees: how many of you will go on to inform your organization’s leadership? 55% of respondents said they would; however, 9% said they would not and 36% were unsure. Given the seriousness of data security, this trepidation seems imprudent, if not irresponsible.

Multiple studies have released information regarding the prevalence of data breaches in the healthcare industry. According to a report published by Ponemon, an independent research institution for privacy and data protection, 90% of healthcare organizations have had at least one data breach in the last two years and 38% have had more than five. Each breach has an average financial cost of two million dollars per organization, a figure contributing to the inordinate cost of healthcare in the U.S.

Though not quite as extreme, the FBI also supports these notions with the following statistic: 63% of organizations experienced a breach in the last two years with an average cost of 2.4 million dollars per case.

Image from Kaiser Health News

It can be difficult to understand the relative seriousness of stolen health information when compared to more common forms of identity theft. While a credit card or Social Security number can be used to commit financial crimes, stolen EHRs or other identifiable data types can allow criminals to file fraudulent insurance claims, obtain prescription medication, and advance identity theft beyond financial territory.

In fact, a partial EHR has fifty times the value of a credit card or Social Security number on the black market.

Protected health information is valued so highly that attempted cyber intrusions into health systems have increased 100%, according to the annual report on Patient Privacy and Data Security by Ponemon. These attacks often originate from seemingly harmless devices: fax machines, flash drives, imaging equipment, etc.

All these details sum to show how woefully unprepared the healthcare community is for the increased level of threat to patient health information. Even with all of our mandatory compliance training, auditing procedures, and general preventative measures, we continue to strive for compliance but fail at security.

--

Aaron recently graduated from Marlboro College and co-founded Mountain Labs. His masked alter ego is an accomplished winter sportsman, photographer, and explorer.