Information Security in the Healthcare Industry

25 04 2012

In not too distant past, information security was considered a “good to have” feature instead of a “must have” feature by almost everyone involved in the IT sector.  Over the years however, this notion has changed considerably for most sectors of the IT industry like banking, e-commerce, and both Federal and State governments and many more.  These entities have become increasingly aware of the long – term impact of security breaches in terms of company reputation, lost customer base, shareholder prices and most importantly, there is a consciousness of a dollar figure attached to the security breaches. Most of the IT companies in these sectors have realized that security threats are real and that the IT systems need to be strategically secured instead of implementing security as a reaction to an actual violation.

As the US Healthcare industry is becoming more digitized, it is also undergoing the same transition due to a realization of the importance of security.  When President Obama began his term in the White House, he along with the U.S. Senate passed an $838 billion stimulus bill in February 2009.  This bill apart from rebuilding American infrastructure like railroads, highways and bridges also enabled the digitization of medical records. Healthcare organizations began computerizing their medical records, in order to take advantage of the financial incentives which the government was offering [1] . In a rush to do this on Uncle Sam’s dime security often languished on the back burner.  These lagging security investments have left medical records more susceptible than ever to accidental or intentional disclosure, loss, or theft. What were once isolated records in paper files rapidly became electronic health data on millions of individuals that could be transmitted in seconds. According to a report prepared by Identity Theft Prevention and Identity Management Standards Panel (IDSP) of the American National Standards Institute (ANSI), in partnership with The Santa Fe Group/Shared Assessments Program Healthcare Working Group and the Internet Security Alliance (ISA), there were nearly 39.5 million electronic health records breached between 2005 and 2008 [2].  To provide a more recent figure, Ponemon Institute surveyed 72 organizations in November 2011 and found that 96% of respondents reported at least one data breach within the past 24 months [2].  Healthcare systems have caught the eyes and become a lucrative target for hackers because they seems to offer a greater return on investment for hackers due to the high price for which medical records sell when compared to financial records [2] and yet according to a survey conducted in 2011 by HIMMS [3] , 35% of respondents in the medical industry acknowledged spending not more than 3% of the total IT budget on information security. However, the respondents also admitted that there has been an increase in the security budget over the past year as a result of federal initiatives and security attacks.

The health care industry is particularly susceptible to data fraud and medical identity theft due to the sensitivity of the data it creates, collects and stores such as PII data, payment information, medical history of patients [3].  This information can enable criminals to file fraudulent claims that often go undetected for long periods of time [3] . One of the key areas where the industry specifically lacks in security is something as basic as encryption of devices used by employees because laptops have been the number one source of location of breached information [4]. For example, on September 20, 2010, a computer flash drive containing the names, addresses, social security numbers (SSNs), and protected health information (PHI) of 280,000 Medicaid members was stolen from the corporate offices of a health plan company [4]. It is even more surprising to know that the second highest source of breached information happens with paper records and this proves that the industry often lacks behind in the implementation of basic security measures [4].   To be fair, hospitals are often concerned about malpractice cases and in order to be safe on that front all patients are required to wear arms tags with names, DOB, insurance info and other data.  Medical procedures as mundane as feeding a medicine does not happen until a patient or an escort first positively identifies the patient and the nurses often are required to match that data numerous times on computer carts which are often left unsecured in the hallways when they are not in use.

Finally, most of such untoward happenings can be greatly reduced if sound security principles are adopted throughout the healthcare industry.  The government is doing its part by introducing legislation which allows punitive damages in case avoidable situations result in data being compromised.  But like most other businesses, the culprits are often a step ahead of the law.  As authorities are busy catching up, new avenues are being discovered which could results in devastation or in case of healthcare even death.  According to a recent Boston Globe article, computer scientists and Boston cardiologists have warned that it may be possible to hack medical devices like pacemakers which are implanted in the bodies of the patients [5].  Even devices used to monitor the health of patients remotely may be susceptible to security attacks [5]. Although no such occurrences have been reported so far, manufacturers of medical equipment like pacemakers are working hard to ensure things remain that way.  However, such proactive behavior as the one shown by these manufacturers is rather rare in this field where sadly most of the efforts are being directed towards the proverbial firefighting efforts instead of fire prevention efforts.  The patients and government on the other hand must also do their part in order to safeguard personal and taxpayer funds. For public safety a certain level of trust is essential between care seekers and care providers and implementing sound security measures will go a long way in building this trust.

______________

[1] Rick Kam; Jeremy Henley, “Healthcare Data Breaches: Handle with Care,” 20 March 2012. [Online]. Available: http://www.propertycasualty360.com/2012/03/20/healthcare-data-breaches-handle-with-care. [Accessed 25 March 2012].
[2] T. Olavsrud, “www.cio.com,” CIO, 06 03 2012. [Online]. Available: http://www.cio.com/article/701492/Healthcare_Industry_CIOs_CSOs_Must_Improve_Security. [Accessed 20 03 2012].
[3] HIMSS, “4th Annual HIMSS Security Survey,” [Online]. Available: http://www.himss.org/content/files/2011_HIMSS_SecuritySurvey.pdf.
[4] Kekley, Paul D, “Privacy and Security in Health Care,” 2011. [Online]. Available: http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/Health%20Reform%20Issues%20Briefs/US_CHS_PrivacyandSecurityinHealthCare_022111.pdf. [Accessed 25 March 2012].
[5] E. Cooney, “Security of medical devices is a concern,” Boston Globe, 05 July 2010.
[6] “www.himss.org,” himss, [Online]. Available: http://www.himss.org/ASP/topics_FocusDynamic.asp?faid=280. [Accessed 20 03 2012].
[7] A. ZIMMERMAN and L. RADNOFSKY, “Doctors accused of big Medicare Scam,” The Wall Street Journal, 29 02 2012.

 

Advertisements

Actions

Information

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: