Health-care practices all over the United States are making the transition to electronic health records (EHRs). While EHRs deliver many benefits to physicians, nurses, staff and patients, they also open up health-care organizations to new threats — many of them virtual in nature.
Data security breaches are becoming increasingly common, as malicious individuals and groups are seeking patient information. Earlier this year, hackers from eastern Europe were able to break into servers at the Utah Department of Health to steal social security numbers and other personal and medical information from 780,000 people. The breach was ultimately blamed on a weak password.
In Washington, D.C., Howard University Hospital in the spring suffered from not one breach, but two. First, a laptop containing patient information — including social security numbers — was stolen from a hospital contractor’s car, putting more than 34,000 patients at risk. Then, a hospital employee was accused of stealing patients’ names, addresses and Medicare identification numbers to sell.
The Utah Department of Health and Howard University are just two examples of data breaches this year, but this is happening more often than many people know, and in cities all over the country. The truth is that medical records are valued higher on the black market than credit card numbers, and health-care organizations need to take the proper precautions to protect against these threats when they design their networks.
When keeping electronic health records for patients, care must be taken to consider a few compliance standards to which every health-care organization is held.
Provisions of the Health Insurance Portability and Accountability Act (HIPAA) set standards for the security and privacy of health records. The HITECH Act broadens the privacy and security protections set forth under HIPAA by increasing the penalties for non-compliance, thus further enforcing HIPAA rules. And PCI Compliance — the Payment Card Industry Data Security Standard — is relevant to the processing of credit-card payments. Under this standard, all merchants, including health-care organizations, are required to handle credit-card data within a secure environment. Failure to maintain data compliance under these three standards can result in fines of up to $1.5 million.
The most common security challenges facing health-care organization networks are managing mobile devices, securing embedded devices and understanding the human factor associated with the EHR transition.
All industries are reacting to the explosive growth of mobile devices. In health-care organizations, this growth, together with the effort required to protect every one of those devices, can put personal data at risk of malware infection. Managing embedded devices, such as X-ray machines, is also a challenge: they require VPN connectivity to vendors for maintenance, yet they can expose patient data if that access is not properly protected.
There can also be trouble associated with moving too quickly from paper to electronic records. Although the transition is required, many employees simply aren’t accustomed to thinking about information security.
Finally, malware propagation enabled by a lack of network access control, conservative acceptable-use policies, intrusion prevention and network security monitoring results in stolen patient information, and every one of these gaps can be closed.
When protecting sensitive data at health-care organizations, there is a role for everyone. Following these steps will help keep networks secure and patient information safe:
Set network access controls
Health-care providers that allow mobile devices to be used in the professional setting must apply stringent network access controls to those devices. Such controls include VPN connectivity and endpoint protection, which requires each computing device on a network to comply with certain standards before network access is granted.
Use zoning to reduce potential issues
Network administrators should work with security engineers to grant embedded devices the absolute minimum access, on a needs basis. For example, if a vendor needs access to an X-ray machine for regular maintenance, that machine should be placed in a zone established for device access of that type, then made the sole member of a VPN that is remotely accessible only by the vendor.
Educate everyone on security
From the top down, security must be positioned and reinforced regularly as a priority. Consistent education around patient records, examples of breaches and how they are carried out, training on the everyday activities that threaten security, training on reducing the potential for social engineering, and careful design of electronic records storage and movement are key to protecting the transition from paper to the ether.
At the end of the day, it really boils down to malware. All of the other problems are symptoms of a malware encroachment. If mobile devices controlled by the organization, desktop devices, servers, devices with embedded access and anything else that is publicly facing aren’t adequately restricted from an access perspective, protected with leading technologies, scanned and cleaned regularly, and monitored with IDS/IPS technology, then nothing a business does will provide any protection.
As health-care organizations work toward the 2015 EHR deadline, they must take this change head on and begin preparing through an assessment of their network infrastructure, as well as the security solutions they have — or will have — in place.
Any upgrades or changes required need to be considered now, before it is too late.
Herman Thomas is director of sales in Lexington for Windstream, a provider of advanced communications and managed solutions.