Few contest the notion that healthcare IT security needs to improve. The sensitivity (and black-market value) of patient data makes the industry a frequent target of thieves, while the age and usability of technology in many facilities makes healthcare professionals seek portability of data, paper or otherwise, with occasional unintended consequences.
Several recent reports shed some light on healthcare IT security, noting where the industry faces its biggest challenges and highlighting what it can do to better prevent data breaches. Admittedly, few of the findings are surprising, though the advice certainly can't hurt.
Reported Healthcare Breaches Abundant But Small
Verizon Enterprise Solutions' Data Breach Incident Report (DBIR), which examines data breach information from 50 global organizations, finds that 46 percent of healthcare data breaches are the result of loss or theft. Insider misuse (15 percent) and "miscellaneous errors" such as publishing errors or improper disposal (12 percent) round out the top three causes.
Across all industries, not just healthcare, loss is 15 times more likely than theft. The main challenge, the DBIR says, is mitigating the impact of lost devices. "That suggests simply having sensitive information 'behind locked doors' isn't enough; there are still a lot of people inside those locked doors," the report says, adding that, when it comes to thieves, 86 percent either disable or bypass controls to get behind those doors.
Backing up and locking down data will help, as will encouraging users to keep mobile devices on them at all times, but encryption represents the easiest way to thwart this challenge. In fact, the DBIR says, "Encryption is as close to a no-brainer solution as it gets for this incident pattern." It's easier said than done, though, since healthcare notoriously resists encryption.
Kevin Haley, director of Symantec Security Response — which recently issued its own 2014 Internet Security Threat Report — says healthcare may eschew device encryption due to concerns about viability, deployment, the need to update desktop software and the cost. On top of that, he says, measuring return on investment is difficult.
Symantec's report found that, of all reported breaches, 37 percent came from healthcare. Haley cautions against reading too much into that, though. HIPAA regulations require healthcare to report every breach involving more than 500 individuals, whereas "many industries are less forthcoming when a breach occurs," according to the Symantec report. "For instance, if a company has trade secrets compromised, which doesn't necessarily impact clients or customers directly, they may not be quite as forthcoming with the information."
[Related: 12 Tips to Prevent a Healthcare Data Breach]
In addition, while healthcare was responsible for 37 percent of all reported breaches, these incidents constituted only 1 percent of all identities exposed in 2013, which Symantec calls "The Year of the Mega-Breach" thanks to Target and others. "Clearly [healthcare is] experiencing a lot of breaches, but they are generally small in nature," Haley says.
Healthcare Must Stop Insider Misuse, 'Miscellaneous' Mistakes
Insider misuse of data — the second most common cause of healthcare data breaches, according to the Verizon DBIR — most often results from the abuse of privileged access to desktop computers, databases and servers. "Most insider misuse occurs within the boundaries of trust necessary to perform normal duties," the report says. "That's what makes it so difficult to prevent."
To prevent this from happening, healthcare organizations need to intimately know their data and who has access to it, the DBIR says. They need to watch for data exfiltration, regularly review user accounts and publish the results of any audits they conduct.
[ Analysis: Healthcare IT Security Is Difficult, But Not Impossible ]
Any employee accessing data that's not required of his or her job or department needs to be flagged, says Suzanne Widup, a senior analyst with Verizon Enterprise Solutions and DBIR author. "It's all about knowing who has access to sensitive data," she says. Better that you discover fraud and nip it in the bud, she adds, than to have patients learn the hard way that they're victims of fraud.
The third most common cause of data breaches is almost unique to healthcare and government — so much so that the Verizon DBIR categorizes it as "miscellaneous errors" — and is all too familiar to industry observers. Think paper records that aren't shredded, CD-ROMs that aren't destroyed, X-rays that are nabbed by opportunistic crooks who want the silver that's inside, and mass mailings where a single mistake means thousands receive the wrong record.
Here, again, the solution isn't difficult: Data loss prevention software to monitor email or USB drives, for example, or a policy that treats old hardware like hazardous waste that only IT can dispose of properly.
Cyberattacks, Point-of-Sale Vulnerabilities Still Matter
Though neither point-of-sale (POS) hacks nor cyberattacks rank among healthcare's top data breach causes, Verizon Enterprise Solutions and Symantec deem these respective vulnerabilities worthy of healthcare's attention.
Hospitals may use POS systems, for example, to collect copays or let cafeteria patrons pay for food. Many such systems are managed by third-parties; this makes them attractive to thieves, Widup says, as it gives them access to all of that vendor's customers.
[ Also: The Worst Data Breaches of 2014 … So Far ]
To keep POS systems safe, the Verizon DBIR report recommends restrictions on remote access, enforced password policies, robust antivirus software and limits on additional uses — that means no social media sites or games.
As for cyberattacks, Symantec points to several, including the "professionalization" of zero-day threats (23 reported in 2013, more than 2011 and 2012 combined), ransomware (500 percent more prevalent in 2013 than 2012) and, of course, website vulnerabilities such as Heartbleed, which Haley already expects to be a focal point of Symantec's 2014 report.
Across industries, 78 percent of websites had vulnerabilities. Haley says "One in eight [sites] had a very critical vulnerability that would make it trivial for a criminal to get on there and host malware." The overall industry response to Heartbleed was "great," he adds, but "website owners need to step it up to make sure their sites are safe."
To that end, the preliminary findings of the CyberRX exercise, led by the Health Information Trust Alliance and overseen by Booz Allen Hamilton, give healthcare organizations six recommendations for preventing cyberattacks. First and foremost: Participating in a cyberexercise will enhance preparation, no mature an entity's level of technical maturity.
Identify Data That's Most Critical and Guard It With Your Life
Along with the various security measures outlined above, healthcare organizations need to identify the data that's most critical to them and make sure their security and privacy policies place a priority on protecting that, Haley says.
Encryption, as noted, is a great place to start. As Haley sees it, a large number of breaches caused by lost and stolen devices could be prevented if laptops, mobile phones and thumb drives are encrypted. (Under the HIPAA Breach Notification Rule, encryption is one of several ways to render protected health information "unusable, unreadable, or indecipherable." The loss of such data does not constitute a data breach.)
Of course, device encryption would be less of a priority if those darn users wouldn't lose their stuff. However, as the Verizon DBIR report puts it, "If there's anything we know to be true about human nature, it's that losing things and stealing things seem to be inherent predispositions."
Plus, as Haley points out, users can serve as another line of defense against data breaches — provided that they undergo extensive security training and aren't simply handed "a bunch of rules they need to follow."
As Widup puts is: "We'd love to see change. We'd love to see this get better."
Brian Eastwood is a senior editor for CIO.com. He primarily covers healthcare IT. You can reach him on Twitter @Brian_Eastwood or via email. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn.