For every breathless account of how technology is revolutionizing the healthcare industry, there is a cautionary tale.
A health IT system – with the promise of streamlined processes, effortless patient access to information, and the power to manage care with data-driven treatment – is still in its nascent stages. Yet even with this initial adoption of new technologies, systems are becoming increasingly vulnerable to hacking, identity theft, malware and other security threats.
In its annual report on patient privacy and data security, the Ponemon Institute recently warned that threats to healthcare organizations – complicated by employee mistakes, negligence and new technologies – have become harder to manage. Among the 80 healthcare organizations studied, 94 percent suffered at least one data breach in the past two years, according to the December report.
Ken Bradberry, chief technology officer at Xerox Healthcare Provider Solutions, told HealthBiz Decoded that his top security concern is protecting patient data – especially in electronic medical records and on mobile devices.
Recent reports echo these concerns. A yearlong investigation by The Washington Post recently found that the healthcare industry is among the most susceptible to security attacks. The number of attempted intrusions is relatively small compared with those seen in financial services. Yet because hospitals and providers often lack even very basic protection, they may be at greater risk than institutions that have faced comparable risks for years.
Breaches, Bradberry says, are often the result of misconfigured portals, wrong firewalls or improper content management.
The High Cost of Healthcare Data Breaches
Data security breaches could be costing the U.S. healthcare industry $7 billion a year, according to Ponemon, and more than half of the organizations in the study had little or no confidence they could protect their data. For example, last March, the Utah Department of Health announced that hackers had breached its server and “multi-layered security system,” gaining access to information in 24,000 Medicaid claims. The data stored on the department’s server included patient names, addresses, birth dates and Social Security numbers – opening the door to identity theft.
“Overall, most organizations surveyed say they have insufficient resources to prevent and detect data breaches,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute, in a statement.
The Promise and Peril of Medical Devices
Medical devices and their increasing sophistication represent a new front in the battle against hackers. The Department of Homeland Security issued a bulletin last May outlining how the portability and remote connectivity of medical devices create new risks for healthcare systems and give hackers an opportunity to penetrate the network in pursuit of valuable data. Security professionals and experts have done their own hacking experiments, with diabetic Jerome Radcliffe notably discovering how to remotely tamper with his own insulin pump. While no known hacking incidents have occurred, according to the Food and Drug Administration, the U.S. Government Accountability Office urged the agency in August to develop a plan to focus on security risks in medical devices.
Medical devices aren’t the only type of medical equipment vulnerable to tampering and viruses. Any piece of hospital infrastructure controlled by software and connected to an internal network or the Internet can be infected or tampered with. In 2011, for example, SecurityNewsDaily reported that a Georgia hospital system had to divert ambulances and shut down for three days after malware was found on its network.
To Err is Human
Technical or human error also plays a large role in creating vulnerabilities to malware and viruses, with only a third of hospitals in Ponemon’s study suffering a targeted attack. Bugs can find their way into a hospital’s IT system when staff members use corrupted memory drives on work equipment or connect a personal computer or device to the network.
The rapid adoption of these advancing technologies is putting patient data and safety increasingly at risk. Many providers look favorably on the convenience of mobile technology in the healthcare setting, with a recent HIMSS Analytics survey of health IT professionals showing three-quarters of respondents planned to expand use of such devices. Mobile technology use has increased so quickly that some providers are improvising – and possibly putting patient information at risk when accessing it from unsecure phones and tablets. A recent survey of more than 100 nurses conducted by Spyglass Consulting Group found that 69 percent of respondents indicated their nursing colleagues used a personal smartphone for clinical communications.
Trust in Health IT at Stake
One of the biggest questions about the industry’s ability to deliver on the promise of healthcare IT is whether the integrity of the electronic health record can be safeguarded.
A secure electronic medical record is the cornerstone of a trustworthy health IT system, but providers and hospitals making the transition have been the victims of breaches. At Howard University Hospital in Washington, D.C., two high-profile incidents in which data was stolen or compromised made headlines last year. In January, the medical data of 34,000 patients was compromised when a contractor downloaded it to a personal laptop that was subsequently stolen. In an apparently unrelated case, prosecutors charged a hospital medical technician in May with selling patient information, including names, addresses and Medicare numbers.
With these data and security breaches happening across the industry, Bradberry says that what is at stake is provider – and public – trust in the security of healthcare technology. Yet meeting and exceeding those expectations is a complicated task.
“It’s the challenge of guaranteeing the delivery of records and orders and information in a timely fashion that meets the needs of the healthcare provider, but also [offers] a new advantage to that provider from an evidence-based medicine perspective,” said Bradberry.
To eliminate such vulnerabilities, Bradberry has directed his staff to not only identify potential security risks, but also to scan each application and drive to understand where its programs hold protected health information.