Are providers ripe for a massive medical records heist?
Every lost laptop, stolen smartphone and missing thumb drive containing health information confirms the dark reality of an industry disconcertingly tone deaf when it comes to data encryption and protection.
Many healthcare organizations have yet to institute security practices that financial services companies, for instance, put in place two decades ago — a fact that leaves them increasingly vulnerable to the large-scale data thievery that organized crime has perpetrated in other realms.
Take TJX, for instance. Criminals in South Florida drove around to the retail subsidiaries in 2005, located and cracked into poorly-protected Wi-Fi networks, burrowed deeper into the corporate IT systems to vacuum out some 46 million credit and debit card records and then, ultimately, sold those to Ukrainian organized criminals.
Are healthcare organizations headed for a similar heist?
“Absolutely possible,” said Scott Lundstrom, group vice president of IDC’s Health Insights unit, when asked point-blank about the potential.
Healthcare is not immune to hucksters, of course, as a variety of fraud and abuse practices are rampant. But most to date have been of a reasonably small scale. The kind of score that could be riding in on the wave of cutting-edge technologies is altogether different in damage and scope.
Consider two statistics from the Ponemon Institute’s latest field research on patient privacy and data security: More than half of healthcare organizations reported cases of medical identity theft among their patients, and 60 percent of healthcare organizations do not allocate enough resources to protect patient data.
“When we first started looking at this issue we noted that healthcare organizations didn’t really look at medical identity theft as their problem,” Ponemon Institute’s chairman Larry Ponemon said. “They saw it as the patient’s problem or a consumer issue.”
The historical prevalence of paper records, ironically enough, is perhaps chief among reasons that criminals have yet to pull off such a theft in healthcare.
It’s harder to steal millions of paper records than electronic ones. But that is already changing as more EHRs create a digitized health system where HIEs and health insurance exchanges are the norm, electronic health data is widely shared, and an increasing amount of it is stored in clouds and other central repositories, from where it can be accessed by a variety of mobile devices. Add to that the rocket-like proliferation of mobile devices, easily lost and frequently unencrypted.
All those factors are leading to a convergence point in which more avenues to reach centralized data sets exist. Yet, right now, even as breaches approach fever pitch, it’s an open question how tightly those systems will be secured and data encrypted.
“These are the big technology trends,” Ponemon continued, “and their impact on data protection is enormous.”
To be clear: The technology itself promises to bolster security in myriad ways — if healthcare IT shops use it properly, and that has been the problem.
“It’s not like we’re moving from a really secure world to one that’s fraught with danger,” said Micky Tripathi, CEO of the Massachusetts eHealth Collaborative (MAeHC), and a well-known data breach survivor. “Instead, we’re moving to a world that’s going to have different types of breaches in a variety of ways. We’re going to be better off overall because electronic systems are much safer than paper-based systems even though the types of risk are a little bit different.”
Astronomical street value
A lost or stolen laptop, in the meantime, can present a nightmare scenario.
The World Privacy Forum (WPF), as far back as 2007, valued a single health record at 50 times that of a financial record — and in 2012 the institute revisited that ratio only to determine it remains 50-1.
“Records that are stolen by individuals who know just what they want to do with them increasingly are connected with various types of organized crime,” said Pam Dixon, WPF executive director, “often with links to overseas crime rings.”
Clint Fuhrman, national director of government healthcare at risk management specialist LexisNexis, said that organized crime’s involvement with health data is something he sees “a lot of in urban settings. CMS has the coordination with the DOJ, FBI, and Inspector General, task forces in Miami, LA, Detroit, and other places,” Fuhrman explained. “A big part of that is to ferret out organized crime around health data. In these circles, you hear talk about certain eastern European enclaves, other groups.”
And it’s no wonder, given the strong street value and fact that many hospitals do not lock their proverbial doors by encrypting laptops, smartphones, and data on thumb drives or CDs.
“A healthcare record can be used for financial ID theft crimes, or a medical ID theft, or both. It provides a dossier of personal information so bad guys can do more like create passports, and visas, and because they have physical characteristics as well as information, it’s a big deal,” Ponemon continued.
And according to Arien Malec, vice president of strategy and marketing at RelayHealth, the healthcare industry is at a point now where millions of patient records can be lost, even though the remediation and the fixes are pretty simple.
“Encrypt your laptops, encrypt your backup drives,” Malec explained. “This is not rocket science security posture, this is standard state-of-the-art security circa 20 years ago.”
What’s more, several experts agreed there is a risk that when criminals discover that identities are highly accessible in the health IT world they will start aggressively targeting the realm, with an eye on easy monetization.
Will it get worse?
A Harris Interactive study found that some 60 percent of hospital and health system CIO respondents plan to adopt cloud computing applications or services, with the intent of using them for EHRs, HIEs or both.
Much of the activity around health information exchanges and health insurance exchanges tends toward describing what they’re trying to accomplish, and less on how they’ll securely grant access to that data, LexisNexis’ Fuhrman explained.
That evokes the analogy that moving to EHRs, creating HIEs and large-scale health data repositories is akin to building a large, fancy mansion, storing all your valuables within, but only putting padlocks on the front door.
Among HIEs, HIXs and providers, “remote access is becoming more prevalent, people are doing business via their cell phones, submitting applications online — and, quite frankly, federal regulations are pushing us more in that direction,” Fuhrman said. Likewise, health IT and security technologies for protecting health data are advancing — as are the criminals’ quivers.
“We’re working in a world today where the bad guys have fighter jets, they have drones, they have sophisticated satellite systems and the healthcare world has the rent-a-cop by the front door,” RelayHealth’s Malec said. “And there’s a set of known threats and vulnerabilities that the bad guys use.”
What will it take for hospitals to just encrypt data?
It may not be possible for health organizations to guard against every criminal or kind of attack, even those already known. But the consensus among the experts Government Health IT interviewed for this article, many more than the ones directly quoted, is that it’s time for healthcare organizations to “get their heads out of the sand,” acknowledge the potential for a massive problem and the long-range implications, then take the basic steps to protect against what is possible.
All of this is not to say that every provider’s doors are unlocked, of course. MAeHC CEO Tripathi said that because of the nature of healthcare data, top-tier providers such as Kaiser and Mayo have had a level of security diligence that might even be higher than other parts of the economy.
“I’ve got to think that the Mayos of the world have been thinking about security for a lot longer and in much deeper ways” than some retail outlets, Tripathi added. “As you move down the food chain [and look at smaller providers] security becomes more and more spotty.”
That highlights what IDC’s Lundstrom called “a significant delta between the haves and have-nots.” The haves are the “sufficiently advanced healthcare organizations” harnessing IT.
“They’ve moved data off the device, they’re running a virtual desktop and probably supporting that for all their interactions, a PC, a tablet, a smartphone. There’s another level of encryption, make sure the data is encrypted at rest and in motion. A third component is secure your datacenter and your operating environments from unauthorized access, both electronic and physical,” Lundstrom explained. “In a sophisticated healthcare organization they are well down the path of implementing these technologies.”
Alas, the landscape is peppered with mid-tier and smaller providers, some acquired by larger health systems into which they could feasibly serve as entry points — much the way hackers used poorly secured TJX retail outlets’ networks to worm into the corporate backbone.
“Community hospitals or physician practices, a lab or pharmacy, they won’t even understand what you’re telling them to do. And they have a huge volume of data,” Lundstrom continued. “We’ve provided a regulatory environment that a significant number of providers can’t reach, from either an economic or skills and sophistication perspective.”
Nick Combs, CTO of EMC Federal, points out that “all of the hospital systems have remote offices, there’s a lack of security in that environment.”
As the health IT trends of consolidation, cloud computing, and HIE reach into those health networks “cybersecurity is going to be so critical,” Combs added. “There will be information out there that shouldn’t be. This needs a lot more focus in our industry. I think it’s a big weakness.”
So, to protect against breach and theft, why aren’t all healthcare organizations taking the simple step of encrypting data?
The risks that healthcare providers run by not encrypting data may not become widely understood until the first targeted theft of medical records, which will inevitably bring serious ramifications in terms of people’s trust, according to LexisNexis’ Fuhrman. And it needn’t be in the tens of millions of records to be effective.
“Unlike in financial services, where people understand that credit card numbers get stolen, Social Security numbers get stolen, there’s a certain amount of risk for that type of access,” Fuhrman continued. “People are much more sensitive about healthcare information.”
Even smaller breaches, such as the one that led to Hospice of Northern Idaho’s HIPAA settlement in early January, have highlighted the security and patient privacy conundrum in healthcare, chipping away at providers’ ability to, as Larry Ponemon described earlier, shrug it off as the patient’s problem.
Indeed, a first substantial breach, be it of a public HIE or a private health system, will inevitably plant the issue squarely in the hands of providers. Several experts agreed that the possibility is something private and public healthcare CIOs should be planning today to avoid tomorrow.
“This fast and furious push for technology and the centralization of patient information is where we’re heading very quickly,” Ponemon said. “But how do we get there if we don’t have a high level of security and data protection activities?”