Patient identity theft proves costly

Hospitals can reduce risk by learning from the banking industry
By Ronen Kenig
12:00 AM

Nine out of 10 hospitals in the U.S. have suffered a data breach or network intrusion over the past two years, costing the healthcare industry an average of $7 billion annually, according to a Ponemon Study. With more than 870,000 medical records exposed in just the first quarter of 2013, medical data breaches have become a source of bad publicity with serious fines possible for healthcare organizations.

Most of this data loss is due to devices such as laptops and USB sticks being stolen or lost. One incident alone, by an Alere Home Monitoring employee, resulted in the theft of a stolen laptop exposing the names, Social Security numbers, addresses and diagnoses of more than 100,000 patients. Brighton and Sussex University Hospitals was given the largest ever data breach penalty last year, of £325,000 ($525,000), after confidential patient data was sold on eBay.

Data breaches, however, can also be a result of unclear or unenforced security policies. The University of Idaho was recently fined $400,000 for having its firewall shut down for close to one year. As shocking as it sounds, it may not be that uncommon due to lack of awareness of security risks. A November survey by HIMSS found that one in four of the 196 health organizations that responded do not conduct a formal risk analysis to identify security gaps in electronic patient data.

In many cases, hospital IT administrators are faced with huge challenges as computer networks are expanding beyond their traditional borders with the digitizing of customer care, the rapid increase in online collaboration and the plethora of mobile devices.

Providers' security perimeters are expanding beyond the internal networks they typically manage to a large number of critical endpoints outside those networks. Interconnected networks between hospitals, clinics, physicians' offices, remote contractors, suppliers, university networks and other external parties are making patient data more susceptible to data breaches.

Laptops and mobile devices are proliferating both inside and outside the hospital, as are interconnected medical devices that increasingly operate on common IT platforms, and are susceptible to the same security risks as traditional IT devices. Day-to-day customer care now involves sharing confidential data both within and outside the hospital's boundaries. For example, physicians look at patient data from handheld devices while moving within the hospital and outside of it.

Data security is being further compromised by unclear or unenforced security policies for sharing patients' confidential information. Many employees believe they are doing the right thing by using personal devices and clouds to work at home and complete their tasks more efficiently, but often unintentionally they are exposing confidential patient data to risk. More than 3,000 patients at Oregon Health and Science University had their health information compromised after residents and physicians-in-training in three departments used Google cloud services to share patient data.

According to officials, the university doesn't have a contractual agreement to use the cloud-based ISP, but residents and physicians-in-training were using the service anyway to share patient information including their ages, provider names, diagnoses and, in some cases, addresses. Apparently this practice is fairly common. In the Ponemon survey, 91 percent of hospitals surveyed are using cloud-based services, yet 47 percent lack confidence in the ability to keep data secure in the cloud.

The use of cloud-based services is often 'hidden' from the hospital IT managers, when healthcare workers use cloud services using their own personal mobile devices. According to the Ponemon study, 81 percent of hospitals permit employees and medical staff to use their own mobile devices such as smartphones or tablets to connect to their organizations' networks or enterprise systems. However, 54 percent of respondents say they are not confident that these personally owned mobile devices are secure.

Previously focused on maintaining physical access to patient records with key cards, today medical IT managers are becoming aware that the process of sharing patient data also needs to be secured. In this constantly evolving environment, traditional security measures such as firewalls, antivirus and intrusion detection and prevention systems are no longer providing the required levels of granularity, protection and enforcement required for compliance with HIPAA and other security and privacy regulations.

If hospitals were to approach patient information in the same way banks approach personal data for online banking, many of the risks could be minimized. Maintaining security policies that grant individual authorizations and assign security levels to each patient file, while having sensitive data encrypted at all times, can bring control to managing hospital information.

If the process of loading documents on the cloud is policed and authorizations are enforced automatically using proper security systems, highly sensitive data would never be exposed. Likewise, if file-sharing policies were enforced, sensitive patient data would be encrypted resulting in no data loss if the devices were stolen.

Many of these secured data-sharing practices already exist in the banking and insurance industries and can be easily adapted to the healthcare industry. Now the pressure is on hospitals to make data security part of their everyday business. Even medical professionals are going mobile and using cloud services, but it is important they make sure they keep sensitive data secure, or they risk paying a heavy price.

Ronen Kenig is vice president of marketing and product management at security technology and services company Safe-T. In his role, Kenig is responsible for overall global marketing and product management activities of Safe-T, including product strategy, product marketing, positioning, go-to-market and corporate marketing.