Do Federal Regulations Help or Hinder Patient Data Security?

As healthcare security experts assess the fallout from the hacker attack at Anthem, by far the largest theft of personal data in the industry's history, there is a growing consensus that current federal regulations may do more to encourage patient data theft than to halt it.

Hospital security officers and other experts point fingers at two prominent federal programs: the Department of Health and Human Services' HIPAA Security Rule and the Centers for Medicare & Medicaid Services' meaningful use program, which provides monetary incentives to health services providers that make greater use of electronic medical records (EMRs). They say the programs inadvertently encourage medical identity theft by making patient records more accessible online.

Meaningful use "is money the government is giving out to people, incentivizing them to get off paper and onto EMRs," says Kathy Hughes, assistant vice president and chief information security officer at the 6,400-bed North Shore-Long Island Jewish Health System. "The government has infused the healthcare vertical with these funds, and the 'hacktivists' and the black-market people know that. And they know that the data is now on computer systems."

In the meantime, the value of that data has soared. On the black market, a pilfered credit card currently goes for 10 to 25 cents, explains James Mapes, chief security officer at IT consultancy BestIT. But a stolen medical record, which contains more information, has a much longer life span and can be used to perpetrate a variety of frauds including identity theft, sells for $100 to $300.

Another factor contributing to the onslaught of hack attacks against healthcare systems: As the industry raced to meet the government's deadlines, "A lot of time and effort was put into getting off paper and onto electronic records," Hughes says. "But initially, at least, very few resources were committed by healthcare entities to make sure the environment was secure."

All this was reflected in a 2014 warning from the FBI's Cyber Division that healthcare systems were at increased risk for cyber break-ins "due to mandatory transition from paper to electronic health records, lax cybersecurity standards and a higher financial payout for medical records in the black market."

The warning was prescient, as 2014 became a landmark year for patient data intrusions, with healthcare organizations accounting for roughly 42 percent of the major data breaches reported in the U.S. last year, according to the Identity Theft Resource Center. The cost of these incidents has soared as well. The Ponemon Institute, a research organization, estimates that the healthcare industry paid as much as $5.6 billion last year to cover losses and remediate damages incurred.



Vulnerabilities at Anthem

The data breach uncovered in February at Anthem, the nation's second-largest health insurer, compromised as many as 80 million customer and employee records. It was discovered by an Anthem administrator who realized that his password was being used to authorize data queries he didn't initiate.

Anthem was credited with quickly discovering the intrusion, which was camouflaged as an ordinary task that appeared to be part of its daily workflow. Anthem is not commenting on specific information about the hack so as not to compromise the investigation. However, security experts like Mapes point to precautions that the insurer could have taken, but likely didn't, that would have stymied the attackers.

These include measures like adding an additional layer of authentication for privileged accounts such as the administrator's, and employing code editors to search for weaknesses a hacker could exploit. According to another study by the Ponemon Institute, the computer code used by hospitals and other healthcare providers contains on average three vulnerabilities per 1,000 lines of code.

However, these are not the type of safeguards mandated by the Health Insurance Portability and Accountability Act. The HIPAA Security Rule, adopted in 2003, emphasizes passwords, encryption and security audits, which, while important, are insufficient when confronted with highly sophisticated attacks like the one that took place at Anthem.

"The concept that HIPAA is somehow security is a day long gone," says Russ Branzell, president and CEO of the College of Healthcare Information Management Executives, an association of healthcare CIOs. "HIPAA is such a low level of security versus what's truly required that it's just a rounding error," quips Branzell, who formerly served as CEO and CIO for several different hospital networks and medical centers. "If you've met HIPAA and you think you're secure, that's just an absolute fallacy."

The initial concept behind HIPAA "was very worthwhile, but the world is very different now," agrees Hughes of North Shore. "A common opinion among my peers is that HIPAA is very much behind the times. It's not very prescriptive; it's subject to interpretation, and in some instances, it isn't even practical to implement."

The most glaring and contentious example concerns encryption. Under HIPAA guidelines that are more than 15 years old, healthcare entities are required to encrypt all electronic protected health information. While the original intent was to ensure patient privacy, "the reality is that most software application vendors don't even support encryption at the database level," Hughes says. "If they do, they strongly recommend that you don't implement it because it will so degrade the performance of the application that it will hinder your ability to render patient care."

At one point, North Shore decided to see for itself and encrypted its EMR system. "We discovered that the vendors were right: the system became unusable," Hughes says. Providers typically don't comply with the encryption requirements of HIPAA, but instead seek exceptions from regulators, based on the other security measures they have in place.

But healthcare providers must still comply with HIPAA and meaningful use, forcing them to engage in a balancing act between meeting regulatory requirements on the one hand and maintaining a strong security posture on the other. As a result, hospitals and other institutions have to fend off emerging threats against which mandated safeguards like encryption are often ineffective; at the same time, they also have to document the security measures they take and provide elaborate rationales for why they conform to the HIPAA guidelines.

At Anthem, the attack was disguised to look like a routine batch of jobs being carried out by Anthem employees. Even if the insurer had met all of HIPAA's encryption requirements, it still would have needed an entirely different set of safeguards to block the attack, because the queries used returned their results in plain text.



Compliance vs. security

Meeting the letter of HIPAA requirements, in this day and age, does not provide sufficient protection from hacking, experts say.

"Compliance doesn't equal security," says John Houston, vice president for privacy and information security at the University of Pittsburgh Medical Center. "It demonstrates you're trying, but there's still a gap at the end of the day."

Houston believes that large healthcare networks like UPMC, which includes more than 20 hospitals and has about 50 employees dedicated to security, can handle the competing demands of federal regulators and real-world security requirements. But he worries that smaller community hospitals with scarcer resources will be forced to choose one over the other. "More enforcement by HIPAA will not give you a more secure environment," he says.

"Complying with a government requirement and remaining secure is not always the same thing," echoes Hussein Syed, CISO at Barnabas Health, New Jersey's largest integrated healthcare delivery system. "Encryption is not a solution to every security issue. There have to be other types of controls in place as well."

Syed suggests that these security efforts should include an analytics system that can monitor data requests, detecting changes in the frequency of these requests and the way in which they're made, as well as requiring additional forms of user identification besides the bare-bones requirement for an ID and password.

The Anthem incident is a case in point. Security specialists like Mapes point out that the breach consisted of a series of queries against the insurer's database. Encryption is generally ineffective against this sort of attack, because most query results are delivered as ordinary text and numbers, which anyone can read.

Forcing users to make multiple queries to access the same data would be less convenient for employees who are legitimately attempting to piece together a patient record. But it also would force would-be thieves to conduct many more queries, thus making their activities much more conspicuous.
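The request-monitoring analytics Syed describes, as an added example written for this page (not code from the article or from any of the organizations it names): it builds each database login's baseline from a few days of query audit records and flags the day on which an account's query volume, rows returned, or query shapes depart from that baseline. The audit-record format, the login names and every record are constructed for the illustration; a real deployment would feed the detector from the database's own audit facility.

```python
"""Detect deviations in database query behaviour from a per-principal baseline.

Added example (not code from the article or from any organization it names):
one way to implement monitoring of who queries what, how often, and in what
form, raising an alert when an account departs from its own history.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class QueryEvent:
    day: str        # calendar day the query ran (YYYY-MM-DD)
    principal: str  # database login that issued it
    shape: str      # query text with literals replaced by "?"
    rows: int       # rows returned


def parse_audit_log(text):
    """Parse '<timestamp>|<principal>|<shape>|<rows>' records; the format is an assumption."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        timestamp, principal, shape, rows = line.split("|")
        events.append(QueryEvent(timestamp[:10], principal, shape, int(rows)))
    return events


def daily_profiles(events):
    """Summarise activity per (principal, day): query count, rows returned, query shapes seen."""
    profiles = defaultdict(lambda: {"count": 0, "rows": 0, "shapes": set()})
    for e in events:
        p = profiles[(e.principal, e.day)]
        p["count"] += 1
        p["rows"] += e.rows
        p["shapes"].add(e.shape)
    return profiles


def _exceeds(observed, history, z):
    """True when observed lies more than z standard deviations above the historical mean.
    A floor of 1.0 on the deviation stops a perfectly regular history from flagging trivial changes."""
    sigma = max(pstdev(history), 1.0)
    return observed > mean(history) + z * sigma


def detect_anomalies(events, baseline_days, observed_day, z=3.0):
    """Return {principal: [reasons]} for principals whose observed day deviates from their baseline."""
    profiles = daily_profiles(events)
    alerts = {}
    for principal in {e.principal for e in events}:
        history = [profiles[(principal, d)] for d in baseline_days if (principal, d) in profiles]
        observed = profiles.get((principal, observed_day))
        if not history or observed is None:
            continue  # nothing to compare against
        reasons = []
        known_shapes = set().union(*(h["shapes"] for h in history))
        if observed["shapes"] - known_shapes:
            reasons.append("new_query_shape")  # a form of request this account never used before
        if _exceeds(observed["count"], [h["count"] for h in history], z):
            reasons.append("query_volume")  # far more requests than this account's norm
        if _exceeds(observed["rows"], [h["rows"] for h in history], z):
            reasons.append("rows_returned")  # far more data leaving than this account's norm
        if reasons:
            alerts[principal] = sorted(reasons)
    return alerts


def build_sample_log():
    """Constructed audit records (invented logins and query shapes) for the demonstration."""
    lines = ["# timestamp|principal|normalized query|rows"]
    for d in range(1, 7):
        day = f"2015-02-0{d}"
        # Clinician: around twenty single-member lookups a day, with some day-to-day variation.
        for i in range(18 + d):
            lines.append(f"{day}T{8 + i % 9:02d}:00:00|dr_smith|SELECT * FROM member WHERE member_id = ?|1")
        # DBA: a handful of maintenance counts a day.
        for i in range(4 + d % 2):
            lines.append(f"{day}T{9 + i:02d}:30:00|dba_admin|SELECT count(*) FROM member|1")
    # On the last day the DBA login is reused overnight for bulk pulls that resemble batch jobs.
    for i in range(40):
        lines.append(f"2015-02-06T{1 + i % 6:02d}:{i % 60:02d}:00|dba_admin|"
                     "SELECT * FROM member WHERE member_id BETWEEN ? AND ?|50000")
    return "\n".join(lines)


if __name__ == "__main__":
    events = parse_audit_log(build_sample_log())
    baseline = [f"2015-02-0{d}" for d in range(1, 6)]
    print(detect_anomalies(events, baseline, "2015-02-06"))
```

Run as written, the clinician's slightly busier day stays within three standard deviations of its own history and raises nothing, while the DBA login is flagged on all three signals. The "new query shape" check is the one that matters most for the scenario the article describes: a bulk range scan under an account that has only ever issued maintenance counts is conspicuous even before the volume threshold trips.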

Experts looking at the details of the initial Anthem announcement say another weakness exploited by the intruders was the ease with which they were able to use the Anthem administrator's log-in. If the insurer had required additional levels of user verification, not prescribed by HIPAA, this could have prevented the attack.

Imposing added layers of identity authentication can irritate healthcare workers, especially doctors and other professionals, who perceive these as a time-consuming barrier to the data they need to serve their patients. But these secondary forms of ID validation do not have to be applied across the board, Mapes says. Requirements for additional user authentication can be limited to privileged accounts, such as those of database administrators, that routinely have access to a broader array of data, or instances where alarms are triggered by behaviors that deviate from normal usage patterns.

An example is adaptive authentication of the sort increasingly employed by banks: If a normal pattern is violated, for example if multiple attempts are made to log into the same account, the user must enter a PIN code, which is sent to a phone previously registered by the user.
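Adaptive, step-up authentication of the kind just described, as an added example (not code from the article or from any bank or health system it mentions): a password alone suffices for routine logins, while a privileged account, repeated failed attempts on one account, or a behaviour alarm from monitoring triggers a one-time PIN delivered out of band. The privileged-account list, the failure threshold and the `send` delivery hook are assumptions standing in for an enrolment database and an SMS gateway.

```python
"""Risk-based step-up authentication: demand a one-time PIN only when the login
is privileged or departs from normal patterns.

Added example, not code from the article or from any organization it names.
PRIVILEGED, FAILURE_THRESHOLD and the send() hook are assumptions.
"""
import hmac
import secrets
import time

PRIVILEGED = {"dba_admin"}   # accounts with broad data access (assumed list)
FAILURE_THRESHOLD = 3        # repeated failed logins on one account trigger step-up
CODE_TTL_SECONDS = 300       # a PIN is valid for five minutes
MAX_CODE_ATTEMPTS = 3        # then the PIN is burned and a fresh login is required


def step_up_required(principal, recent_failures, behaviour_alarm):
    """Decide whether a password alone is enough for this login attempt."""
    return (principal in PRIVILEGED
            or recent_failures >= FAILURE_THRESHOLD
            or behaviour_alarm)


class OneTimeCode:
    """A short-lived PIN sent to the user's registered phone; send() is a placeholder hook."""

    def __init__(self, principal, send, now=time.time, digits=6):
        self.principal = principal
        self.code = f"{secrets.randbelow(10 ** digits):0{digits}d}"  # CSPRNG, never random.random
        self.now = now
        self.expires_at = now() + CODE_TTL_SECONDS
        self.attempts_left = MAX_CODE_ATTEMPTS
        send(principal, self.code)  # e.g. SMS to the phone registered at enrolment

    def verify(self, candidate):
        """Check a submitted PIN; expired, exhausted or already-used codes never verify."""
        if self.attempts_left <= 0 or self.now() > self.expires_at:
            return False
        self.attempts_left -= 1
        ok = hmac.compare_digest(self.code, str(candidate))  # constant-time comparison
        if ok:
            self.attempts_left = 0  # single use
        return ok


def authenticate(principal, password_ok, recent_failures, behaviour_alarm, send, prompt_for_code):
    """Full login decision: 'denied', 'allowed', or 'allowed_with_step_up'."""
    if not password_ok:
        return "denied"
    if not step_up_required(principal, recent_failures, behaviour_alarm):
        return "allowed"  # routine clinician login: no extra friction
    otc = OneTimeCode(principal, send)
    return "allowed_with_step_up" if otc.verify(prompt_for_code(principal)) else "denied"


if __name__ == "__main__":
    outbox = {}  # constructed stand-in for the SMS gateway
    print(authenticate("dr_smith", True, 0, False, outbox.__setitem__, outbox.get))
    print(authenticate("dba_admin", True, 0, False, outbox.__setitem__, outbox.get))
```

The policy keeps the friction where the article's experts put it: clinicians with a correct password and no alarms pass straight through, and only privileged logins or anomalous ones pay the cost of the second factor. The PIN itself expires, is single-use and capped at a few attempts, so a guessed or intercepted code has a narrow window.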



The specter of audits

Along with passwords and encryption, the HIPAA Security Rule emphasizes security audits, and the HHS Office for Civil Rights has said it will begin random audits in 2015 with expanded penalties for those found to have violations. But here, too, the program's impact may not live up to its billing.

"No one I know feels too threatened by the prospect of a HIPAA audit," says North Shore's Hughes. Referring to the breach at Anthem, she says, "People are more motivated by these events that are taking place and the need to ensure that the data really is protected."

As for the likelihood of being audited, Hughes says that despite pronouncements to the contrary, the government has scaled back on the number of audits it conducts. "There haven't been a lot of hefty fines assessed due to an audit," she notes. "I don't believe anybody's been put in jail for failing to comply with one. I really don't believe that the threat of a HIPAA audit is actually scaring anyone."

The same can't be said of the Anthem break-in.

"The U.S. needs to take a fundamentally different approach to dealing with identity theft," asserts UPMC's Houston. With the Anthem attack coming on top of other large-scale data breaches in recent years, "Do you realize that one quarter of all U.S. citizens' personal information, the information needed to commit some form of identity theft, has now been stolen?" he says. "You have to fundamentally look at the way you approach privacy and security differently based on this type of an event."

"This will completely change the course for healthcare security, especially in the payer space," concurs Barnabas' Syed. "The Anthem breach is going to set precedents. I'm already hearing that a lot of healthcare organizations have been solicited to come and meet with lawmakers about cybersecurity. It could lead to the introduction of new legislation."