How healthcare can profit from financial security practices
On an almost daily basis, we hear of another healthcare organization, hospital or health plan that has experienced some kind of hack or data breach. According to a study by Symantec Corporation, there were 120 healthcare data breaches in 2015, accounting for 39 percent of all breaches across industries, more than any other sector.
The finance industry has experienced its fair share of cybersecurity issues and has rallied together to ensure that its consumers are secure against hacks, phishing schemes and the like. To protect itself from myriad security threats faced on a daily basis, the healthcare industry can learn a lot from the finance industry.
In addition to adopting healthcare-specific data and security standards that narrow the currently wide interpretation of "HIPAA compliance," as finance has done with its own cybersecurity standards, healthcare organizations must make better use of technology to build smarter algorithms that detect fraud and abuse. They must also prioritize security budgets to improve consumer awareness and education, bring proper expertise on staff, and design products with security as a priority rather than an afterthought.
Since technology first made its appearance in the healthcare sector, industry stakeholders and the government have tried to create regulation and guidelines on how to securely deploy IT solutions. As technology’s role in healthcare grew and evolved, so did this patchwork of security regulation.
According to CHIME, “healthcare organizations are subject to divergent and duplicative guidance on data security and privacy by various federal entities, state regulators and business agreements.” Before the digital age, the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to restrict how patient health information was to be shared by healthcare providers. However, HIPAA has no specific guidelines for securing electronic data from unauthorized exposure.
When the HIPAA Omnibus update took effect in 2013, it laid out more specific security requirements, provided guidance on breach notifications and liabilities, and required Business Associate Agreements (BAAs) between covered entities and their subcontractors. Requiring BAAs and moving to a "shared responsibility" model greatly improved healthcare information security because all vendors handling protected health information (PHI) are now responsible under the law for their own protection of it.
However, the technology landscape in healthcare is vast. More software and hosted services are being developed to improve care, quality of life and outcomes for patients. Increasingly, this technology—and the associated PHI—is moving to the cloud and away from private data centers of large companies and is becoming more distributed. Cloud vendors are catching up, both in processes and technology. For example, with the enactment of the Omnibus rule, all leading cloud providers (including AWS, Google Cloud, and Rackspace) have started signing BAAs with their customers. They are also providing technology to help ensure that protected data is automatically encrypted at rest and in transit, offering dedicated hardware (that is not shared with other customers), and proving compliance by undergoing external audits and attaining certifications.
Today's cybersecurity threats, though, come from many vectors and target all layers of application stacks—people, applications, operating systems, servers and VM hypervisors, to name a few. The healthcare sector could benefit strongly from specific and actionable guidelines for data security requirements.
This is an area where the financial industry is ahead of healthcare. The Payment Card Industry Data Security Standard (PCI DSS) provides a cohesive set of standards for data protection, including types of encryption to use and other technical guidelines. It also requires regular audits by external assessors to stay compliant with the requirements.
The healthcare sector has something similar with the Health Information Trust Alliance (HITRUST), which is also a group formed by industry leaders to improve and enhance data security. However, in contrast to the PCI standard, the HITRUST Alliance is a commercial entity that both writes the standards and is the sole assessor and certifier of compliance. As a result, over the past year, the HITRUST certification backlog of companies that have met all the requirements and are waiting to be assessed has grown to over a year.
Finance, on the other hand, has multiple certification entities, which eliminates this backlog, confirms more quickly that compliant companies are secure, and identifies risks sooner in cases where they are not.
Finance also has more advanced methods to identify fraud and misuse after they’ve occurred. Consumer Action states that “most credit card companies have developed the technology to help identify fraudulent activity and they will act quickly to stop misuse once they discover it.” For example, if the credit card company notices that a purchase was made in California, but sees that the consumer is currently located in Boston by looking at location data from the consumer’s cell phone, they will notify the consumer, shut down the credit card and credit the fraudulent charge.
Of course, there isn’t a human being comparing every consumer purchase with the consumer’s current location—this is an automated process that uses complex algorithms. Healthcare could utilize similar algorithms to notify organizations and consumers alike of potential cases of fraud. Has a patient portal been accessed from a non-verifiable location? Is a physician accessing more records than is normal within a set timeframe? These types of events could be flagged as potential cybersecurity breaches and addressed more quickly.
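As an added illustration of the automated checks the paragraph describes (example code, not from the article), the following Python flags a clinician whose distinct chart views within an hour exceed a multiple of their baseline, and a patient-portal login whose source address does not geolocate to the patient's home region. The audit lines, baselines and IP-prefix-to-region table are constructed stand-ins for an EHR audit log and a real geolocation service.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed audit lines (ts|actor|role|event|patient|src_ip), not real data:
# dr_lee opens five charts in twelve minutes; two portal logins look off.
AUDIT_LOG = """\
2016-05-01T09:00:00|dr_lee|clinician|view_record|P001|10.1.4.20
2016-05-01T09:03:00|dr_lee|clinician|view_record|P002|10.1.4.20
2016-05-01T09:06:00|dr_lee|clinician|view_record|P003|10.1.4.20
2016-05-01T09:09:00|dr_lee|clinician|view_record|P004|10.1.4.20
2016-05-01T09:12:00|dr_lee|clinician|view_record|P005|10.1.4.20
2016-05-01T10:00:00|dr_kim|clinician|view_record|P001|10.1.4.21
2016-05-01T12:00:00|P001|patient|portal_login|P001|203.0.113.7
2016-05-01T12:30:00|P002|patient|portal_login|P002|198.51.100.9
2016-05-01T13:00:00|P003|patient|portal_login|P003|192.0.2.44
"""
# Constructed baselines (distinct charts per clinician per hour) and stand-ins
# for a geolocation lookup and each patient's home region.
BASELINE_PER_HOUR = {"dr_lee": 2, "dr_kim": 2}
IP_PREFIX_REGION = {"203.0.113.": "MA", "198.51.100.": "CA"}
PATIENT_HOME_REGION = {"P001": "MA", "P002": "MA", "P003": "MA"}

def parse(log):
    """Split audit lines into (datetime, actor, role, event, patient, ip) tuples."""
    return [(datetime.fromisoformat(f[0]),) + tuple(f[1:])
            for f in (line.split("|") for line in log.strip().splitlines())]

def excessive_access(rows, window=timedelta(hours=1), factor=2):
    """Clinicians whose distinct charts in any window exceed factor x baseline."""
    by_actor = defaultdict(list)
    for ts, actor, role, event, patient, _ in rows:
        if role == "clinician" and event == "view_record":
            by_actor[actor].append((ts, patient))
    flagged = {}
    for actor, views in by_actor.items():
        views.sort()
        for i, (start, _) in enumerate(views):
            seen = {p for ts, p in views[i:] if ts - start < window}
            if len(seen) > factor * BASELINE_PER_HOUR.get(actor, 1):
                flagged[actor] = max(flagged.get(actor, 0), len(seen))
    return flagged

def suspicious_portal_logins(rows):
    """Portal logins from an IP that is unknown or outside the patient's home region."""
    alerts = []
    for _, _, role, event, patient, ip in rows:
        if role == "patient" and event == "portal_login":
            region = next((r for p, r in IP_PREFIX_REGION.items() if ip.startswith(p)), None)
            if region != PATIENT_HOME_REGION.get(patient):
                alerts.append((patient, ip, region or "unknown"))
    return alerts
```

In a real deployment the baseline would be learned per user and role from historical audit data, and alerts would feed a review queue rather than block access outright, since a clinician covering a colleague's patients can legitimately exceed their usual volume.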
While such enhancements would benefit healthcare organizations and consumers, they also take significant upfront investment. Unlike the finance cybersecurity industry, which is expected to grow to $68 billion by 2020 and whose big players (JPMorgan, Bank of America, Citigroup and Wells Fargo) spend a collective $1.5 billion on cybersecurity annually, healthcare organizations allocate only 10 percent or less of their IT budgets to cybersecurity and protecting patient information.
Not only do enhancements need to be made to the technology itself, but resources also need to be devoted to getting proper cybersecurity experts on staff, conducting vulnerability testing and educating end-users on ways to reduce cybersecurity threats. According to a recent healthcare technology survey conducted by Trustwave, 34 percent of respondents stated that shortage of cybersecurity staff and expertise was a concern, and 35 percent stated their organization performed vulnerability testing only once a year. While upgrading the technology and on-staff expertise will be helpful, comprehensive end-user training and education is the only way to reduce one of the most vulnerable aspects of cybersecurity in any industry: human error.
Although updating guidelines and regulations, creating smarter algorithms and investing in on-staff expertise and patient education come with a hefty price tag, the risks associated with a breach are far costlier. Not only does a recent Ponemon report state that a healthcare data breach costs $355 per stolen record – more than any other industry surveyed – but there are also other ramifications: damaged reputation, identity theft and extortion, among others.
We may never be able to fully define security standards because of technology’s constant evolution, but we can at least follow the financial industry’s lead to establish tangible, actionable best practices that will lead to better implementations, and ultimately better security.