Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Cost of a Breach, Proper Medical Record Disposal, and Delayed Breach Notifications

Posted on June 22, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Time for a quick roundup of HIPAA related tweets from around the Twittersphere. Check out these tweets and we’ll add in a bit of our commentary.


Matt’s correct that it’s not all avoidable, but at $380 per record that’s expensive. Breaches are expensive everywhere, but especially in healthcare. When you look at how insecure various industries are, my guess is that healthcare would be near the top of the list as well. That’s a problem.


I’m with Danika Brinda as well. I have no idea why this is still happening. Are people really that uneducated and naive when it comes to disposal of paper medical records? Hire a company with a great reputation if you’re not sure how to do it properly yourself.


Happens all the time. The fine for the delay is more than the damage of the breach itself. There should be no reason organization’s delay in their efforts to notify patients of a breach. Doing so can be a very expensive prospect. Plus, it’s the right thing to do for the patients.

Why Small Medical Practices Are at Great Risk for a Cyber Attack

Posted on June 14, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The good people at ClinicSpectrum recently shared a look at why small practices are at risk for a cyber attack. They label it as why your EHR is at risk for a cyber attack, but I think their list is more specific to small practices as opposed to EHR. Take a look at their list:

Each of these issues should be considered by a small medical when it comes to why they are at risk for a cyber attack. However, the first one is one that I see often. Many small practices wonder, “Why would anyone want to hack my office?”

When it comes to that issue, medical practices need to understand how most hackers work. Most hackers aren’t trying to hack someone in particular. Instead, they’re just scouring the internet for easy opportunities. Sure, there are examples where a hacker goes after a specific target. However, the majority are just exploiting whatever vulnerabilities they can find.

This is why it’s a real problem when medical practices think they’re too small or not worth hacking. When you have this attitude, then you leave yourself vulnerable to opportunistic hackers that are just taking advantage of your laziness.

The best thing a medical practice can do to secure their systems is to care enough about having secure systems. You’ll never be 100% secure, but those organizations who act as if they don’t really care about security are almost guaranteed to be hacked. You can imagine how HHS will look at you if you take this approach and then get hacked.

No Duh, FTP Servers Pose PHI Security Risk

Posted on April 12, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

The File Transfer Protocol is so old – it was published in April 1971 – that it once ran on NCP, the predecessor of TCP/IP. And surprise, surprise, it’s not terribly secure, and was never designed to be so either.

Security researchers have pointed out that FTP servers are susceptible to a range of problems, including brute force attacks, FTP bounce attacks, packet capture, port stealing, spoofing attacks and username enumeration.

Also, like many IP specifications designed prior before standard encryption approaches like SSL were available, FTP servers don’t encrypt traffic, with all transmissions in clear text and usernames, passwords, commands and data readable by anyone sniffing the network.

So why am I bothering to remind you of all of this? I’m doing so because according to the FBI, cybercriminals have begun targeting FTP servers and in doing so, accessing personal health information. The agency reports that these criminals are attacking anonymous FTP servers associated with medical and dental facilities. Plus, don’t even know they have these servers running.

Getting into these servers is a breeze, the report notes. With anonymous FTP servers, attackers can authenticate to the FTP server using meaningless credentials like “anonymous” or “ftp,” or use a generic password or email address to log in. Once they gain access to PHI, and personally identifiable information (PII), they’re using it to “intimidate, harass, and blackmail business owners,” the FBI report says.

As readers may know, once these cybercriminals get to an anonymous FTP server, they can not only attack it, but also gain write access to the server and upload malicious apps.

Given these concerns, the FBI is recommending that medical and dental entities ask their IT staff to check their networks for anonymous FTP servers. And if they find any, the organization should at least be sure that PHI or PII aren’t stored on those servers.

The obvious question here is why healthcare organizations would host an anonymous FTP server in the first place, given its known vulnerabilities and the wide variety of available alternatives. If nothing else, why not use Secure FTP, which adds encryption for passwords and data transmission while retaining the same interface as basic FTP? Or what about using the HTTP or HTTPS protocol to share files with the world? After all, your existing infrastructure probably includes firewalls, intrusion detection/protection solutions and other technologies already tuned to work with web servers.

Of course, healthcare organizations face a myriad of emerging data security threats. For example, the FDA is so worried about the possibility of medical device attacks that it issued agency guidance on the subject. The agency is asking both device manufacturers and healthcare facilities to protect medical devices from cybersecurity threats. It’s also asking hospitals and healthcare facilities to see that they have adequate network defenses in place.

But when it comes to hosting anonymous FTP servers on your network, I’ve got to say “really?” This has to be a thing that the FBI tracks and warns providers to avoid? One would think that most health IT pros, if not all, would know better than to expose their networks this way. But I suppose there will always be laggards who make life harder for the rest of us!

Wide Ranging Impact of A Healthcare Cybersecurity Attack

Posted on March 8, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

David Chou recently shared this amazing graphic of the “above the surface” and “beneath the surface” impacts from cyber attacks. The above the surface attacks are those that are better know costs related to an incident. The beneath the surface attacks are the less visible or hidden costs of a cyber attack.

Which of these impacts concerns you most?

If this list of 14 impacts on your organization isn’t enough to wake you up to the importance of cybersecurity, then there isn’t much hope. However, most of the CIOs I’ve seen are well aware of this and it’s why it keeps them up at night.

Hybrid Entities Ripe For HIPAA Enforcement Actions

Posted on February 8, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As some readers will know, HIPAA rules allow large organizations to separate out parts of the organization which engage in HIPAA-covered functions from those that do not. When they follow this model, known as a “hybrid entity” under HIPAA, organizations must take care to identify the “components” of its organization which engage in functions covered by HIPAA, notes attorney Matthew Fisher in a recent article.

If they don’t, they may get into big trouble, as signs suggest that the Office for Civil Rights will be taking a closer look at these arrangements going forward, according to attorneys.  In fact, the OCR recently hit the University of Massachusetts Amherst with a $650,000 fine after a store of unsecured electronic protected health information was breached. This action, the first addressing the hybrid entity standard under HIPAA, asserted that UMass had let this data get breached because it hadn’t treated one of its departments as a healthcare component.

UMass’s troubles began in June 2013, when a workstation at the UMass Center for Language, Speech and Hearing was hit with a malware attack. The malware breach led to the disclosure of patient names, addresses, Social Security numbers, dates of birth, health insurance information and diagnoses and procedure codes for about 1,670 individuals. The attack succeeded because UMass didn’t have a firewall in place.

After investigating the matter, OCR found that UMass had failed to name the Center as a healthcare component which needed to meet HIPAA standards, and as a result had never put policies and procedures in place there to enforce HIPAA compliance. What’s more, OCR concluded that – violating HIPAA on yet another level – UMass didn’t conduct an accurate and thorough risk analysis until September 2015, well after the original breach.

In the end, things didn’t go well for the university. Not only did OCR impose a fine, it also demanded that UMass take corrective action.

According to law firm Baker Donelson, this is a clear sign that the OCR is going to begin coming down on hybrid entities that don’t protect their PHI appropriately or erect walls between healthcare components and non-components. “Hybrid designation requires precise documentation and routine updating and review,” the firm writes. “It also requires implementation of appropriate administrative, technical and physical safeguards to prevent non-healthcare components from gaining PHI access.”

And the process of selecting out healthcare components for special treatment should never end completely. The firm advises its clients review the status of components whenever they are added – such as, for example, a walk-in or community clinic – or even when new enterprise-wide systems are implemented.

My instinct is that problems like the one taking place at UMass, in which hybrid institutions struggle to separate components logically and physically, are only likely to get worse as healthcare organizations consolidate into ACOs.

I assume that under these loosely consolidated business models, individual entities will still have to mind their own security. But at the same time, if they hope to share data and coordinate care effectively, extensive network interconnections will be necessary, and mapping who can and can’t look at PHI is already tricky. I don’t know what such partners will do to keep data not only within their network, but out of the hands of non-components, but I’m sure it’ll be no picnic.

How Many Points of Vulnerability Do You Have in Your Healthcare Organization?

Posted on December 21, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Far too often I hear healthcare CIOs talk about all of the various electronic devices they have in their organization and how this device proliferation has created a really large risk surface that makes their organization vulnerable to breaches and other nefarious actions. This is true to some extent since organizations now have things like:

  • Servers
  • Desktops
  • Mobile Devices
  • Network Devices
  • Internet Access
  • Medical Devices
  • Internet of Thing Devices
  • etc

As tech progresses, the number of devices we have in our healthcare organizations is only going to continue to grow. No doubt this can pose a challenge to any Chief Security Officer (CSO). However, I actually think this is the easiest part of a CSO’s job when it comes to making sure a healthcare organization is secure. I think it’s much harder to make sure the people in your organization are acting in a way that doesn’t compromise your organization’s security.

As one hospital CIO told me, “I’m most concerned with the 21,000 security vulnerabilities that existed in my organization. I’m talking about the 21,000 employees.

Granted, this CIO worked at a very large organization. However, I think he’s right. Creating a security plan for a device is pretty easily accomplished. It will never be perfect, but you can put together a really good, effective plan. People are wild cards. It’s much harder to keep them from doing something that compromises your organization. Especially since the hackers have gotten so pernicious and effective in the tactics they use.

At the end of the day, I look at security as similar to child proofing your house when you have a young child. You’ll never make it 100% completely safe, but you can really mitigate most of the issues that could cause harm to your child. The same is true in your approach to securing your healthcare organization. You can never ensure you won’t have any security incidents, but you can mitigate a lot of the really dangerous things. Then, you just have to deal with the times something surprising happens. Now if we would just care as much about keeping our healthcare organizations secure as we do keeping our children safe, then we’d be in a much better place.

The Teeter Totter of Security and Usability – Tony Scott, US CIO at #CHIME16

Posted on November 15, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I was recently at the CHIME Fall Forum and had the privilege of hearing a keynote presentation by Tony Scott, US Federal CIO, that was made possible by Infinite Computer Solutions. Tony Scott has a fascinating background at VM Ware, Microsoft, Disney and GM which gives him a pretty unique perspective on technology and his topic of cybersecurity.

During Tony’s keynote, he made a great plea for all of us working in healthcare IT when he said:

Cybersecurity is important and there’s something that each one of us can do about it!

When it comes to Cybersecurity I think that many people throw up their arms and think that there’s not much they can do. However, if we all do our small part in improving cybersecurity, then the aggregate result would be powerful. That’s something each of us in healthcare should take seriously as we think of how cybersecurity issues could literally impact the care patients receive going forward.

Along these same lines, Tony Scott also suggested that members of CHIME (largely healthcare CIOs) should work to share with peers. Cybersecurity is such a challenging problem, we have to share and learn from each other. I saw this happening first hand in a few of the cybersecurity sessions I attended at the conference. Healthcare CIOs were happily sharing security best practices with each other. The reality is that everyone in healthcare suffers when healthcare organizations suffer a breach and erode the confidence of patients. So, we all benefit by sharing our experience and knowledge about cybersecurity with each other.

Tony Scott also framed the cybersecurity challenge when he said, “Every time we have a breach, we could think of it as a quality issue.” No doubt this was calling back to his days at GM when quality issues were a major challenge, but what a great way to frame a breach. When there’s a breach, there’s something wrong with the quality of the product we provide our healthcare organizations and ultimately patients. With that mindset, we can go about making sure that the health IT product we provide is of the highest quality.

While I enjoyed each of these insights from Tony Scott’s keynote, I had the unique opportunity to be able to head backstage to the green room to talk privately with Tony Scott and the team from Infinite Computer Solutions that was hosting him as keynote. We had a brief but interesting discussion about his keynote and the challenges of cybersecurity in healthcare.

During our discussion, Tony Scott offered an important insight about the balance of cybersecurity and usability when he compared it to a teeter totter. Far too many organizations treat cybersecurity and usability like a teeter totter. If you make something more secure, then that makes things less usable. If you make things more usable, then they’re going to be less secure. Or at least that’s how many people look at cybersecurity.

In my discussion with Tony, he argued that we need to look at ways to raise the teeter totter up so that there’s not this give and take between security and usability. We should look for ways to make things extremely usable, but also secure. I’d suggest that this is the challenge we must face head on in healthcare over the next decade. Let’s not just settle ourselves with the teeter totter effect of security and usability, but let’s strive to raise the teeter totter up so we preserve both.

Security and Privacy Are Pushing Archiving of Legacy EHR Systems

Posted on September 21, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

In a recent McAfee Labs Threats Report, they said that “On average, a company detects 17 data loss incidents per day.” That stat is almost too hard to comprehend. No doubt it makes HIPAA compliance officers’ heads spin.

What’s even more disturbing from a healthcare perspective is that the report identifies hospitals as the easy targets for ransomware and that the attacks are relatively unsophisticated. Plus, one of the biggest healthcare security vulnerabilities is legacy systems. This is no surprise to me since I know so many healthcare organizations that set aside, forget about, or de-prioritize security when it comes to legacy systems. Legacy system security is the ticking time bomb of HIPAA compliance for most healthcare organizations.

In a recent EHR archiving infographic and archival whitepaper, Galen Healthcare Solutions highlighted that “50% of health systems are projected to be on second-generation technology by 2020.” From a technology perspective, we’re all saying that it’s about time we shift to next generation technology in healthcare. However, from a security and privacy perspective, this move is really scary. This means that 50% of health systems are going to have to secure legacy healthcare technology. If you take into account smaller IT systems, 100% of health systems have to manage (and secure) legacy technology.

Unlike other industries where you can decommission legacy systems, the same is not true in healthcare where Federal and State laws require retention of health data for lengthy periods of time. Galen Healthcare Solutions’ infographic offered this great chart to illustrate the legacy healthcare system retention requirements across the country:
healthcare-legacy-system-retention-requirements

Every healthcare CIO better have a solid strategy for how they’re going to deal with legacy EHR and other health IT systems. This includes ensuring easy access to legacy data along with ensuring that the legacy system is secure.

While many health systems use to leave their legacy systems running off in the corner of their data center or a random desk in their hospital, I’m seeing more and more healthcare organizations consolidating their EHR and health IT systems into some sort of healthcare data archive. Galen Healthcare Solution has put together this really impressive whitepaper that dives into all the details associated with healthcare data archives.

There are a lot of advantages to healthcare data archives. It retains the data to meet record retention laws, provides easy access to the data by end users, and simplifies the security process since you then only have to secure one health data archive instead of multiple legacy systems. While some think that EHR data archiving is expensive, it turns out that the ROI is much better than you’d expect when you factor in the maintenance costs associated with legacy systems together with the security risks associated with these outdated systems and other compliance and access issues that come with legacy systems.

I have no doubt that as EHR vendors and health IT systems continue consolidating, we’re going to have an explosion of legacy EHR systems that need to be managed and dealt with by every healthcare organization. Those organizations that treat this lightly will likely pay the price when their legacy systems are breached and their organization is stuck in the news for all the wrong reasons.

Galen Healthcare Solutions is a sponsor of the Tackling EHR & EMR Transition Series of blog posts on Hospital EMR and EHR.

Will a Duo of AI and Machine Learning Catch Data Thieves Lurking in Hospital EHR Corridors?

Posted on September 19, 2016 I Written By

The following is a guest blog post by Santosh Varughese, President of Cognetyx, an organization devoted to using artificial intelligence and machine learning innovation to bring an end to the theft of patient medical data.
santosh-varughese-president-cognetyx
As Halloween approaches, the usual spate of horror movies will intrigue audiences across the US, replete with slashers named Jason or Freddie running amuck in the corridors of all too easily accessible hospitals. They grab a hospital gown and the zombies fit right in.  While this is just a movie you can turn off, the real horror of patient data theft can follow you.

(I know how terrible this type of crime can be. I myself have been the victim of a data theft by hackers who stole my deceased father’s medical files, running up more than $300,000 in false charges. I am still disputing on-going bills that have been accruing for the last 15 years).

Unfortunately, this horror movie scenario is similar to how data thefts often occur at medical facilities. In 2015, the healthcare industry was one of the top three hardest hit industries with serious data breaches and major attacks, along with government and manufacturers. Packed with a wealth of exploitable information such as credit card data, email addresses, Social Security numbers, employment information and medical history records, much of which will remain valid for years, if not decades and fetch a high price on the black market.

Who Are The Hackers?
It is commonly believed attacks are from outside intruders looking to steal valuable patient data and 45 percent of the hacks are external. However, “phantom” hackers are also often your colleagues, employees and business associates who are unwittingly careless in the use of passwords or lured by phishing schemes that open the door for data thieves. Not only is data stolen, but privacy violations are insidious.

The problem is not only high-tech, but also low-tech, requiring that providers across the continuum simply become smarter about data protection and privacy issues. Medical facilities are finding they must teach doctors and nurses not to click on suspicious links.

For healthcare consultants, here is a great opportunity to not only help end this industry wide problem, but build up your client base by implementing some new technologies to help medical facilities bring an end to data theft.  With EHRs being more vulnerable than ever before, CIOs and CISOs are looking for new solutions.  These range from thwarting accidental and purposeful hackers by implementing physical security procedures to securing network hardware and storage media through measures like maintaining a visitor log and installing security cameras. Also limiting physical access to server rooms and restricting the ability to remove devices from secure areas.

Of course enterprise solutions for the entire hospital system using new innovations are the best way to cast a digital safety net over all IT operations and leaving administrators and patients with a sense of security and safety.

Growing Nightmare
Medical data theft is a growing national nightmare.  IDC’s Health Insights group predicts that 1 in 3 healthcare recipients will be the victim of a medical data breach in 2016.  Other surveys found that in the last two years, 89% of healthcare organizations reported at least one data breach, with 79% reporting two or more breaches. The most commonly compromised data are medical records, followed by billing and insurance records. The average cost of a healthcare data breach is about $2.2 million.

At health insurer Anthem, Inc., foreign hackers stole up to 80 million records using social engineering to dig their way into the company’s network using the credentials of five tech workers. The hackers stole names, Social Security numbers and other sensitive information, but were thwarted when an Anthem computer system administrator discovered outsiders were using his own security credentials to log into the company system and to hack databases.

Investigators believe the hackers somehow compromised the tech worker’s security through a phishing scheme that tricked the employee into unknowingly revealing a password or downloading malicious software. Using this login information, they were able to access the company’s database and steal files.

Healthcare Hacks Spread Hospital Mayhem in Diabolical Ways
Not only is current patient data security an issue, but thieves can also drain the electronic economic blood from hospitals’ jugular vein—its IT systems. Hospitals increasingly rely on cloud delivery of big enterprise data from start-ups like iCare that can predict epidemics, cure disease, and avoid preventable deaths. They also add Personal Health Record apps to the system from fitness apps like FitBit and Jawbone.

Banner Health, operating 29 hospitals in Arizona, had to notify millions of individuals that their data was exposed. The breach began when hackers gained access to payment card processing systems at some of its food and beverage outlets. That apparently also opened the door to the attackers accessing a variety of healthcare-related information.

Because Banner Health says its breach began with an attack on payment systems, it differentiates from other recent hacker breaches. While payment system attacks have plagued the retail sector, they are almost unheard of by healthcare entities.

What also makes this breach more concerning is the question of how did hackers access healthcare systems after breaching payment systems at food/beverage facilities, when these networks should be completely separated from one another? Healthcare system networks are very complex and become more complicated as other business functions are added to the infrastructure – even those that don’t necessarily have anything to do with systems handling and protected health information.

Who hasn’t heard of “ransomware”? The first reported attack was Hollywood Presbyterian Medical Center which had its EHR and clinical information systems shut down for more than week. The systems were restored after the hospital paid $17,000 in Bitcoins.

Will Data Thieves Also Rob Us of Advances in Healthcare Technology?
Is the data theft at MedStar Health, a major healthcare system in the DC region, a foreboding sign that an industry racing to digitize and interoperate EHRs is facing a new kind of security threat that it is ill-equipped to handle? Hospitals are focused on keeping patient data from falling into the wrong hands, but attacks at MedStar and other hospitals highlight an even more frightening downside of security breaches—as hospitals strive for IT interoperability. Is this goal now a concern?

As hospitals increasingly depend on EHRs and other IT systems to coordinate care, communicate critical health data and avoid medication errors, they could also be risking patients’ well-being when hackers strike. While chasing the latest medical innovations, healthcare facilities are rapidly learning that caring for patients also means protecting their medical records and technology systems against theft and privacy violations.

“We continue the struggle to integrate EHR systems,” says anesthesiologist Dr. Donald M. Voltz, Medical Director of the Main Operating Room at Aultman Hospital in Canton, OH, and an advocate and expert on EHR interoperability. “We can’t allow patient data theft and privacy violations to become an insurmountable problem and curtail the critical technology initiative of resolving health system interoperability. Billions have been pumped into this initiative and it can’t be risked.”

Taking Healthcare Security Seriously
Healthcare is an easy target. Its security systems tend to be less mature than those of other industries, such as finance and tech. Its doctors and nurses depend on data to perform time-sensitive and life-saving work.

Where a financial-services firm might spend a third of its budget on information technology, hospitals spend only about 2% to 3%. Healthcare providers are averaging less than 6% of their information technology budget expenditures on security, according to a recent HIMSS survey. In contrast, the federal government spends 16% of its IT budget on security, while financial and banking institutions spend 12% to 15%.

Meanwhile, the number of healthcare attacks over the last five years has increased 125%, as the industry has become an easy target. Personal health information is 50 times more valuable on the black market than financial information. Stolen patient health records can fetch as much as $363 per record.

“If you’re a hacker… would you go to Fidelity or an underfunded hospital?” says John Halamka, the chief information officer of Beth Israel Deaconess Medical Center in Boston. “You’re going to go where the money is and the safe is the easiest to open.”

Many healthcare executives believe that the healthcare industry is at greater risk of breaches than other industries. Despite these concerns, many organizations have either decreased their cyber security budgets or kept them the same. While the healthcare industry has traditionally spent a small fraction of its budget on cyber defense, it has also not shored up its technical systems against hackers.

Disrupting the Healthcare Security Industry with Behavior Analysis   
Common defenses in trying to keep patient data safe have included firewalls and keeping the organization’s operating systems, software, anti-virus packages and other protective solutions up-to-date.  This task of constantly updating and patching security gaps or holes is ongoing and will invariably be less than 100% functional at any given time.  However, with only about 10% of healthcare organizations not having experienced a data breach, sophisticated hackers are clearly penetrating through these perimeter defenses and winning the healthcare data security war. So it’s time for a disruption.

Many organizations employ network surveillance tactics to prevent the misuse of login credentials. These involve the use of behavior analysis, a technique that the financial industry uses to detect credit card fraud. By adding some leading innovation, behavior analysis can offer C-suite healthcare executives a cutting-edge, game-changing innovation.

The technology relies on the proven power of cloud technology to combine artificial intelligence with machine learning algorithms to create and deploy “digital fingerprints” using ambient cognitive cyber surveillance to cast a net over EHRs and other hospital data sanctuaries. It exposes user behavior deviations while accessing EHRs and other applications with PHI that humans would miss and can not only augment current defenses against outside hackers and malicious insiders, but also flag problem employees who continually violate cyber security policy.

“Hospitals have been hit hard by data theft,” said Doug Brown, CEO, Black Book Research. “It is time for them to consider new IT security initiatives. Harnessing machine learning artificial intelligence is a smart way to sort through large amounts of data. When you unleash that technology collaboration, combined with existing cloud resources, the security parameters you build for detecting user pattern anomalies will be difficult to defeat.”

While the technology is advanced, the concept is simple. A pattern of user behavior is established and any actions that deviate from that behavior, such as logging in from a new location or accessing a part of the system the user normally doesn’t access are flagged.  Depending on the deviation, the user may be required to provide further authentication to continue or may be forbidden from proceeding until a system administrator can investigate the issue.

The cost of this technology will be positively impacted by the continuing decline in the cost of storage and processing power from cloud computing giants such as Amazon Web Services, Microsoft and Alphabet.

The healthcare data security war can be won, but it will require action and commitment from the industry. In addition to allocating adequate human and monetary resources to information security and training employees on best practices, the industry would do well to implement network surveillance that includes behavior analysis. It is the single best technological defense against the misuse of medical facility systems and the most powerful weapon the healthcare industry has in its war against cyber criminals.

What Would a Patient-Centered Security Program Look Like? (Part 1 of 2)

Posted on August 29, 2016 I Written By

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space. Andy also writes often for O'Reilly's Radar site (http://oreilly.com/) and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

HIMSS has just released its 2016 Cybersecurity Survey. I’m not writing this article just to say that the industry-wide situation is pretty bad. In fact, it would be worth hiring a truck with a megaphone to tour the city if the situation was good. What I want to do instead is take a critical look at the priorities as defined by HIMSS, and call for a different industry focus.

We should start off by dispelling notions that there’s anything especially bad about security in the health care industry. Breaches there get a lot of attention because they’re relatively new and because the personal sensitivity of the data strikes home with us. But the financial industry, which we all thought understood security, is no better–more than 500 million financial records were stolen during just a 12-month period ending in October 2014. Retailers are frequently breached. And what about one of the government institutions most tasked with maintaining personal data, the Office of Personnel Management?

The HIMSS report certainly appears comprehensive to a traditional security professional. They ask about important things–encryption, multi-factor authentication, intrusion detection, audits–and warn the industry of breaches caused by skimping on such things. But before we spend several billion dollars patching the existing system, let’s step back and ask what our priorities are.

People Come Before Technologies

One hint that HIMSS’s assumptions are skewed comes in the section of the survey that asked its respondents what motivated them to pursue greater security. The top motivation, at 76 percent, was a phishing attack (p. 6). In other words, what they noticed out in the field was not some technical breach but a social engineering attack on their staff. It was hard to interpret the text, but it appeared that the respondents had actually experienced these attacks. If so, it’s a reminder that your own staff is your first line of defense. It doesn’t matter how strong your encryption is if you give away your password.

It’s a long-held tenet of the security field that the most common source of breaches is internal: employees who were malicious themselves, or who mistakenly let intruders in through phishing attacks or other exploits. That’s why (you might notice) I don’t use the term “cybersecurity” in this article, even though it’s part of the title of the HIMSS report.

The security field has standardized ways of training staff to avoid scams. Explain to them the most common vectors of attack. Check that they’re creating strong passwords, where increased computing power is creating an escalating war (and the value of frequent password changes has been challenged). Best yet, use two-factor authentication, which may help you avoid the infuriating burden of passwords. Run mock phishing scams to test your users. Set up regular audits of access to sensitive data–a practice that HIMSS found among only 60% of respondents (p. 3). And give someone the job of actually checking the audit logs.

Why didn’t HIMSS ask about most of these practices? It began the project with a technology focus instead a human focus. We’ll take the reverse approach in the second part of this article.