
Healthcare Providers and Patients Deserve Better Security

Posted on June 1, 2015 | Written By

The following is a guest blog post by Anna Drachenberg, Founder and CEO of HIPAA Risk Management.
Anna Drachenberg

Our firm has been helping dentists and other healthcare providers with their HIPAA security compliance for several years. Based on our customers’ experience, many dentists lack healthcare IT partners who are committed to data security and HIPAA compliance. Unfortunately, this lack of commitment appears to be an epidemic across healthcare IT, and healthcare providers and patients need to demand a change.

In our recent alert, Dentrix Vulnerabilities and Mitigation for HIPAA Compliance, we described two major vulnerabilities we’ve had to assist our clients in mitigating in order to protect their patients’ data and comply with our clients’ HIPAA security policies. Our regulatory and data security experts were concerned, on behalf of our clients, with the way Henry Schein handled these two issues. More concerning, this seems to be a trend with many healthcare IT companies.

From the article, “In October 2012, it was reported to the Community Emergency Response Team (CERT) that all Dentrix G5 software was installed with hard-coded credentials to access the back-end database.” Pretty serious, right? The National Vulnerability Database gave this a severity score of 5.0 and an exploitability score of 10.0. In the CERT notification you can see that the vulnerability was credited to Justin Shafer, not the vendor, Henry Schein, and several months passed between the time the issue was reported (11/22/2012) and the time Henry Schein released a fix (2/13/2013). Read the linked article for more details on the fix Henry Schein provided.

In a time when most industries are embracing security and offering “bug bounties,” many in the healthcare IT industry are trying to ignore the problem and hope that their customers are ignoring it, too. Take the recent panic over hackers controlling airplanes. What did United Airlines do? It offered a bug bounty that pays out in airline miles that can be redeemed for free tickets. Most software and IT companies offer similar bug bounty programs and actively cooperate with independent security professionals. These companies know that every bug that is found before it is exploited can save millions of dollars and improve their product.

I’d like to challenge all of the blog readers today to find a healthcare IT vendor who has the same approach to security. For that matter, search the CERT vulnerability database or the National Vulnerability Database for any healthcare software or product you know, or for general terms like medical, hospital, or healthcare. Surprised at the lack of issues reported and fixed? Are we really supposed to believe that healthcare IT developers are superior to those in other industries?

Note: The only results in a search I did on 5/30/2015 of the National Vulnerability Database for “Epic” are vulnerabilities in the Epic Games Unreal Tournament Engine. It is good to know that my video game company cares about my data security.

Everyone who purchases, administers, and uses healthcare IT systems and software deserves vendors who are committed to security. Consider for a moment – the customers of these products are the responsible parties for ensuring the security of the data they put into these systems. Although the change to business associates under the HIPAA Omnibus Rule puts more liability on some of these vendors, the covered entity is still ultimately responsible and takes the hit to its reputation. Patients, the ones who experience harm when these systems are breached, have to rely on their doctors and other healthcare providers to ensure that the healthcare IT software and products are secure. I don’t know about you, but I really hope that my physician spent more time in medical school learning about medicine than he did about encryption.

It’s time for all of us in the healthcare industry to demand that our vendors have the same level of commitment to security as the healthcare providers who are their customers. It’s time for all of us as patients to demand that these vendors improve the security of the products used by our healthcare providers.

One last note. In our alert, we link to Dentrix’s notice on the type of “encryption” they offer on one of their products. From Dentrix’s article:

“Henry Schein introduced cryptographic technology in Dentrix version G5 to supplement a practice’s employee policies, physical safeguards and data security. Available only in Dentrix G5, we previously referred to this feature as encryption. Based on further review, we believe that referring to it as a data masking technique using cryptographic technology would be more appropriate. Regardless of what you call it…”

To your clients, it matters what the federal government “calls” it, and they don’t call it encryption.

About Anna Drachenberg
Anna Drachenberg has more than 20 years in the software development and healthcare regulatory fields, having held management positions at Pacificare Secure Horizons, Apex Learning and the Food and Drug Administration. Anna co-founded HRM Services, Inc., (hipaarisk.com) a data security and compliance company for healthcare. HRM offers online risk management software for HIPAA compliance and provides consulting services for covered entities and business associates. HRM has clients nationwide and also partners with IT providers, medical associations and insurance companies.

HIPAA Security and Compliance Thoughts from the Healthcare Cyber Security Summit

Posted on January 12, 2015 | Written By

The following is a guest blog post by Anna Drachenberg, Founder and CEO of HIPAA Risk Management.
Anna Drachenberg
It’s taken a while to collect our team’s thoughts, feedback and reactions to the SANS Institute Healthcare Cyber Security Summit 2014 held last month in San Francisco. The holidays, end-of-year, and beginning-of-the-year craziness played a part, but it also required several team discussions to produce a concise wrap-up of the event because it covered so many topics.

The healthcare community needs to get active in SANS Institute’s events and programs. SANS Institute was created in 1989 as a cooperative research and education organization. The organization is focused on information security for all industries. However, SANS needs industry participation in order for that industry to benefit from its research and information-sharing programs. Most of the SANS healthcare community is made up of IT executives and professionals who started in the financial sector and have moved to healthcare in the past couple of years at some of the largest organizations – Kaiser Permanente, Aetna, etc. It’s a great start, and the recent summit, while only in its second year, was a well-developed, well-organized event. But SANS needs more participation from different healthcare organizations, including smaller covered entities.

We asked the three members of our team who attended the conference to provide their top “take-aways” from the Summit.

“Stop focusing on compliance and start focusing on security”
This concept was repeated in several presentations, and for the most part, it is true. So many organizations and HIPAA Security Officers focus on whether or not they are in compliance with the regulation – documenting why they are not implementing an addressable standard like encryption – instead of securing the information that is at risk. That said, the presenters missed an important reality of healthcare information security: owners and management understand compliance; they don’t understand security. Until the healthcare community fears the cost of the breach more than the cost of a HIPAA fine, covered entities will spend money on “compliance” before they spend money on “security.” I would not recommend that a healthcare IT professional start his or her next presentation to the executive team with “Forget Compliance – Focus on Security!” any time soon.

“No one had a good answer when asked how small businesses could implement effective information security programs when most don’t even have a dedicated IT staff person”
Yes, our team asked several presenters and panelists how the majority of covered entities were supposed to implement the technology, tool and/or process being discussed when, according to Census.gov, 89% of healthcare businesses in the U.S. have fewer than 25 employees. The answers varied, from “use cloud technology,” from a cloud technology vendor, to “participate in the NH-ISAC,” from a board member of the National Health Information Sharing and Analysis Center. The most honest answer was from Rob Foster, Deputy Chief Information Officer and Acting Chief – Information Security, U.S. Dept. of Health and Human Services. Mr. Foster acknowledged that small covered entities would need to look outside their organization to consultants and other experts. We have to give the folks from HHS and ONC credit – they suffered many jabs at healthcare.gov, meaningful use and CMS with good humor and professionalism.

“Healthcare software and technology vendors are decades behind when it comes to security”
There was a panel of healthcare software and technology vendors from some of the most widely-used products, including McKesson and Siemens Healthcare. We were shocked at the level of self-congratulation these panelists displayed when they admitted that their software security initiatives were all less than five years old – some less than a year. They were seriously proud of the fact that they had implemented a formal software security process “last year.” There should have been a lot more heads hung in shame rather than pats on the back. Covered entities need to start demanding accountability from vendors on the security of their products, especially if they are entrusting their patient data to a cloud vendor. A business associate agreement is not enough – ask them specific questions about their risk analysis process, whether they’ve had a third party perform a penetration/vulnerability test on their software and infrastructure, and whether they have off-shore development teams.

“The healthcare community needs to get more involved with the information security community”
Jim Routh, CISO, Aetna & Board Member, NH-ISAC, used a common analogy about information security, “I don’t have to run faster than the bear; I just have to run faster than you.” The reality is that most covered entities don’t know that they are in the woods, not to mention the fact that they are supposed to be running from a bear. The healthcare industry is not the same as the financial industry and we need effective solutions to our industry’s problems. Until the healthcare industry commits to information security and is more active in the information security community, we aren’t going to get the same level of education, information and technology specific to our needs that is available to the financial industry.

In summary, the SANS Healthcare Cyber Security Summit was well worth the investment for our team; however, it highlighted a need for the healthcare industry to make information security a higher priority and get more involved in the information security community.

About Anna Drachenberg
Anna Drachenberg has more than 20 years in the software development and healthcare regulatory fields, having held management positions at Pacificare Secure Horizons, Apex Learning and the Food and Drug Administration. Anna co-founded HRM Services, Inc., (hipaarisk.com) a data security and compliance company for healthcare. HRM offers online risk management software for HIPAA compliance and provides consulting services for covered entities and business associates. HRM has clients nationwide and also partners with IT providers, medical associations and insurance companies. Anna is available via email at adrache@hipaarisk.com