Health IT adoption, bolstered by federal funding, has expanded greatly in the past few years. But the outstanding question is whether or not there has been enough focus on securing all of this data that hospitals and other providers are creating.
The recent breach of 4.5 million medical records from Community Health Systems has, once again, turned the focus toward hospital data security. But that was the tip of the iceberg.
Healthcare topped the Identity Theft Resource Center's list of data breaches for the first time in 2013. Not including the Community Health breach, the U.S. Department of Health and Human Services estimates that more than 30 million people have been affected by medical record breaches, most of which were due to theft.
This is mainly because the information in that data is so valuable. Records hold Social Security numbers and other personal information which can be used for identity theft. They can also be used to get care and prescription medication. The records often sell for $50 each on the black market.
The cost of breaches to the healthcare industry is estimated to be in the billions, but according to a 2013 study, only about 69% of organizations have a breach plan in place.
Thieves are clearly finding ways to get to this data that is loaded with valuable patient information. But there are ways to keep hackers out, says Sean Curran, director of technology infrastructure and operations at the consulting firm West Monroe Partners.
Tricks of the trade
1. Have a security professional embedded in your organization, Curran advises providers. It is not enough to just have a chief information officer anymore. A person in-house can monitor the changing IT landscape and plan ways to resolve its issues.
2. Have a continuous program to monitor risk instead of a simple annual scan. Think of it this way, Curran says: If someone has a fence around a perimeter, they walk that fence in daily shifts, searching for problems. Health IT should be no different.
3. Monitor your "kill chain": the places where hackers can get in need to be identified and fixed. In the case of the recent Community Health Systems breach, passwords were captured and used to get into the virtual connection of the hospitals. Passwords, according to Curran, are quickly becoming health IT's weakest link. A simple solution is to have two types of authentication, which is now required in the banking sector.
4. Work with people in other industries instead of only those in the healthcare silo. According to Curran, what is happening in healthcare is similar to what happened in banking and years ago. While other sectors may not understand the intricacies of hospitals as well, they might have more security experience than people in the health IT field do.
The importance of investment
"The reality is that organizations are still struggling to understand what is necessary to protect against breaches," said Curran. "In healthcare, if they have $1 million to spend, where would they rather spend it—patient health or infrastructure? Patients are the focus of the organizations and I don't blame them."
But organizations have to make an investment in their security. Banking used to be the most-targeted sector for hackers, but after years of increased security implementation, there are fewer bank robberies.
"A large part of whether or not an industry is a focus is if there is a deterrent," Curran said. "How hard is it to get in and what is the reward? If the softer target is health IT with a high reward, we are going to see breaches."
Much of the government funding for health IT has targeted implementation, so that has understandably been the focus for many organizations. Curran said hospitals and other providers now need to turn their focus to security. And it's not a one-off project but a never-ending process: Because hackers are getting more sophisticated, providers will need to as well.