Thursday, March 5, 2015

How Much Security is Secure?

The recent data breach at healthcare insurer Anthem whereby close to 80 million records were
compromised has brought the security and privacy of patient health information back to the forefront. Healthcare providers and affiliated organizations seem to be the next target for hackers, the reason being that they appear to be relatively easy targets, and in many cases don’t have the comprehensive security mechanisms that the financial institutions and e-commerce sites have learned to put in place.
Medical records are very valuable as they can easily be used by another person to create an account, for example at a bank, get access to existing accounts, and perform many other actions that can provide cash by using false identities. These hacking incidents can be very lucrative for hackers; knowing that a complete person-record might fetch between five and ten US dollars, stealing 100,000 records could fetch between $500,000 and $1 million US dollars.

How does the healthcare industry deal with this? The answer is that you put as much deterrent in place as practical, affordable and feasible, without impacting patient care. Any security expert will agree that it is virtually impossible to have a 100 percent secure system, but if you make it relatively hard, the potential hacker will search for an easier target and move on. By the way, security is not rocket science but more common sense than anything else.

A key part of security includes using passwords that are not being shared, hard to decipher and have a combination of characters, letters and special characters. If you go to the site “how secure is my password” you can actually see that the pw “123456” can almost instantly be cracked. By the way, this particular password happens to be in the top three used passwords, together with “password” and “12345.” But if you look at the list of common passwords, you’ll find that “baseball, football, monkey, batman superman and even Michael” are all in the top 25. This information is based on the statistics done of stolen passwords that were made public. Needless to say, there is a lot that can be improved in this area.

In addition, the use of firewalls, a DMZ, intrusions detection at your external gateways, use of VLAN’s for vendor access, VPN’s for external connections, shutting down unused ports, and other commonly known practices are a must. The use of a centrally managed virus protection is critical as well. This goes hand in hand with policies about the use of external media such as flash drives, which are notorious for transmitting viruses, and opening email attachments and downloading Internet spam.

The overriding concern however should always be the impact on patient care. There should be a balance between the means and tools that are needed by clinicians and what is allowed by what many people call the “IT mafia.” I actually believe that for every institution that hasn’t done its due diligence with regard to protecting patient privacy and security, there is at least one that goes too far. I personally have had a few experiences in that regard, In one instance, I wanted to provide support to a service engineer on another continent, we had set up an agreed upon time, and at the time that we were supposed to have the call we found that the IT department of the far institution did not allow users to connect to Skype. Another example, was when I saw my specialist, and I had brought my ultrasound exam on a CD, while specifically requesting a DICOM CD without a viewer from the imaging center (to avoid having them putting some proprietary images on there that could only be viewed on their own viewer). So, for this “clean” CD to be read by the specialist, he needed a DICOM viewer to be installed on his PC. I instructed him where to find one on the Internet, but his PC was locked down by his IT department and therefore he could not review my case. I learned that next time I will bring my own laptop for him to review my case, but this was definitely impacting patient care at the time of my appointment.

What to do next? As required by the US federal privacy regulation Health Insurance Portability and Accountability Act (HIPAA), a comprehensive risk analysis is definitely in order. This should be done at least once a year, and it might make sense to use an outside consultant for this. This audit should include all of the HIPAA items, such as physical security, policies and procedures, and technical means such as encryption, access, authorization, password usage or misuse, etc. You might come to the conclusion that there are more areas of patient information than you might be aware of, for example, on discarded computers, on the disks on intelligent copiers and fax machines, etc.

This analysis will identify weak spots and things to fix and monitor. Put an action plan in place to fix them and continue to provide patient care unhampered by extreme security measures but by policies, procedures and technical means that are pragmatic and make common sense.