12/18/2012
11:14 AM

Encryption Shortfalls Plague Healthcare Industry

Health Information Management and Systems Society report focuses on securing personal patient data, which providers must address in Meaningful Use Stage 2.

Health Data Security: Tips And Tools
Healthcare providers should start paying more attention to encryption of personal health information (PHI), says a new report from the Health Information Management and Systems Society (HIMSS). This is not only because of the proliferation of smartphones and other mobile devices, but also because of a provision in the Meaningful Use Stage 2 rule that mentions encryption.

As in MU Stage 1, providers must conduct a security risk analysis. But now they must also "address" the encryption of data stored in their certified EHRs. That doesn't mean they have to encrypt the information on all end-user devices, but they must "implement security updates as necessary and correct identified security deficiencies," the Meaningful Use rule says. So if they don't use encryption, they must document their reasons and explain what alternative security methods they're using, according to the HIMSS paper.

Lisa Gallagher, senior director, privacy and security, for HIMSS, told InformationWeek Healthcare that the Meaningful Use Stage 2 rule's stance on this issue is similar to the requirement in the HIPAA Security Rule of 2003. "By and large, that [HIPAA] requirement has been ignored," she said, perhaps because some providers thought encryption was too difficult. But with the rise of mobile devices and the storage of PHI on many of these devices, she pointed out, it is no longer possible to ignore this regulation.


"HHS [the Department of Health and Human Services] noticed that 35%-40% of the breaches being reported were a direct result of a lost or stolen portable or mobile device," Gallagher noted. "In HHS' view, because the data is not encrypted, that's a breach. If the data had been encrypted, that would mean that it wasn't a breach. So the action of encrypting data on a portable or mobile device is a 'safe harbor' from having to report lost data on a device to HHS."

If that isn't enough to spur hospitals and physician practices into action, she added, they must also attest that they have done a security review and have addressed encryption if they want to show Meaningful Use to obtain EHR incentives. "So HHS is using a policy lever to increase the use of encryption."

The HIMSS report notes that the average cost of a lost or stolen record to a healthcare organization is over $200. "So for a breach of 200 records, the impact to the organization of a single lost or stolen laptop is likely to be over $40,000." And that doesn't include legal and regulatory impacts, including potential fines.

Given the severity of the consequences, why don't more healthcare organizations encrypt all their data? "Anecdotally, it's the cost of encryption technology and also a lack of ability to implement it," Gallagher explained. "Many smaller physician offices and community hospitals don't have anyone on staff who knows how to load the software and encrypt data on the network and on portable devices. And until recently, there was no push for it. It was easy to say, 'it's too expensive or too hard.'"

The encryption that comes with Microsoft Windows operating systems is inadequate, partly because smartphones have three different operating platforms, Gallagher pointed out. Moreover, she said, "Two of the three [mobile phone] design centers don't make it especially easy for you."

The best solution would be to avoid having any PHI on end-user devices, she said. But the technical fixes that have been tried so far are far from perfect; for example, many clinicians have problems with virtualized desktop applications that are not well adapted to mobile devices. But Gallagher expressed confidence that vendors will find better solutions if providers demand it.

Meanwhile, encryption is better than the alternatives that are listed in the HIMSS report, such as physical controls, administrative controls, having staff members sign legal agreements, or educating them on the need to protect PHI. But electronic records are not the only data that needs to be safeguarded. Today, copiers, printers, fax machines, digital cameras, and medical devices all store data, too, and represent opportunities for security breaches, the report observes.

Gallagher acknowledges that there's a growing awareness of these chinks in the security armor and attempts to address them, although she notes that "we don't see a whole lot of breaches there." Medical devices, which are increasingly interconnected with EHRs, are an especially complex area. One reason is that medical devices are regulated by the Food and Drug Administration (FDA), which is looking at the security issue from its own angle.


Comments
Ruby Raley,
User Rank: Apprentice
1/2/2013 | 11:19:21 PM
re: Encryption Shortfalls Plague Healthcare Industry
HIPAA regulations have been ignored because some providers think the encryption is too complex. However, by implementing HIPAA regulations and conducting a security risk analysis (the latter being a key component of Meaningful Use Stage 2 requirements), you will help to prevent hackers from leaking your organization's private information; empower your organization to run more efficiently; effectively manage your organization's internal and external information exchanges; monitor vulnerabilities; and avoid the financial liabilities of a data breach.

--Ruby Raley, Director of Healthcare Solutions, Axway
jaysimmons,
User Rank: Apprentice
12/26/2012 | 3:41:16 AM
re: Encryption Shortfalls Plague Healthcare Industry
Encryption will play an important part in securing patient education, but as the report states, alternatives such as physical controls, administrative controls, legal agreements and education for those in contact with PHI should also be implemented. It's not enough to simply encrypt data if there are still other vulnerabilities. Anyone that is looking to breach security and gather data will do so by the easiest entry.

Jay Simmons
Information Week Contributor
PJS880,
User Rank: Ninja
12/24/2012 | 5:08:43 AM
re: Encryption Shortfalls Plague Healthcare Industry
A very simple fix of simply encrypting the data, and another fine example of an easy security feature that is not utilized enough. Especially when you are talking about data as sensitive as a person's medical records. Those could be as potentially dangerous as your social security number, if one was to manipulate the prescription drug industry. It is obvious that they have done their research, right down to finding the cost of what a potential loss could cost them. So they are aware; are they currently doing anything to encrypt the data?

Paul Sprague
InformationWeek Contributor
Tina Stewart,
User Rank: Apprentice
12/20/2012 | 1:35:36 AM
re: Encryption Shortfalls Plague Healthcare Industry
Ken, with an unprecedented volume of sensitive and regulated PHI and PII proliferating across data center, virtual, cloud and mobile environments, it's not surprising that the new HIMSS MU Stage 2 rule prescribes that organizations "address" the encryption of data stored in their certified EHRs. Beyond compliance, encryption provides Safe Harbor from reporting data breaches, which can cost up to $200 per record plus fines and brand damage. For resources on using encryption in healthcare see: http://enterprise-encryption.v... @SocialTIS