12/18/2012 11:14 AM

Encryption Shortfalls Plague Healthcare Industry

Health Information Management and Systems Society report focuses on securing personal patient data, which providers must address in Meaningful Use Stage 2.

[Slideshow: Health Data Security: Tips And Tools]
Healthcare providers should start paying more attention to encryption of personal health information (PHI), says a new report from the Health Information Management and Systems Society (HIMSS). This is not only because of the proliferation of smartphones and other mobile devices, but also because of a provision in the Meaningful Use Stage 2 rule that mentions encryption.

As in MU Stage 1, providers must conduct a security risk analysis. But now they must also "address" the encryption of data stored in their certified EHRs. That doesn't mean they have to encrypt the information on all end-user devices, but they must "implement security updates as necessary and correct identified security deficiencies," the Meaningful Use rule says. So if they don't use encryption, they must document their reasons and explain what alternative security methods they're using, according to the HIMSS paper.

Lisa Gallagher, senior director, privacy and security, for HIMSS, told InformationWeek Healthcare that the Meaningful Use Stage 2 rule's stance on this issue is similar to the requirement in the HIPAA Security Rule of 2003. "By and large, that [HIPAA] requirement has been ignored," she said, perhaps because some providers thought encryption was too difficult. But with the rise of mobile devices and the storage of PHI on many of these devices, she pointed out, it is no longer possible to ignore this regulation.

"HHS [the Department of Health and Human Services] noticed that 35%-40% of the breaches being reported were a direct result of a lost or stolen portable or mobile device," Gallagher noted. "In HHS' view, because the data is not encrypted, that's a breach. If the data had been encrypted, that would mean that it wasn't a breach. So the action of encrypting data on a portable or mobile device is a 'safe harbor' from having to report lost data on a device to HHS."

If that isn't enough to spur hospitals and physician practices into action, she added, they must also attest that they have done a security review and have addressed encryption if they want to show Meaningful Use to obtain EHR incentives. "So HHS is using a policy lever to increase the use of encryption."

The HIMSS report notes that the average cost of a lost or stolen record to a healthcare organization is over $200. "So for a breach of 200 records, the impact to the organization of a single lost or stolen laptop is likely to be over $40,000." And that doesn't include legal and regulatory impacts, including potential fines.

Given the severity of the consequences, why don't more healthcare organizations encrypt all their data? "Anecdotally, it's the cost of encryption technology and also a lack of ability to implement it," Gallagher explained. "Many smaller physician offices and community hospitals don't have anyone on staff who knows how to load the software and encrypt data on the network and on portable devices. And until recently, there was no push for it. It was easy to say, 'it's too expensive or too hard.'"

The encryption that comes with Microsoft Windows operating systems is inadequate, partly because smartphones have three different operating platforms, Gallagher pointed out. Moreover, she said, "Two of the three [mobile phone] design centers don't make it especially easy for you."

The best solution would be to avoid having any PHI on end-user devices, she said. But the technical fixes that have been tried so far are far from perfect; for example, many clinicians have problems with virtualized desktop applications that are not well adapted to mobile devices. But Gallagher expressed confidence that vendors will find better solutions if providers demand it.

Meanwhile, encryption is better than the alternatives that are listed in the HIMSS report, such as physical controls, administrative controls, having staff members sign legal agreements, or educating them on the need to protect PHI. But electronic records are not the only data that needs to be safeguarded. Today, copiers, printers, fax machines, digital cameras, and medical devices all store data, too, and represent opportunities for security breaches, the report observes.

Gallagher acknowledges that there's a growing awareness of these chinks in the security armor and attempts to address them, although she notes that "we don't see a whole lot of breaches there." Medical devices, which are increasingly interconnected with EHRs, are an especially complex area. One reason is that medical devices are regulated by the Food and Drug Administration (FDA), which is looking at the security issue from its own angle.

Comments
Ruby Raley, User Rank: Apprentice
1/2/2013 | 11:19:21 PM
re: Encryption Shortfalls Plague Healthcare Industry
HIPAA regulations have been ignored because some providers think the encryption is too complex. However, by implementing HIPAA regulations and conducting a security risk analysis (the latter being a key component of Meaningful Use Stage 2 requirements), you will help to prevent hackers from leaking your organization's private information; empower your organization to run more efficiently; effectively manage your organization's internal and external information exchanges; monitor vulnerabilities; and avoid the financial liabilities of a data breach.

--Ruby Raley, Director of Healthcare Solutions, Axway
jaysimmons, User Rank: Apprentice
12/26/2012 | 3:41:16 AM
re: Encryption Shortfalls Plague Healthcare Industry
Encryption will play an important part in securing patient education, but as the report states, alternatives such as physical controls, administrative controls, legal agreements and education for those in contact with PHI should also be implemented. It's not enough to simply encrypt data if there are still other vulnerabilities. Anyone that is looking to breach security and gather data will do so by the easiest entry.

Jay Simmons
Information Week Contributor
PJS880, User Rank: Ninja
12/24/2012 | 5:08:43 AM
re: Encryption Shortfalls Plague Healthcare Industry
A very simple fix of simply encrypting the data and another fine example of an easy security feature that is not utilized enough. Especially when you are talking about data as sensitive as a person's medical records. Those could be as potentially dangerous as your social security number, if one was to manipulate the prescription drug industry. It is obvious that they have done their research right down to finding the cost of what a potential loss could cost them. So they are aware; are they currently doing anything to encrypt the data?

Paul Sprague
InformationWeek Contributor
Tina Stewart, User Rank: Apprentice
12/20/2012 | 1:35:36 AM
re: Encryption Shortfalls Plague Healthcare Industry
Ken, with an unprecedented volume of sensitive and regulated PHI and PII proliferating across data center, virtual, cloud and mobile environments, it's not surprising that the new HIMSS MU Stage 2 rule prescribes that organizations "address" the encryption of data stored in their certified EHRs. Beyond compliance, encryption provides Safe Harbor from reporting data breaches, which can cost up to $200 per record plus fines and brand damage. For resources on using encryption in healthcare see: http://enterprise-encryption.v... @SocialTIS