Headlines about Target, Home Depot, and, of course, the mother of all data breaches, Sony Pictures, have drawn unprecedented attention to cybersecurity. Yet, the risks extend far beyond those organizations. Healthcare providers also are increasingly vulnerable to internal breaches or hackers bent on stealing personal health information. Experian’s 2015 Data Breach Industry Forecast projects an increase in healthcare breaches in the coming year. Driving that projected increase is the growing number of EMRs as well as the explosion of health- or fitness-related wearable devices that make sensitive and personal health information increasingly vulnerable.
Compiled by Scott Westcott, Contributing Writer
Health data is becoming a prime target for cybercriminals, and these healthcare providers are stepping up security efforts in response. Are you doing all you can to protect yourself from a data breach?
Providers are battling back with advancing technology, increased awareness, and continual education of staffers and consumers in an attempt to stay a step ahead of the hackers and tighten internal security. Three healthcare professionals who are focused on this challenge recently shared the steps they are taking to keep personal health information secure.
Q: What is your biggest challenge related to securing PHI?
Massengill: As a nonprofit rural health center serving approximately 12,000 patients, we do not have the in-house expertise to address the issues of securing PHI. We have chosen to align ourselves with partners who have the expertise to provide the services for us. Those partners are the company we contract with to provide our IT services and maintain our internal network. We have chosen not to host our EMR on-site and have selected a company with the expertise and sophistication to host our EMR and patient data, and make sure that it meets regulatory requirements.
Conway: The biggest challenge is the need for systems and data to be usable, accessible, and secure. Our users must be able to access their data from many different locations and on an ever-growing number of devices. It is a challenge to both identify PHI across all forms of access and then provide the data to our customers in a useable and secure method.
Q: What steps do you take to regularly assess data vulnerabilities?
Massengill: Our IT vendor monitors our internal network to assure that all of our computers are updated with current antivirus software and updates. We also have recently added a new firewall, which is also monitored by our IT vendor. We assure that all employees are removed from our network immediately after they leave our employment. We have replaced any computers that used Windows XP to assure that all of our hardware has current Windows updates.
Conway: We conduct vulnerability scans and internal audits. We also rely on intrusion detection systems (IDS), intrusion prevention systems (IPS), as well as new tools and methods regarding data loss prevention (DLP).
Kadrich: Part of the risk analysis needs to be an understanding of how PHI is made available to people and devices. A huge problem today is that many EHRs make it entirely too easy to access and upload this sensitive data. Providers need to add controls to their network to manage how PHI migrates off the EHR.
Q: What vulnerabilities have you uncovered and addressed as a result of these risk assessments?
Massengill: We had a piece of critical equipment running Windows XP that we replaced so all of our equipment is now capable of receiving Microsoft updates.
Conway: We prefer not to comment on specific vulnerabilities. Any results gleaned from our various tools or risk assessments that are done aid us in prioritizing risk. From there, we will direct resources or spin up projects to address risks to our organization.
Q: According to HHS data, more than 30 percent of health data breach activity to date is the result of lost or stolen laptops or other portable devices. What steps have you taken to address this threat?
Massengill: We use tablets as a part of our EMR, but no patient data is stored on the tablets. All patient data is stored on an off-site server. This includes the patient clinical data and their patient demographics/insurance data.
Conway: Several years ago, we had a big push to encrypt our devices — laptops, desktops, tablets, etc. As a result of this effort, we developed a process to ensure all machines are encrypted prior to deployment and maintain a 99.8 percent encryption rate across more than 25,000 devices. This extended to our portable devices, and only approved USB devices utilizing hardware encryption are writeable.
Kadrich: Device encryption is a must, but it is not a magic bullet. It’s also important to add better security controls, such as RFID or source tags, to laptops or mobile devices to gain insight into when these devices leave the hospital. LoJack-type technology can also alert you to when an unauthorized user tries to break into a computer. Kill switches are also recommended. This technology can sense when a computer is no longer on an authorized network and be programmed to automatically wipe any sensitive data off the device when out of range.
Q: What steps have you taken to limit exposure of data due to internal/employee theft due to inappropriate access controls?
Massengill: All of our tablets are stored at the end of the day in a secured area. Staff is given access to certain types of data based on their job description and need to know. All staff undergo a criminal background check before being hired.
Conway: We utilize a leading privacy-breach detection suite. This tool set allows us to monitor our applications for access to patient records and data. It also provides smart data mining for varying aspects of patient information.
Q: What steps do you take to protect your data from external threats like hackers? Why have your efforts been effective?
Massengill: We have replaced some older computers. Our IT partner pushes out updates and patches for our system on a weekly basis. They monitor for any viruses or attempts to hack into our network. We have a new firewall that protects our local network. The company that hosts our EMR and patient data has mechanisms in place to make sure our patient data is secure and backed up in another location.
Conway: We’ve taken several steps that have helped us protect data from external threats. Some of those steps include IDS, IDP, email analysis and filters, multifactor authentication across access methods, and next-gen firewalls that perform deep packet inspection and can apply rules based on application rather than just port.
Kadrich: Security architecture is really the key. Most healthcare providers have many security technologies in place including intrusion detection systems, firewalls, log analysis, intelligence and reputation monitoring, risk analysis, and more. However, there’s often a lack of a cohesive architecture to tie all of these technologies together and produce a meaningful result. In the end, we want our security technologies to tell us when something bad is happening, where it is happening, and how fast it is happening. Enforcing standards is a huge part of creating this cohesive architecture.
Q: How does the cloud play into your security efforts (if at all)?
Massengill: The cloud allows a small company like Benson Area Medical Center to have all of the data security resources of a larger company with a strong internal IT infrastructure of both staff and technology. There are economies of scale in using a cloud-based solution such as having access to more technically trained consultants and engineers and having redundant backup in a second off-site location. The cost of storing our data offsite and providing the security and necessary technical expertise needed would be cost-prohibitive.
Conway: We do have a couple of cloud services, but not for our main medical systems. Our EMR is in-house as are all of our medical applications. The cloud-based solutions that we use are more geared to email filtering.
Q: What advice do you have for other healthcare providers when it comes to PHI security?
Massengill: Your business is providing primary healthcare to patients. It probably is not in the IT field. Find IT partners that can support your operations and the IT infrastructure that you need both today and will need in the future to make sure you are adequately protected against the loss of PHI.
Conway: Information security is not reactionary. If you want to secure your PHI, be proactive, and be diligent.