Consumer apps are a new headache for IT security in healthcare organizations.
“Most of the companies developing these apps aren’t regulated by HIPAA, so we have to expect that the apps will be another attack vector for cyber criminals looking for ways to get into healthcare systems,” says Sensato CEO and cybersecurity expert John Gomez. “As with medical devices, we have to protect networks with the vulnerability of these external and mobile devices in mind.”
Healthcare organizations can’t, out of an abundance of cybersecurity caution, simply refuse to interface with consumer apps like Apple’s EHR, Kareo, MDLive, MyTeleMed or others.
Under guidance from the OCR (Office for Civil Rights) division of HHS (Department of Health and Human Services), patients have the right to access their own medical data. This reflects the medical record release regulations outlined by HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act).
This is a situation that has the AHA (American Hospital Association) sounding alarm bells.
So, how can a healthcare organization respect patients’ rights to access their own healthcare information while also staying in compliance with the security requirements outlined in HIPAA and HITECH?
It sounds like an impossible task, but there are a few key components of good cybersecurity hygiene that can help keep your network and electronic patient healthcare information protected:
Segmentation—creating secure, segmented networks can help you limit users, traffic, applications, and data flow to highly sensitive systems and patient information. This can help you catch a breach more quickly, and cut off all access to critical systems and information.
Encryption—encrypting data to protect patient medical records and personally identifiable information, using advanced methods like AES (advanced encryption standard), 3DES (triple data encryption standard), or Twofish.
Multi-factor Authentication—requiring user identity verification of at least 2 steps, preferably 3, may not be possible for all devices, but should be used as much as is possible without impacting patient care.
Honeypot—employing a honeypot with AI or machine learning capabilities turns the tables on attackers, cutting detection time, giving you a front row seat to the attacker’s activities, and allowing you to launch a counter-attack.
Planning—developing an incident response plan that includes a full inventory of everything that is on or connects to your network, top priority assets, response team and contact information, response protocols, and other guidelines is essential to minimize the time between breach detection and incident response.
Training—don’t ever forget your best defense: the walking, talking human “firewalls” who work for you. Train and drill for your worst possible day, so it won’t be.
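The encryption item above names AES as one of the methods for protecting stored patient records. The program below is an added example written for this page, not code from the article or from Sensato, showing what that looks like in practice: a constructed (not real) patient record is sealed with AES-256-GCM, which encrypts the record and also authenticates it, so a ciphertext that has been altered in storage, or moved from one record to another, is rejected on decryption rather than silently returning garbage. The record contents, the record-id string used as associated data, and the function names are all assumptions made for the example; it uses only the Go standard library. Generating the key in-process is also an assumption for illustration only; a real deployment would pull keys from a key management service or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record for the example; this is not real patient data.
const sampleRecord = `{"mrn":"000-CONSTRUCTED","name":"Example Patient","note":"example only"}`

// Associated data binds the ciphertext to a particular record identifier.
// It is authenticated but not encrypted. Constructed value for the example.
const sampleAAD = "record-id:000-CONSTRUCTED"

// newKey returns a fresh 256-bit AES key. Assumption for the example only:
// production systems obtain keys from a KMS or HSM, not from a per-call generator.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. Output layout: nonce || ciphertext || tag.
// A random 96-bit nonce is generated per call and stored in front of the ciphertext.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce already held in dst.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt opens a blob produced by Encrypt. Any change to the nonce, ciphertext,
// tag, or associated data makes Open return an error instead of plaintext.
func Decrypt(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short to contain a nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// RoundTrip encrypts the sample record, decrypts it, and then checks that both a
// bit-flipped ciphertext and a ciphertext presented under the wrong record id
// are rejected. It returns the recovered record and the two rejection results.
func RoundTrip() (recovered string, tamperRejected, wrongRecordRejected bool, err error) {
	key, err := newKey()
	if err != nil {
		return "", false, false, err
	}
	aad := []byte(sampleAAD)
	sealed, err := Encrypt(key, []byte(sampleRecord), aad)
	if err != nil {
		return "", false, false, err
	}
	plain, err := Decrypt(key, sealed, aad)
	if err != nil {
		return "", false, false, err
	}

	// Flip one bit in the stored blob (here, in the authentication tag).
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, tamperErr := Decrypt(key, tampered, aad)

	// Present the untouched blob as if it belonged to a different record.
	_, aadErr := Decrypt(key, sealed, []byte("record-id:OTHER-CONSTRUCTED"))

	return string(plain), tamperErr != nil, aadErr != nil, nil
}

func main() {
	plain, tamperRejected, wrongRecordRejected, err := RoundTrip()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("recovered record:", plain)
	fmt.Println("tampered ciphertext rejected:", tamperRejected)
	fmt.Println("ciphertext under wrong record id rejected:", wrongRecordRejected)
}
```

The design point the example makes is that "encrypting the data" on its own is not the whole control: an unauthenticated mode would decrypt a corrupted or swapped record to plausible-looking bytes, whereas GCM's tag turns tampering into a hard failure that an application can log and alert on. The per-record nonce must never be reused with the same key, which is why it is generated fresh and stored alongside the ciphertext.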
The fallout of an attack on a healthcare organization can range from inconvenient and expensive to catastrophic and unrecoverable. An organization may face hefty fines and even legal action if HIPAA and HITECH regulations weren’t being followed.
Connected medical devices like insulin pumps and pacemakers were already known attack vectors for cyber criminals looking to get into healthcare organization networks.
Symantec found a 600 percent increase in attacks on IoT devices in 2017—and noted that mobile devices are fast becoming higher risk.
Healthcare organizations already know, and should expect, that they will face a barrage of attacks. In 2017, there was an average of nearly 32,000 intrusion attacks per day per organization. Companies in other sectors averaged 14,300.
Now add in the dizzying number of health apps available today—more than 300,000—and the enormity of the problem becomes staggering.
While companies like Apple provide excellent encryption, there are no HIPAA-type regulations on healthcare apps. That’s why the June 2018 HIMSS Healthcare and Cross-sector Cybersecurity Report warns that APIs (application programming interfaces) will be exploited by attackers to gain access to healthcare systems.
Yet, spending in the healthcare sector on cybersecurity languishes at about 6 percent of IT budgets, or even lower, according to Ponemon Institute. That’s about half of what organizations in other highly regulated sectors like banking and finance currently allocate for cybersecurity.
HIPAA: The Health Insurance Portability and Accountability Act of 1996 required the Secretary of HHS (the U.S. Department of Health and Human Services) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.
The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ e-PHI (electronic protected health information).
Within HHS, the OCR (Office for Civil Rights) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.
HITECH: The Health Information Technology for Economic and Clinical Health Act of 2009 incentivized providers to adopt EHR (electronic health record) systems. HITECH also expanded security and compliance requirements, allowing HHS to expand its enforcement of HIPAA requirements with the aim of increasing provider vigilance and consumer confidence in how patient data is handled and secured.