Healthcare is sure to be a hot topic in 2015 in the United States as the long-delayed employer mandate kicks in. For most Americans, this will be the first time they are directly affected by the health care reform initiative.
A less noticed and less controversial aspect of health care reform is the government effort to promote the digitization of medical records. For most industries, the conversion of paper to bits and bytes was completed in the mid-1990s. According to AmericanMedical.com, by 2010 only about 22 percent of doctors and only 10 percent of hospitals nationwide had converted to digital patient records.
Easy access to a person’s healthcare data could have enormous benefits. Digitized data can provide easy access and sharing of information that is difficult or impossible with paper. Clearly, if you are brought unconscious into an emergency room you would want the doctors and staff to know everything about your medical history, what you are allergic to, what meds you are on, etc.
Just as clearly, there is potential for abuse and serious security concerns. Healthcare and medical records include personal information that hackers treasure: Social Security and payment information is prized for financial fraud. However, criminals also use medical information to target and exploit victims. A person in the early stages of Alzheimer’s and prone to confusion would be a prime target for fraud. Details about substance abuse or sexual issues can be blackmail material in some cases.
According to a 2013 study by the Ponemon Institute, a staggering 94% of healthcare organizations have experienced a data breach in the prior 2 years. Examples of medical-related breaches abound.
In a July 2014 regulatory filing, Community Health Systems (CHS), which operates over 200 hospitals in 28 states, disclosed that its computer network was compromised by a criminal cyber-attack it believes occurred in April and June of 2014. The breach is believed to have compromised sensitive patient identification information, leaving approximately 4.5 million patients and customers of CHS at risk of identity theft and financial fraud.
CHS and its forensic expert, Mandiant, believe the attacker was an “Advanced Persistent Threat” group originating from China. The attacker was able to bypass the company’s security measures and successfully copy and exfiltrate data outside the company.
In April of last year, the Utah Department of Technological Services reported that 780,000 Medicaid patient claims records were stolen by a hacker operating out of Eastern Europe. The breach was blamed on a misconfigured test server deployed with a weak password. In the same month it was reported that a former state employee in South Carolina had stolen 228,000 Medicaid participants’ personal data records. He was caught sending the data by email!
The remarkable thing about most data breaches is that they are utterly preventable. In a study last year by HIMSS Analytics and Kroll Advisory Solutions, health care data breach victims were asked what factors contributed to the breach:
- 45% cited a lack of staff attention;
- 31% cited the use of mobile devices to store health information; and
- 28% cited the sharing of health information with third parties.
These factors can be closely related. The lack of staff attention to the subject of data security can contribute to the misuse of mobile devices and unnecessary data sharing. The age of mobile computing and BYOD is challenging for all organizations and health care data is a particularly rich target. All it takes is a momentary lack of attention and a laptop can disappear. Just last week we learned that 4,000 patient records from the Oregon Health and Science University were compromised because a surgeon lost his laptop while on vacation.
According to a Verizon study in 2012, most data breaches occur because the victims did not take the basic and obvious steps to protect their data. All computers that connect to an organization’s network need to have antivirus scanning and a personal firewall. A significant problem is that many small and medium organizations simply do not view every “end point” computer and network device as a network computer. Retail operations do not apply antivirus and firewall protection to point of sale systems. I have no doubt that health care organizations are equally lax with the many new devices used in medicine that communicate across networks. They would be wise to take advantage of endpoint management software that manages security software and ensures updates are correctly applied.
Regardless of the industry, to protect endpoints and data from being breached, you should rely on Comodo software such as Endpoint Security Manager and SecureBox, engineered with the most advanced containerization and mobile threat management technologies that allow computers to operate safely in the most hostile threat environment.