Is DEFCON 1 the new normal for Healthcare?

I remember when I first heard the phrase DEFCON 1 (in the 80s movie WarGames). These days, applying that term to healthcare seems relevant given all of the issues surrounding privacy and security. Continuing from my post last week, it brought to mind that providers may be getting increasingly frustrated about how much they have had to deal with over the last few years, and how much more they need to focus on security than they did in the past, following their clinical application implementations and the new HIPAA Omnibus regulations. Recognizing that healthcare IT leaders these days have somewhat limited authority but an enormous amount of accountability, it’s difficult to see why many would want to take that position.

A healthcare IT leader has to think about so many situations, such as how to encrypt every device, how to manage and secure data integrity, and how to develop multi-layered defenses for the clinical and operational applications that a provider now has to manage. What about protecting the data center from internal and external attacks?

Will we ever be perfect? With the new issues around Internet Explorer (I’m updating the blog using Chrome, by the way), security continues to dominate the healthcare headlines. Add to this the continued use of Windows XP by many provider organizations after Microsoft said it would discontinue support for the operating system after April 2014.

What do we do? Is this the new normal? Dr. John Halamka of Harvard Medical & Beth Israel, in a recent interview with Healthcare IT News at HIMSS 14, discussed this (while mentioning that he had 14 different work streams in his privacy and security efforts), along with the need for access based on what you do rather than who you are, and said that there will now always be some vendor announcing a new vulnerability that everyone needs to watch out for.

Information security officers will need generals defending their provider fortress. With more devices reachable through technologies like Bluetooth, and the possibility of a rogue employee walking through a facility wreaking havoc and changing patients’ information, there has never been a greater need for solid, fortress-like defenses. All this while providers try to have better, more meaningful engagement with their patient population!

But then again folks, we’re just getting started…


The Rise and Fall (and possible Renaissance) of Healthcare Information Security

The healthcare IT headlines have been screaming about the lapses and dysfunction of information security. The reported data breach at UPMC, the reported breach at Cottage Health System last year, the news from Healthcare IT News that “Nashville, TN based Cogent Healthcare also recently reported an incident when a site the organization was using to store patient data had its firewall down, that exposed the PHI of approximately 32,000 patients,” and the recent attack on Boston Children’s Hospital, reportedly by the group known as Anonymous, have brought to the forefront the need for a better defense strategy for healthcare’s security infrastructure, protocols and policies across the spectrum.

How many provider CEOs, CIOs, CFOs and VPs of Medical Records think about their organization’s plans for organizational continuity if they should have to defend against hackers or update their infrastructure? How many know of the ability to wipe data off a remote tablet or device? The physicians all want these lighter, “easier to use” devices that help them enter their clinical notes faster and let them see their 30 to 40 patients a day (depending on the physician) without lugging around a heavy laptop all day.

I’m sure that not many had really thought about a renowned hacker group trying to break into and access the medical records of a children’s hospital (until now). I’m quite sure that when sitting in a board room discussing the investment of time and organizational resources to defend against these possible situations, while the matter is taken with the utmost seriousness, the prevailing attitude is “this won’t happen to us.”

Well, it can and it will in this new cyber age. A Healthcare IT News article mentioned that Verizon reported that the majority of data breaches were from the theft or loss of unencrypted devices. Do we need to take healthcare information encryption to a whole new level?

In addition, is two-factor authentication enough, or do we need to start thinking about multi-factor authentication? When deploying the infrastructure for a healthcare provider in our region, we focused on tap badges and the deployment of tap badge readers rather than fingerprint scans as part of the two-factor authentication (something you have, e.g. a badge, and something you know, e.g. a password) stipulated by the Ohio Board of Pharmacy requirement. Maybe the time is right to think about a third factor (something that the user is: add their fingerprint or retina scan… yes, I know, we’re getting into the sci-fi realm here). All this will take time to finally get implemented, and as the costs of security and defense of systems mount, so will the costs associated with our healthcare. Ohio, for instance, has probably spent close to a billion dollars, taking into account all of the healthcare providers in the state and their implementations of EHR and the supporting infrastructure to run it appropriately over the last few years. This investment will take years to achieve its ROI. Imagine if we now need to start thinking about further securing our healthcare information and needing new standards for that? Will this kill any push towards the cloud?
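As an added illustration (not part of the original post) of the factor categories described above, the following Python check counts only credentials from distinct categories, so a badge plus a password is two-factor while a password plus a PIN is not. The credential types, enrolled values and PBKDF2 parameters are constructed for the example.

```python
# Added example, not from the blog post: an authentication policy check that
# counts only credentials from distinct factor categories (something you
# know / have / are). Credential names and stored values are constructed.
import hashlib
import hmac
import os
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Hypothetical credential types and the factor category each belongs to.
# Real biometric templates are not matched by hashing; "fingerprint" is
# listed only to show the third category from the post.
CATEGORY_OF = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "tap_badge": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
}


def _hash(secret: str, salt: bytes) -> bytes:
    # PBKDF2 so stored verifiers are not raw secrets (constructed parameters).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def enroll(credentials: dict) -> dict:
    """Store a salted hash for each of the user's enrolled credential values."""
    store = {}
    for kind, value in credentials.items():
        salt = os.urandom(16)
        store[kind] = (salt, _hash(value, salt))
    return store


def verify_factors(store: dict, presented: dict) -> set:
    """Return the set of factor categories actually verified in this attempt."""
    verified = set()
    for kind, value in presented.items():
        if kind not in store or kind not in CATEGORY_OF:
            continue  # unknown or un-enrolled credential: counts for nothing
        salt, expected = store[kind]
        if hmac.compare_digest(_hash(value, salt), expected):
            verified.add(CATEGORY_OF[kind])
    return verified


def login_allowed(store: dict, presented: dict, required_factors: int = 2) -> bool:
    """Allow only when verified credentials span enough distinct categories."""
    return len(verify_factors(store, presented)) >= required_factors
```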

While organizations like Microsoft thought this through and primed themselves for this wave when they acquired PhoneFactor in 2012, this latest wave of breaches, penalties and attacks on healthcare infrastructure will surely make more than a few sit up and take notice, not only of the opportunity to improve in an insightful and cost-effective way, but to continue prioritizing patient safety through security. With HIPAA notification requirements having become more stringent as of the fall of 2013, care delivery organizations should seriously plan dress rehearsals or “fire drills” to prepare for a new age of information defense. Where’s an “ethical hacker” when you need one?