Thank you for reading this article, the first in a three-part series on practical security for physicians.
In this first article, we’ll try to get you thinking like an attacker.
I hope to challenge you and would love to hear what you think.
My name is Danny Lieberman. My firm and I specialize in helping health tech and medical device companies harden their products with strong software security in order to prevent patient data breaches and comply with the HIPAA Security Rule. We’ve taken the lessons we’ve learned over the past 10 years and applied them to our latest venture, Pathcare, the private social network for doctors and patients. Pathcare is a minimalistic, easy-to-use application for private messaging and content sharing that helps make physicians as effective as possible in their patient relationships, reduce stress and improve trust.
Why should I care about patient data security?
The past 10 years have seen threats to patient data morph from loss of computer tapes, to trusted insider theft, to hacking and malware, which are now responsible for almost 80 percent of data breach events (according to the Verizon Business 2011 Data Breach Investigations Report). Data breaches often happen when data is sent to colleagues in other organizations: the transfer carries backdoors and keyloggers along the way and exposes patient data at both ends.
If you are a small to medium-sized provider, you are at risk.
Attacks on small to medium-sized private medical practices, nursing homes and local hospitals are on the rise.
If you run a small to medium-sized healthcare business (up to 500 employees is medium-sized) you can’t afford the information security management expertise of the big healthcare institutions. If you have to ask how much it costs, you can’t afford it.
Small to medium-sized medical practices use packaged software for CRM and EHR management. Off-the-shelf applications that run on Windows are particularly vulnerable, since they are often developed by low-cost, inexperienced .NET programmers without a secure software development methodology and using standard components with vulnerabilities that are well known to hackers and amenable to mass-produced, automated attacks.
Standard HIPAA compliance checklists from IT vendors also make life easy for attackers, since an attack can be mounted on the places that the standard doesn’t cover at all or doesn’t cover very well.
Which brings us to passwords.
Weak passwords, default passwords, stolen passwords and passwords on Post-its make walking off with your patient data a piece of cake for a hacker or trusted insider who wants to make a quick buck brokering patient data.
Then there is the issue of you and your people using your business password for adult sites, often a convenient and attractive vector for malware.
Are you drinking the security Kool-Aid that your IT vendor is selling?
You know the joke about the cement factory in Poland. Every day, a worker leaves the factory at closing time with a wheelbarrow of sand. After a month of this, the guard finally asks the worker, “I know you’re stealing something, I just can’t figure out what the heck it is.” The worker replies, “I’m stealing wheelbarrows.” That’s data loss: unauthorized transfer of patient data in broad daylight.
Don’t forget physical security.
Attacks on your patient data come from trusted insiders and criminals, and poor data handling practices make them easy.
Trusted insiders are your employees, your suppliers and your customers. An employee might be a programmer who was fired, or a customer service rep who sells patient data for the right price to a private investigator.
A supplier might be the DHL courier who flirts with the receptionist and walks out with a couple of notebooks in his bag, the night security guard who copies documents, or the programmer who copies your entire EHR data set to a flash drive.
People steal patient data because of anger and greed.
Emotions are a powerful motivator and anger at being terminated will cause a person to act quickly and irrationally. A supplier trying to collect money may view copying a file of patient data or billing data belonging to his customer as a way of “taking a hostage” that will ensure receipt of payment.
Employees are aware that data loss can be traced when they use their office line or cell phone, and may prefer alternative channels such as instant messaging or P2P that are readily available in most offices, yet cannot be traced or tapped with conventional network facilities.
With smartphones, tablets and high-capacity flash drives, stealing patient and billing data from a medical practice has never been easier.
Data governance policy: Do you have one?
Do you have an acceptable usage policy that your staff understands and has signed? More than 2 pages – and for sure, they don’t understand.
Do you have contingency plans for how to manage a situation when data is leaked?
Many businesses do not report data loss to law enforcement agencies out of fear of the negative publicity and of competitors taking advantage of the bad news.
Have you taken the time to estimate the cost of a patient data breach to your medical practice? When you consider the challenge of patient data protection, you must first gauge the damage to a valuable and hard-earned brand and not the risk touted by your IT vendor or consultant. Your value at risk may be much higher than you think.
2 Examples of patient data breaches
In order to understand how bad things happen to good people, consider the following 2 examples:
Data conversion – the speedy data conversion vendor
A healthcare provider outsourced the conversion and transfer of patient data from an old IT system to a brand-new EHR application.
Since the business was under a tight timetable to finish the conversion, the VP of information systems demanded that all the data conversion and custom programming work be done onsite. Haste often makes waste, and in the middle of the project the customer fired the supplier. The customer didn’t pay their bill, and one of the supplier’s developers thoughtfully took a backup of the entire patient data set on his iPhone on his last day on the job. Exposure to investors was on the order of $3 million and was resolved after time-consuming and costly legal intervention between the parties. Yes, the healthcare provider paid their bill.
The friendly P.I.
A large healthcare provider with over 4 million customers operates an off-site call center. Private investigators working divorce and custody (often celebrity cases) are seeking personal health information that will strengthen the case of their clients. They mingle and social-engineer data out of customer representatives on their breaks outside the building. On any given day, a file of personal data is leaked.
Data loss happens in your office and during normal business hours. When an attacker needs a username and password, she may deploy social engineering to get the information. When a business development executive decides to move on, he may copy his entire file of contacts in his last few hours at work to a disk-on-key device or over a secure VPN connection right under your nose.
In part II, we’ll suggest some best practices for protecting patient data and survey technology requirements for data loss monitoring.
In part III, we’ll review the current state of legal and statutory requirements in the US and in Europe and show how checklists are a minimum, but not necessarily a sufficient, requirement for patient data security.