As we reported recently in this blog, the new HITECH privacy and security update to HIPAA has just been released. This new baseline for handling health information mandates stronger security – along with tougher audits and stronger penalties – for healthcare providers and their third-party partners.
Healthcare organizations also must contend with meaningful use requirements, which are meant to drive improved electronic health record (EHR) data capture and information sharing. Adding the new HITECH privacy and security mandates atop the “MU” requirements might scare some healthcare entities away from addressing MU. Yet the trend is moving inexorably towards patients being able to access their own EHR.
As Adam Levin blogged in the Huffington Post, “To have current, accurate and reliable data about a patient’s medical history just a click away… will save money, time and … lives.” But attacks to steal and sell personal health data “…are also ultimately made possible by the digitization of medical records…”
Against this backdrop, it’s no wonder that, according to the most recent Healthcare Information and Management Systems Society (HIMSS) survey, more and more healthcare organizations are choosing to undertake a risk assessment.
A year-long examination of cybersecurity by The Washington Post shows that health care is among the most vulnerable industries to cybercrime – a big reason being that it has failed to address known problems with outdated systems. As one expert quipped: “I have never seen an industry with more gaping security holes. If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.”
No wonder so many government and industry sources have expressed concern that health care presents “… an inviting target to activist hackers, cyberwarriors, criminals and terrorists.” Among the scariest breaches posted by the U.S. Department of Health & Human Services under the HITECH Act are these that, according to FierceHealthIT, will literally “freak you out”:
- A surgical practice in Illinois had its server taken over and encrypted by hackers, who demanded a ransom in exchange for the decryption key. Over 7,000 patients had their names, Social Security numbers, credit card numbers and various clinical data compromised.
- Medical students at Stanford University and elsewhere, by their own admission, were creating bogus identities on Facebook in order to post information about patients. (FierceHealthcare blogged recently on a number of high-profile patient privacy violations on social media sites.)
- The Veteran’s Administration reported a staggering 173 breaches involving malware-infected medical devices between 2009 and 2011 – these did everything from disrupting patients’ glucose monitoring to cancelling patient appointments to shutting down a sleep lab.
- Studies by major medical centers and the Government Accountability Office have noted recently that defibrillators, insulin pumps and other common medical devices are vulnerable to hacking and infested with malware. It’s disconcerting that cyberthugs could deliver a fatal shock via someone’s pacemaker from across the planet.
Georgia Representative Hank Johnson has released draft legislation that proposes a way to regulate how the developers of mHealth and other mobile applications collect personal data. Called the “Application Privacy, Protection and Security (APPS) Act of 2013,” it would require developers to disclose how they collect personal data and what parties have access to it. It also proposes informing consumers about what information is collected and how long it could be stored – as well as enabling them to “opt out” from having their data collected and shared.
If enacted, the legislation would charge the Federal Trade Commission (FTC) with enforcing the privacy rules.
Healthcare IT Security
Pivot Point Security has the right combination of Information Security/Compliance domain expertise, healthcare industry knowledge and experience, and organizational character to help you define and execute on the best course of action so you can know you’re secure and prove you’re compliant. See how we can help.