2013 significantly changed the context of the healthcare security and privacy conversation. From the Snowden NSA revelations, to HIPAA Omnibus rule, changes in breach characteristics, to connected devices, mhealth, IoT and increasing use of cloud and corporate BYOD policies, one thing is clear: security by obscurity equals no security at all. The burden of protecting PHI is now spread across all data holders, patients, providers and payers alike. Outlined below are some of the unique security issues that will need addressing as healthcare technology moves into a data analytics mindset.
More than 7 million patient records were exposed in 2013 alone, marking a perceived 138% increase from reported 2012 healthcare data breaches. Expect to see a change in how breaches occur, and keep in mind that an uptick in breach notifications doesn’t necessarily imply an uptick in actual data breaches. Everyday PHI breaches of years past went largely unnoticed, whereas now technology helps track and log access. 2014 will see a new focus on targeted identity theft and less focus on lost laptops and stolen hard drives. Human error still accounts for 75 percent of all healthcare data breaches, but medical-related identity theft accounted for 43 percent of all identity thefts reported in the United States in 2013.
Federal regulators are planning for a more permanent HIPAA audit program to support the 2013 HIPAA Omnibus rule, and industry can expect increased scrutiny for violations pertaining to inappropriate disclosure of data and denial of patient access. What has not yet been directly addressed is whether the NSA has accessed, reconstructed or inferred any personally identifiable information covered by HIPAA, such as that held by Google, Microsoft, Apple, and mobile games, and how a BAA will hold up in such a data collection scenario. Currently, cases are being heard regarding the warrantless access of state-controlled health databases by other federal agencies, and the verdict has been in favor of patient privacy.
Patient Best Practices Awareness
In other sectors, user data purging and security tools are entering the mainstream. From apps that help consumers navigate terms of service and platform data-deletion shortcuts, to password managers and tools that avoid search and web tracking, users are gaining control of their personal information. But when it comes to healthcare, how common is it to leave a credit card on file, and how often do patients really check their charts for errors?
The internet of things, and connected reality as it plays into mobile and personal health apps, adds another layer to patient security awareness. Malware attacks through network-connected appliances such as refrigerators, HVAC and media centers have been of concern recently, and they present an unsuspecting entry into a home network. What used to be as simple as using a WPA key on a home router and not handing out an SSN is now a different conversation. Enterprise security has long favored an onion-type approach, or defense-in-depth, but that’s far from the case with personal information security. And the question remains: is defense-in-depth even effective in the personal security space, given its shortcomings in enterprise IT?
PHI in the Cloud
Healthcare IT is finally trusting cloud storage and computing. As of 2013, 30% of healthcare organizations are leveraging cloud technology, and nearly twice that are confident in the future of cloud security. Other industries have proven that cloud computing can be a safe, economical, collaborative and scalable approach to enterprise data management problems. While cloud security will garner much of the spotlight for the next several years, the privacy aspect of distributed data liquidity must be addressed.
Currently, there are no HIPAA restrictions on the use or disclosure of de-identified health data, even though 87% of all Americans can be uniquely identified using only zip code, birthdate, and sex. PHI is currently, and will be increasingly, sold to third-party data warehousers, insurers, pharma, marketers, researchers, and more. Current standards for anonymized data do not prevent re-identification of the individuals behind the records. This is the conversation the healthcare industry, and patients, should be having in 2014 regarding cloud computing.
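The re-identification risk above can be measured rather than argued about. The following is an added example, not code from the original post: it computes k-anonymity over the three quasi-identifiers the post names (zip code, birthdate, sex) on a constructed set of "de-identified" records, and then shows how much generalization (truncating zip, coarsening birthdate) is needed before every record shares its quasi-identifiers with at least k others. The records, field names and generalization ladder are assumptions made for the illustration.

```python
# Added example: measure k-anonymity of "de-identified" records over the
# quasi-identifiers (zip, birthdate, sex), then generalize until a target k holds.
from collections import Counter

# Constructed sample records; no real patients. Direct identifiers already removed,
# yet every row is still unique on zip + birthdate + sex.
RECORDS = [
    {"zip": "02139", "dob": "1980-03-14", "sex": "F", "dx": "asthma"},
    {"zip": "02139", "dob": "1980-09-02", "sex": "F", "dx": "migraine"},
    {"zip": "02139", "dob": "1981-07-02", "sex": "M", "dx": "diabetes"},
    {"zip": "02138", "dob": "1981-11-30", "sex": "M", "dx": "hypertension"},
    {"zip": "02142", "dob": "1975-01-09", "sex": "F", "dx": "asthma"},
    {"zip": "02142", "dob": "1975-06-21", "sex": "F", "dx": "flu"},
]

def quasi_id(record, zip_digits=5, dob_precision="day"):
    """Quasi-identifier tuple at a chosen generalization level (defaults = no generalization)."""
    z = record["zip"][:zip_digits]
    dob = {"day": record["dob"], "month": record["dob"][:7], "year": record["dob"][:4]}[dob_precision]
    return (z, dob, record["sex"])

def k_anonymity(records, **level):
    """Size of the smallest equivalence class; k == 1 means someone is unique on the QIDs."""
    counts = Counter(quasi_id(r, **level) for r in records)
    return min(counts.values())

def unique_fraction(records, **level):
    """Share of records that are the only member of their equivalence class."""
    counts = Counter(quasi_id(r, **level) for r in records)
    singles = sum(1 for r in records if counts[quasi_id(r, **level)] == 1)
    return singles / len(records)

def generalize_to_k(records, k):
    """Walk a coarsening ladder (zip 5 -> 3 -> 0 digits, dob day -> month -> year)
    and return the first level at which k-anonymity holds, or None if none does."""
    for zip_digits in (5, 3, 0):
        for dob_precision in ("day", "month", "year"):
            level = {"zip_digits": zip_digits, "dob_precision": dob_precision}
            if k_anonymity(records, **level) >= k:
                return level
    return None

if __name__ == "__main__":
    print("k at full precision:", k_anonymity(RECORDS))          # 1
    print("unique records:", unique_fraction(RECORDS))           # 1.0
    print("level reaching k=2:", generalize_to_k(RECORDS, 2))    # zip 3 digits, year only
```

Releasing the diagnosis column alongside the full-precision quasi-identifiers here would expose every patient, while the generalized release still supports aggregate analytics.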
Sorry, but that cat left the bag 5 years ago. Employees are using their personal devices at work, regardless of policy. The best bet to mitigate BYOD security risks is to address them head on, and support secure solutions that enable users’ workflows. Secure SMS and texting has been solved. HIPAA-compliant platform-as-a-service is a thing. There are mobile apps to address medical imaging, rounding, clinical diagnosis, EHR integration, and countless vendors are developing platform-down solutions for providers.
Beyond mobile security and BYOD policy, the issue will be how breaches on these devices will be reported and analyzed. Currently, the HIPAA Wall of Shame classifies all mobile device breaches under the catch-all “Other Portable Electronic Device”, which, as mhealth really enters the mainstream, will be a near useless designation.
Mobile Health Security
In this context, mHealth refers to medical apps used by patients, not wellness/fitness apps nor clinical practice or reference apps. Current efforts in the private sector to certify mobile health applications have failed, largely due to a lack of understanding around mobile health security. Mobile apps and devices come with complex challenges not seen elsewhere in healthcare, particularly around workflow data integration, security and user experience. Two camps have emerged: platform-down apps such as those from athenahealth and Greenway, and independent shops like AliveCor and Glooko who have yet to meaningfully integrate into major vendors. The third obvious play would come from valley tech giants, but despite rumors, nothing of substance has been shipped.
While certain security best practices should never be skipped (encryption, SSL, passkeys, etc), user experience should come first and foremost. Security is nearly insignificant if no one uses an app, and patients will not tolerate poor design. Many questions remain regarding shortcomings of FDA mhealth software regulation. Are medical providers the best individuals to evaluate a mhealth app for security and patient usability, and how may the design, developer and infosec communities better help educate the medical community? It will be important to address provider shortcomings in prescribing and recommending patient-facing mhealth tools, especially around efficacy, privacy and security.
Here are the chat topics I proposed during the #HITsm chat, April 4. I would love to hear your feedback on the topics, or any other related issues, below in the comments.
- Does theft of your electronic health record cause more concern than theft of other private info?
- Should there be different security requirements for govt access to PHI data vs others?
- How can the health IT infosec community help journalists/consumers/patients evaluate mobile apps and enterprise health IT solutions?
- Are docs qualified to RX and recommend health apps? How can mHealth be transparent regarding PHI risks?
- Should patients be allowed to opt out of the sharing of their anonymized PHI data if used for profit? If so, how?
By Lauren Still - Rise of Data Analytics Heightens Need for PHI Security - April 3, 2014