By Lindy Benton
The headlines are endless and ever growing: Healthcare data is at risk. There’s a danger of exposure because scores of people worldwide are illegally trying to benefit from the information, because that information is being lost, because it isn’t being protected properly, or because of some other sort of breach. However, despite continued efforts to address security loopholes across the healthcare sector, simply “taking action” to mitigate damage is not an effective strategy – and it won’t work long term.
Take, for example, the recent announcement of hackers breaching HealthCare.gov. According to Medicare officials, as reported by the Wall Street Journal, while no personal information was accessed, test servers were affected. Apparently, the breach exposed the fact that the manufacturer’s default password on the server had never been changed, the server was not subject to security scans and the test servers were mistakenly connected to the Internet. Changing default passwords, running security scans and keeping test servers off the Internet are commonsense security practices, and they should be standard when personal health information is concerned.
Healthcare data also is becoming increasingly targeted. According to an Identity Theft Resource Center report from early 2014, healthcare accounts for 43 percent of major data breaches, overtaking the business sector for the first time. The organization claims that the recent jump in healthcare breaches could be the result of tougher reporting requirements. “It is more difficult, perhaps, for that industry to brush something under the rug and want to chance not disclosing it because the ramifications for being found out are pretty significant,” the authors claimed.
Breaches come in a variety of forms and are not simply classified by a loss of patient records or identity theft. A breach can be as simple as a lost laptop or other mobile device that contains patient data or even a loss of a physical patient record. The recent news that Chinese hackers stole nearly 5 million medical records from Community Health Systems shows that breaches are only going to increase because these records include valuable information, like Social Security numbers.
Since federal reporting requirements kicked in, the U.S. Department of Health and Human Services’ database of major breach reports (those affecting 500 people or more) has tracked 944 incidents affecting personal information from about 30 million people. A majority of those records are tied to theft (17.4 million people), followed by data loss (7.2 million), hacking (3.6 million) and unauthorized access accounts (1.9 million), according to a Washington Post analysis of the data (these numbers don’t include the Community Health Systems data breach).
Also, take a look at the results of a recent Forrester study. According to the Wall Street Journal, Forrester conducted a survey of 2,134 health IT pros and found that only 59 percent of healthcare IT professionals said they encrypt devices like laptops, smartphones or tablets. Forrester analyst Chris Sherman told the Journal that 39 percent of healthcare security incidents since 2005 have included a lost or stolen device. “Endpoint data security must be a top priority to close this faucet of sensitive data,” he said.
As breaches continue to occur and sensitive patient data becomes more highly sought after, some organizations are beginning to look to the cloud and mobile storage solutions to protect their data, while others continue to maintain more traditional approaches of keeping their information “safe” onsite. The move to the cloud is supported by the belief that health information can be stored remotely in a secure and protected manner, where there’s no need for the transfer or collection of data on laptops, portable hard drives or other mobile and physical devices.
The cloud isn’t invulnerable to hacking – the Healthcare.gov story proves that. However, in some cases, hospitals and practices are identifying HIPAA-compliant secure cloud storage methods that allow them to safely transfer documents, in addition to storing them. For the most part, they are finding that these solutions require minimal time and training to implement, and less to maintain and manage than their on-premise counterparts.
To proponents of cloud-based storage solutions, although the data needed to power a practice is off-site, it is secure in the event of a catastrophe, for example, and the information is easily exchangeable and retrievable. Additionally, records can be loaded or attached and sent as required; for example, attaching records and documents to support claim verification and adjudication at the request of payers.
Despite the flexibility and ease of the cloud solutions, one question remains: “Is the cloud as secure as a dedicated, on-premise infrastructure?” This question was recently addressed in a Rackspace report. According to the report, the cloud is no less secure than on-premise solutions. Cloud solutions are typically created with built-in security controls and features. Worth noting, though, is that the number of attacks is increasing for both cloud and on-premise solutions, so neither has an advantage on that count. “From 2012 to 2013 vulnerability scanning attacks jumped from 27 percent to 44 percent for cloud-hosted environments, and from 28 percent to 40 percent for on-premise datacenters,” the report noted.
Hospitals and healthcare organizations moving to the cloud are likely to face threat levels similar to those they would face if their data and technology were stored onsite. At this point, it would be foolish to proclaim that the cloud is less safe than on-premise solutions or that on-premise solutions are impenetrable to breach.
In fact, on an unrelated note, the cloud is creating better information backup options for health organizations in the event that they lose data or their systems crash (which also supports the call for organizations to rely on more than one mechanism for data backup). This is a defense-in-depth approach.
Organizations can’t rely on a single approach to security, nor can they expect that they’ll always be in control of their data. However, just because data is on site doesn’t make it safer, and just because it’s in the cloud doesn’t make it more vulnerable to breach. Though this little fact won’t bring the headlines to a halt, nor will it help protect data in any way, this insight may help health leaders realize there are alternative approaches or solutions to where data can be kept and how it is secured and managed.
They need to take the steps to secure the data, using commonsense methods and establishing partnerships with others who can do some of the heavy lifting on protection when it’s needed.
Lindy Benton is CEO of MEA|NEA (www.mea_fast.com), a provider of electronic attachment, health information exchange and healthcare cloud storage solutions for hospitals, health systems and medical practices.