White House Turns Attention to Cybersecurity

Cyberattackers and hackers operate in the shadows, lurking away from where conventional law enforcement can easily identify and investigate them. They prefer secrecy and anonymity. But they may not have that luxury any longer – not since the federal government and the White House, specifically, have escalated their focus on cybersecurity.

First, President Barack Obama addressed the issue during his State of the Union address earlier this month, declaring, “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids.”

To back up his comments, the president also submitted a budget proposal that allocates funding toward combating cyberattacks. In the initial proposal, the president called for cybersecurity spending to increase by 10 percent to $14 billion – all in an effort to improve detection of and response to the kinds of massive attacks that have plagued both the public and private sector over the last year.

Specifically, the budget proposal calls for:

- Improved data sharing
- Increased monitoring and diagnostics of federal computer networks
- More widespread deployment of the EINSTEIN intrusion detection and prevention system
- Government-wide testing and incident-response training
- New teams of engineers and technology consultants

In the White House’s explanation of these budget items, it said, “Cyber threats targeting the private sector, critical infrastructure and the federal government demonstrate that no sector, network or system is immune to infiltration by those seeking to steal commercial or government secrets and property or perpetrate malicious and disruptive activity.”

The cybersecurity community has largely lauded the budget and the government’s increased attention to the issue,...

The State of Healthcare Security Breaches

By Sylvia Rosen

Security breaches are, no doubt, terrible for business owners. But when dealing with the healthcare sector, these breaches intensify in their potential for causing humiliating, or potentially dangerous, ramifications. In 2010, 42,275 people were affected by stolen paper healthcare records, encouraging hospitals to make the switch to electronic health records. Still, industry experts say that electronic health records remain at risk from security breaches if they aren’t handled with care. Kroll Advisory Solutions found that the frequency of healthcare data breaches has increased steadily over the past six years, and the main cause is a lack of training and awareness among staff.

“Human error by employees was a major factor in health breaches, according to respondents [in the 2012 Kroll/HIMSS Analytics Report]. Of the respondents, 79% said security breaches were initiated by an employee, and 56% said breaches occurred because employees had unauthorized access to information.” – Brian T. Horowitz, health writer at eWeek.

“Any server or other data warehouse with patient health information must be securely protected. The expanded use of mobile devices offers new operational efficiencies and increased vulnerabilities. Security steps for mobile devices should be included in the action plans so that guidelines are set.” – Lisa Gallagher, senior director of privacy and security for HIMSS.

“Another significant takeaway [from the 2012 Kroll/HIMSS Analytics Report] is that mobile devices might be great for giving clinicians information at the point of care – but they’re not so good at keeping PHI safe. Nearly a third (31%) of respondents indicated that information available on a portable device was among the factors most likely to cause...

Making Mobile Health Possible, Part 2

Earlier this week, we explored the innumerable medical breakthroughs that could stem from mobile health innovations. Today, let’s look at the security considerations needed to enable this.

Security Must Be Paramount

Yet, considering how sensitive and valuable medical information is, proper precautions must be taken to secure this data before mobile health can become mainstream. For instance, if hackers or disloyal employees scan or manipulate health data that is sent via mobile applications, the consequences can range from embarrassment to, frankly, death. It’s easy to understand why ensuring these connections are secure is absolutely critical.

Mobile health, however, requires special VPN functionality. For instance, it requires both extremely high security and flexibility. After all, a healthcare application might use a potentially insecure public Wi-Fi network to communicate with the IT system of a hospital or a medical office. In order to maintain security in such a scenario, the VPN client must be able to automatically adapt to these security settings.

The same requirements apply to smartphones and tablets used by nurses in elderly or outpatient care. Such solutions relay patient information—from homes or hospitals—onto the central database, typically via a VPN connection. And so again, the VPN connection must be able to flexibly adapt to various network connections, given some amount of unpredictability of the locations. Also, considering that many healthcare workers are not trained in technology, the VPNs must be easy to use, so convenience is not traded for security.

There’s no doubt mobile health offers innumerable opportunities to lower the cost of healthcare and infinitely improve efficiencies and convenience. The question is, can we ensure that this is done...

Making Mobile Health Possible, Part 1

It’s no secret that healthcare is going mobile. According to a recent survey of 250 mobile executives from around the world, 78% said they consider the healthcare vertical to have the most to gain from 4G connectivity. Yet, with the increasing dominance of open platforms, like Android, and the huge diversity of mobile devices, maintaining mobile health security will be an ongoing challenge for healthcare organizations.

This year, a study by Boston Consulting Group and telecommunications company Telenor found that the implementation of mobile health could lower costs of caring for the elderly by 25%, while potentially reducing caretaking costs for the chronically ill by up to 75%, by reducing the number of in-person medical consultations. Not only would mobile health significantly lower the number of doctor visits required for care, but it could also ensure an overall more integrated and seamless caregiving process.

For instance, consider smartphone apps that can communicate directly with medical personnel or close family members so that vital signs for chronically ill patients can be monitored—and assistance can be offered—in the event of an emergency. This would help lighten the burden on caregivers, enabling them to stay connected with patients and be alerted to any health changes. Beyond this, mobile health has tremendous potential to enable doctors to collaborate on care, accelerate the diagnosis process and much more.

But what about mitigating the security risks around mobile health? We’ll look into that in part two – stay...

New Survey Finds that Healthcare IT Pros Most Concerned About Electronic Data Breach

Healthcare IT News recently asked its readers about the healthcare data breaches that worry them the most. Not surprisingly, the vast majority (80 percent) of respondents said electronic data breach/hack, while only 13% worried about hardware theft, followed by 7% concerned about the theft or loss of paper records.

This trend is warranted. For instance, a recent article in the Fort Worth Star Telegram highlighted the growing trend of doctors using smartphones and tablets to access medical data. According to the story, hospitals in North America spent $7.4 billion on electronic records in 2010 – and the 2009 stimulus act has earmarked $50 billion to help government and private healthcare providers offer EHRs over the next five years. So what does this look like? Here’s an anecdote from the piece:

If a patient of Arlington physician Ignacio Nuñez shows up at the emergency room when the doctor is not at the hospital, he doesn’t have to wait long to start investigating what might be wrong. The obstetrician/gynecologist can call up an expectant mother’s medical records on his iPhone, or even watch the fetus’s heartbeat on the device once the woman is connected to a hospital monitor, wherever he might be at the time. … According to AirStrip, the San Antonio software company that developed the app Nuñez uses, there is only a three- to five-second lag to get information to the physician’s mobile device. AirStrip also makes a version for cardiologists and has an upcoming version that will monitor other critical data in intensive care units and emergency rooms.

Groundbreaking, indeed. But what about from a security perspective? We’d like...

Part 3, Conversation with Martin Rosner, Continua Health Alliance, on Consent Management

This week, we feature the final part of our conversation with Martin Rosner, director of standardization at Philips – North America. Rosner chairs Continua Health Alliance security and privacy discussions and contributes to relevant security initiatives within the healthcare industry. Continua Health Alliance is a non-profit, open industry organization of more than 230 healthcare and technology vendors focused on delivering interoperable health solutions.

VPN Haus: How can patients manage the sharing of their health data?

Martin Rosner: Sharing of health data can be realized only if there are means to prevent unauthorized access to the data and to protect it in accordance with security and privacy regulations. Furthermore, patient empowerment is an important aspect of preventative care—increasing the number of educated patients who have more control over their own healthcare increases the likelihood that conditions will be caught before they become more serious. Soon patients will have more fine-grained control over the dissemination of personally identifiable information as related to health status. Electronic consent that specifies and governs the use of patient health data will furthermore increase consistency, compliance and efficiency for both patients and healthcare providers in this process.

VPN Haus: What role does Continua play in this?

Rosner: Our architecture addresses several requirements enabling digital consent. Patients should be able to define and manage their digital consent and privacy policies in a user-friendly manner, such as on an at-home device or online. Digital consent should propagate with patient data and systems of services and care providers should enforce this. Our 2011 guidelines will address the first two requirements, while work has begun to address the third requirement in...