The State of Healthcare Security Breaches

By Sylvia Rosen

Security breaches are, no doubt, terrible for business owners. But when dealing with the healthcare sector, these breaches intensify in their potential for causing humiliating or potentially dangerous ramifications. In 2010, 42,275 people were affected by stolen paper healthcare records, encouraging hospitals to make the switch to electronic health records. Still, industry experts say that electronic health records remain at risk from security breaches if they aren’t handled with care. Kroll Advisory Solutions found that the frequency of healthcare data breaches has increased steadily over the past six years, and the main cause is a lack of training and awareness among staff.

“Human error by employees was a major factor in health breaches, according to respondents [in the 2012 Kroll/HIMSS Analytics Report]. Of the respondents, 79% said security breaches were initiated by an employee, and 56% said breaches occurred because employees had unauthorized access to information.” – Brian T. Horowitz, health writer at eWeek.

“Any server or other data warehouse with patient health information must be securely protected. The expanded use of mobile devices offers new operational efficiencies and increased vulnerabilities. Security steps for mobile devices should be included in the action plans so that guidelines are set.” – Lisa Gallagher, senior director of privacy and security for HIMSS.

“Another significant takeaway [from the 2012 Kroll/HIMSS Analytics Report] is that mobile devices might be great for giving clinicians information at the point of care – but they’re not so good at keeping PHI safe. Nearly a third (31%) of respondents indicated that information available on a portable device was among the factors most likely to cause...

Making Mobile Health Possible, Part 1

It’s no secret that healthcare is going mobile. According to a recent survey of 250 mobile executives from around the world, 78% said they consider the healthcare vertical to have the most to gain from 4G connectivity. Yet, with the increasing dominance of open platforms, like Android, and the huge diversity of mobile devices, maintaining mobile health security will be an ongoing challenge for healthcare organizations. This year, a study by Boston Consulting Group and telecommunications company Telenor found that the implementation of mobile health could lower costs of caring for the elderly by 25%, while potentially reducing caretaking costs for the chronically ill by up to 75%, by reducing the amount of in-person medical consultations. Not only would mobile health significantly lower the number of doctor visits required for care, but it could also ensure an overall more integrated and seamless caregiving process. For instance, consider smartphone apps that can communicate directly with medical personnel or close family members so that vital signs for chronically ill patients can be monitored—and assistance can be offered—in the event of an emergency. This would help lighten the burden on caregivers, enabling them to stay connected with patients and be alerted to any health changes. Beyond this, mobile health has tremendous potential to enable doctors to collaborate on care, accelerate the diagnosis process and much more. But what about mitigating the security risks around mobile health? We’ll look into that in part two – stay...

Part 2, Conversation with Martin Rosner, Continua Health Alliance About Identity Management

This week, we feature the second part of our conversation with Martin Rosner, director of standardization at Philips – North America. Rosner chairs Continua Health Alliance security and privacy discussions and contributes to relevant security initiatives within the healthcare industry. Continua Health Alliance is a non-profit, open industry organization of more than 230 healthcare and technology vendors focused on delivering interoperable health solutions.

VPN Haus: Let’s talk about identity management. What is it and what role does Continua play in this process?

Martin Rosner: We’ve included identity management tools in the upcoming 2011 Continua specifications to assure correct association of health information to patients’ identities. A person will typically have different identifiers at each system in a distributed architecture. For example, end users may have different credentials and means to identify and authenticate themselves across all devices deployed. The measurement device may only be able to identify the current user and assign a short and locally unique identifier to them. Such local identifiers must then be mapped to credentials on the Application Hosting Device (AHD) such that the measured data is properly linked with the correct user. Finally, such credentials on the AHD may further be mapped to multiple online systems that require uniqueness in their respective security domains. (See figure above for a diagram of the Continua interoperability paradigm including AHD.) All this implies that linking and cross-referencing identities on AHD, WAN and HRN systems should be possible.

VPN Haus: Is cross-referencing these identities necessary? How would it be done?

Rosner: Up to now, service providers often created a vertically integrated solution and dealt with this using manual methods,...

Part 1, Conversation with Martin Rosner on Security Aspects of Continua Health Alliance Architecture

This week, we’re featuring Martin Rosner, director of standardization at Philips – North America. Rosner chairs Continua Health Alliance security and privacy discussions and contributes to relevant security initiatives within the healthcare industry. Continua Health Alliance is a non-profit, open industry organization of more than 230 healthcare and technology vendors focused on delivering interoperable health solutions.

VPN Haus: What is Continua’s role in the telehealth domain?

Martin Rosner: Continua’s focus is on standardizing interoperable personal connected health devices and services. We have a unique architecture that enables electronic communication of personal health information between the consumer and the health management organization.

VPN Haus: Are there security concerns with transferring this data?

Rosner: Often, this sensitive information includes vital signs of the remote patient so security and privacy concerns must be addressed. We’re working to address these concerns by enabling point-to-point and end-to-end mechanisms to ensure confidentiality, integrity, and availability of the communicated health information.

VPN Haus: What are you doing to secure data transfer?

Rosner: We dedicated a group of pros to tackle this issue, referred to as the End-to-End Security Task Force. This team focuses mainly on identifying appropriate standards to address transaction level security. In 2009, we issued our Version 1 architectural specifications which addressed security and privacy issues focused on Personal Area Network (PAN) and Health Record Network (HRN) interfaces. We updated that with last year’s release of the Version 2010 guidelines, adding significant security features for the Wide Area Network (WAN) and Local Area Network (LAN) interfaces. For the most part, this addressed point-to-point security issues thereby ensuring that...

Take Two VPN and Call Me in the Morning: Why Healthcare Solution Providers Rely on VPNs to Avoid IT Headaches

By Robert Dutt

For resellers and other IT solution providers supporting healthcare clients, VPN is as ubiquitous a tool as the stethoscope their customers use every day.

“We will not support a client without a VPN. Period,” says Moshe Birnbaum, director of operations at EZ MSP, a Yonkers, NY-based solution provider. Fellow solution provider Stemp Systems Group, out of Long Island City, NY, considers the technology an equally important component of its healthcare business. President and founder Morris Stemp says the company currently maintains some 750 VPN-based connections to its clients.

So, why are VPNs so critical for healthcare solution providers? For one, VPNs are a significant part of the infrastructure these providers deploy and maintain for their customers. And VPNs are the platform on which to build new applications and solve deep-seated customer problems.

“Part of the Infrastructure”

Both EZ MSP and Stemp offer managed IT services for healthcare clients — from doctors’ offices to hospitals. This means, in some cases, the solution providers act as a completely outsourced IT department — especially for many smaller clients. To do this successfully, solution providers need a VPN to quickly access technology on clients’ networks and to make sure everything is running as smoothly as possible. “We look at [VPN] as part of the infrastructure,” Birnbaum says. “It’s also a service opportunity that’s covered under the company’s support contract with their customers.” Stemp says that with just an IP address, his company can connect to any of its clients in seconds. To maximize uptime for customers’ mission-critical systems, the company rolls out dual redundant firewalls and Internet connections with...