By Robert Grapes
Electronic health records (EHRs) are a prized component of the Obama healthcare reform package; they have received much attention for the purported benefits they can provide the industry. But this increased popularity has also brought a backlash, as pundits allege that potential security and compliance risks may outweigh any possible benefits these solutions can offer.
Following many data breaches in the past year, including several at the Kaiser Permanente group, paper-based records systems have proven error-prone and inefficient. Even so, a recent Ponemon Institute survey indicates that more than half of American hospitals fail to take appropriate steps to protect patient privacy - even though 80 percent of responding healthcare organizations experienced at least one incident of lost or stolen electronic health information in the past year. It is now more important than ever for healthcare organizations to understand the steps that must be taken to secure EHRs and to prepare for future guidelines and mandates.
When comparing IT budgets, the healthcare industry consistently spends less on security than the financial services industry. The healthcare ecosystem includes a complex value chain with equally complex data linkages. Due to its disparate community of users, distribution requirements, media types, frequency of updates and intensive regulation over the personal health data that they are storing, the healthcare industry faces a far more difficult challenge than the financial services industry.
It's likely that healthcare IT workers would describe data-protection regulations as both a hindrance and an effective means of achieving data security. New regulations may have forced some organizations to defer existing projects in favor of new security initiatives, shifting focus to areas that were perhaps less critical than the current projects and leaving known exposures unaddressed. Many data-protection regulations began by addressing external attack scenarios; organizations used a faithful interpretation of those regulations to establish the foundation for an environment with the appropriate controls for data protection. More recently, regulations surrounding EHR management and protection have evolved to include guidance that helps companies defend against insider attacks. While less common, an insider attack has the potential to be far more damaging than an external one. Insiders possess intimate knowledge of where the important data is stored, know the defenses (or lack thereof) employed to protect that data, and have ample time to design their attack. They also likely enjoy the inherent trust of their organization and will appear to operate innocently until their attack unfolds.
Insider attacks are typically isolated to a small number of records. But more damaging attacks can compromise a large number of records, affect multiple patients and require significant and expensive damage control by the healthcare organization. In fact, the average cost of a data breach exceeds $210 per patient record. Administrators and developers could inflict this type of damaging attack if the appropriate security controls are not put into place. For example, a system administrator could easily create a denial of service by disabling systems or gaining unauthorized access, while a developer could reuse known accounts and passwords to create additional data access utilities or ad-hoc queries.
So how can individuals in these roles perform their daily tasks without having excessive rights or unmonitored access to the systems and data in their charge? A growing number of organizations are turning to Privileged Account Management (PAM) solutions. PAM solutions directly address the issue of controlled and audited access by "trusted" individuals to the critical privileged accounts that are the "keys to the kingdom" for any organization's data. These solutions authenticate the individual, authorize each access to a privileged account, and record that access for audit. A sub-category of the overall identity and access management market, PAM solutions are gaining traction in the marketplace as organizations scramble to achieve checkmarks against the various audit requirements already in place (such as FISMA, PCI DSS, HIPAA and SOX), or as thoughtful and strategic organizations look to reduce operating costs, maintain service levels and improve security, all while striving to achieve compliance with audit criteria.
Integrating a PAM solution into an organization's existing infrastructure can be seamless and deliver multiple benefits. Many PAM offerings leverage existing provisioning, authentication, authorization, database, notification and reporting facilities. PAM solutions can also provide healthcare organizations with a control system to store, manage and release critical credentials and applications without creating another administrative silo that taxes their already constrained resources.
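The control loop described above (a broker that releases a privileged credential only to an entitled, authenticated user, for a limited time, with every decision audited) and the developer-reuse scenario from the earlier paragraph can be sketched in a few lines. This is an added, constructed illustration, not Cloakware's product or any real PAM implementation; the role names, account names, and credential values are placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed entitlement policy: job role -> privileged accounts it may check out.
ENTITLEMENTS = {"dba": {"ehr-db-admin"}, "sysadmin": {"ehr-app-root"}}


@dataclass
class Checkout:
    user: str
    expires: datetime


@dataclass
class CredentialBroker:
    secrets: dict                                # account -> credential (placeholders)
    roles: dict                                  # user -> role
    audit: list = field(default_factory=list)    # (time, user, account, decision, reason)
    active: dict = field(default_factory=dict)   # account -> live Checkout

    def checkout(self, user, account, reason, now, ttl_minutes=30):
        """Release a credential only if the user's role is entitled to the account
        and nobody else currently holds it; every decision is written to the audit trail."""
        if account not in ENTITLEMENTS.get(self.roles.get(user), set()):
            self.audit.append((now, user, account, "DENIED", reason))
            return None
        holder = self.active.get(account)
        if holder and holder.expires > now and holder.user != user:
            self.audit.append((now, user, account, "DENIED_IN_USE", reason))
            return None
        self.active[account] = Checkout(user, now + timedelta(minutes=ttl_minutes))
        self.audit.append((now, user, account, "RELEASED", reason))
        return self.secrets[account]

    def record_use(self, user, account, now):
        """Called from the target system's login hook: a logon to a privileged account
        without a live checkout by that user is the 'reused known account' insider pattern."""
        holder = self.active.get(account)
        if holder and holder.user == user and holder.expires > now:
            self.audit.append((now, user, account, "USED", ""))
            return True
        self.audit.append((now, user, account, "ALERT_UNBROKERED_USE", ""))
        return False


def demo():
    """Constructed scenario; returns the sequence of audit decisions."""
    b = CredentialBroker({"ehr-db-admin": "pw-placeholder"}, {"alice": "dba", "bob": "developer"})
    t0 = datetime(2010, 6, 1, 9, 0)
    b.checkout("alice", "ehr-db-admin", "apply patch", t0)          # entitled: RELEASED
    b.checkout("bob", "ehr-db-admin", "ad-hoc query", t0)           # developer: DENIED
    b.record_use("alice", "ehr-db-admin", t0 + timedelta(minutes=5))   # within TTL: USED
    b.record_use("bob", "ehr-db-admin", t0 + timedelta(minutes=5))     # no checkout: ALERT
    b.record_use("alice", "ehr-db-admin", t0 + timedelta(minutes=40))  # TTL expired: ALERT
    return [entry[3] for entry in b.audit]
```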
Am I comfortable that my personal health information is being managed and secured appropriately against the most common attacks? Yes. Am I aware of some specific weaknesses that remain in most organizations and do I believe that we will continue to see evidence of malicious data breaches by insiders? Yes. Healthcare organizations must now think from the inside out when considering their security objectives and realize that solving the insider threat often helps alleviate the external threat. Considering the multiple high-profile breaches in the past year, the security concerns surrounding EHRs have proven valid; many early EHR projects were implemented without the proper controls to access data or comply with complex HIPAA regulations.
While healthcare organizations will continue to face a daunting task in relation to security, implementing the proper PAM solution can help ensure sensitive patient data is protected and compliant with new regulations - a solid first step in the security journey.
About the author
Robert Grapes is chief technologist for Cloakware's data center solutions business.