A few great weeks on the road have just come to an end, and with a chance to breathe comes a chance to reflect. Two things I found myself thinking about on my plane ride from HIMSS were ogres and onions. Keep reading; it makes sense.
The Value of Stolen EHR
One of the sessions I attended at HIMSS reviewed Florida’s system for evaluating eligibility for, and managing access to, healthcare and other government benefits. A key point for me was the number, breadth and sophistication of criminals targeting healthcare, and the increasing demand for stolen patient records. Estimates varied by source, but all of them put the black market value of a stolen healthcare record at many times that of a stolen credit card number.
Although I already knew the risks, I had never spent time considering the situation end to end. Beyond very private medical information, health records contain insurance, credit card, bank account and SSN details and contact details for patients and relatives, all of which are a gold mine for criminals.
The individual devastation that results from a lost patient record can include:
- Emptied bank accounts
- Maxed out credit cards
- Consumed limited lifetime insurance benefits
- Hindered ability for the patient to get credit and jobs for years
- Inaccurate and dangerous information placed in permanent healthcare records
In healthcare, we often think about the impact of breaches in terms of various fines. However, as actual damages from lost records escalate, is it time we consider the potential risk of civil and/or class action suits?
Effective Security, Like Ogres and Onions, Has Layers
As I sat staring at the Atlantic, I remembered a fantastic CISSP class presented by Dr. Bill Hancock. He described how effective security, like ogres and onions, has layers. I realized how much lip service is given to security instead of action, because security is mistakenly treated as a toggle (more on this later).
Today, when securing patient records, we need to understand the motivation behind stealing them to anticipate our adversary. Although records contain private clinical details, these items generally have little financial value.
Consider that in the US, nearly $3 trillion per year is spent on healthcare. To put this into perspective, the US healthcare economy exceeds the GDP of every country in the world except the US, China, Japan and Germany. This fiscal reality is so significant that everyone from physicians and pharmacists to organized crime syndicates is targeting healthcare, often through the use of stolen patient records and identities.
What does this have to do with ogres and onions? Dr. Hancock related a story about a security audit he did for an organization. Paraphrasing the dialog as I remember it:
The CSO of the organization, within the first few minutes of their meeting, assured Dr. Hancock that “security is our absolute top priority”.
Dr. Hancock’s response was “Where are your dogs?”
Confused, the CSO responded, “We don’t have any dogs.”
“Why not?” asked Dr. Hancock.
“Well, they would have to be fed and cared for. They could create risk to employees and visitors and create liability.”
Dr. Hancock responded, “You just named a few of the things that you consider more important than security.”
Dr. Hancock’s point wasn’t that the company should have dogs, but that security should not be considered binary. It is never a case of secure vs. not secure. Instead, it is something we work towards incrementally, in appropriate layers, knowing we will get better but never be perfect.
The Source of Risk
In healthcare, as in many other industries, breaches often occur when data is inappropriately stored (often unencrypted) on a laptop that is then stolen or lost. Data is also inappropriately accessed through a device that is not physically secured, or that remains accessible to current or past employees, vendors or other individuals who should not currently have access.
This isn’t surprising. Two of the weakest points in security are:
- Users, who tend to underestimate security risk and are susceptible to social engineering
- Endpoints, which are relatively difficult to secure because, in many cases, they can’t be physically secured while continuing to provide the value they exist for.
RES Software provides a unique layer in your security strategy. Learn how to improve security by using context (physical location, device type, time of day, role and many other key data points), then instantly and automatically manage access to data, drives, applications, USB storage and other IT services based on that context.
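As an added illustration of the context-based, layered access control described above (this is example code, not RES Software’s product or its API), the following evaluates a request against the context attributes named in the text: role, physical location, device type and time of day. Each check is a separate layer that can deny; access is granted only when every layer passes, and anything unmatched is denied by default. Resource names, roles and thresholds are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    role: str       # constructed roles: "clinician", "billing", "it_admin", ...
    location: str   # "on_site" or "remote"
    device: str     # "managed_workstation", "managed_laptop" or "personal"
    hour: int       # local hour of day, 0-23

# Layer 1 input: which roles are ever entitled to a resource (constructed).
ENTITLEMENTS = {
    "patient_record": {"clinician", "billing"},
    "usb_storage": {"clinician", "it_admin"},
    "clinical_app": {"clinician"},
}
SENSITIVE = {"patient_record", "usb_storage"}

def layer_role(res, c):
    """Least privilege: a role not entitled to the resource stops here."""
    return None if c.role in ENTITLEMENTS[res] else "role not entitled"

def layer_device(res, c):
    """Device posture: unmanaged devices never reach sensitive resources."""
    if c.device == "personal" and res in SENSITIVE:
        return "personal device may not reach sensitive data"
    if res == "usb_storage" and c.device != "managed_workstation":
        return "USB storage only from managed workstations"
    return None

def layer_location_time(res, c):
    """Physical location and time of day narrow access further."""
    if res == "usb_storage" and c.location != "on_site":
        return "USB storage only on site"
    if res in SENSITIVE and c.location == "remote" and not 7 <= c.hour < 19:
        return "remote access to sensitive data outside 07:00-19:00"
    return None

LAYERS = [layer_role, layer_device, layer_location_time]

def decide(resource, ctx):
    """Return (allowed, reason). Every layer must pass; unknown resources deny."""
    if resource not in ENTITLEMENTS:
        return False, "unknown resource, default deny"
    for layer in LAYERS:
        reason = layer(resource, ctx)
        if reason:
            return False, f"{layer.__name__}: {reason}"
    return True, "all layers passed"
```

Because each layer reports which check failed, the same logic doubles as an audit trail: a denied request carries the layer and reason that stopped it.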
Every part of securing healthcare is getting harder: attempts to break your security are more numerous and more sophisticated, and the financial risks are greater than ever. RES Software can provide greater security while improving the clinician experience, all while solving problems that deliver a demonstrable ROI.
Work Toward Your Appropriate Layers
To learn more, or discuss your security with RES Software, visit www.ressoftware.com
If you would like to dive into healthcare fraud, a good place to start is The Challenge of Health Care Fraud by the National Health Care Anti-Fraud Association.