In 2009, the United States enacted the HITECH Act, otherwise known as the Health Information Technology for Economic and Clinical Health Act – but that’s a mouthful. Part of this act requires the US Department of Health and Human Services to maintain a running tally of breaches of unsecured protected health information affecting 500 or more individuals.
On May 19, 2015, I posted a blog entry mentioning this report. At that point, it listed 1,219 breaches since its inception in 2009. According to my calculations, this came out to about one major security breach every other day.
Today, I revisited the report, and the total now stands at 1,389. What does this tell us? It tells us that in just the past six months (184 days to be exact), we’ve had 170 breaches. In other words, we’ve increased from security breaches every other day to breaches almost every day!
Wall of Shame?
So, yes, we have a problem here – one that’s clearly getting worse rather than better. Given this, I suppose it’s inevitable that the government’s breach report has come to be known as the “Wall of Shame” for healthcare IT.
But I have to say that I find this name to be a bit snarky. After all, the IT groups I’ve worked with are doing whatever they can, under particularly challenging circumstances, to help their hospitals succeed. In addition to security and compliance, the job of healthcare IT today is to help hospitals cut costs, increase efficiency, drive better patient engagement, and improve the quality of patient care itself.
Helping IT Win
At RES, our goal is to help healthcare IT teams win on all of these counts. On the security front, we do this in surprisingly simple ways that can even be explained to people outside of the cyber security field. In fact, we’ve had healthcare IT customers who have been able to illustrate to the hospital how they can prevent breaches in dramatic yet easy-to-understand ways.
Healthcare IT 1, Malware 0
Take, for example, one of our customers who rolled out RES ONE Workspace across multiple facilities. In the middle of this rollout, the hospital got hit with a phishing email that included an attached executable designed to launch and spread malicious code. Sure enough, a number of unsuspecting employees clicked on the file. In no time at all, the code launched, took over email servers, and blasted out spam emails for disreputable products.
Interestingly, this malware only worked on legacy sites not yet touched by the RES rollout. Where RES was installed, natively integrated application-based security kicked in. In this case, it was our whitelisting technology, with rules that defined which files were allowed to be executed, that protected employees from opening infected files. RES environments, in other words, prevented users from executing the malicious executable, whereas the legacy environments just let it through. For IT, this was a clear and unambiguous demonstration to the hospital of its ability to protect patient data moving forward.
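To make the whitelisting idea concrete, here is an added example of a default-deny execution policy. It is illustrative code written for this post, not RES code and not how RES ONE Workspace implements its rules; the file paths, file contents, and rules are all constructed. It shows the two rule types most allowlisting products offer: a hash rule that pins an exact approved build, and a path rule that trusts an administrator-controlled directory. An attachment dropped into a user's Temp folder matches neither rule, so it is refused.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample "files" (path -> bytes); stand-ins for real executables.
SAMPLE_FILES: Dict[str, bytes] = {
    r"C:\Program Files\EHR\ehr.exe": b"approved EHR client build 1",
    r"C:\Users\nurse1\Downloads\ehr.exe": b"approved EHR client build 1",
    r"C:\Users\nurse1\AppData\Local\Temp\invoice.exe": b"attachment payload",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class AllowRule:
    kind: str   # "hash": exact SHA-256 of the file; "path": directory prefix
    value: str


# Constructed policy: the approved EHR build by hash, and the admin-only
# Program Files tree by path. The trailing backslash keeps a sibling
# directory such as "C:\Program FilesEvil\" from matching the prefix.
ALLOW_RULES: List[AllowRule] = [
    AllowRule("hash", sha256_hex(b"approved EHR client build 1")),
    AllowRule("path", "C:\\Program Files\\"),
]


def rule_matches(rule: AllowRule, path: str, content: bytes) -> bool:
    if rule.kind == "hash":
        return hmac.compare_digest(sha256_hex(content), rule.value)
    if rule.kind == "path":
        # Windows paths are case-insensitive, so compare lowercased prefixes.
        return path.lower().startswith(rule.value.lower())
    raise ValueError(f"unknown rule kind: {rule.kind!r}")


def is_execution_allowed(path: str, content: bytes,
                         rules: List[AllowRule] = ALLOW_RULES) -> Tuple[bool, str]:
    """Default deny: the file may run only if some allow rule matches it."""
    for rule in rules:
        if rule_matches(rule, path, content):
            return True, f"allowed by {rule.kind} rule"
    return False, "no allow rule matched (default deny)"


def evaluate_all(files: Dict[str, bytes] = SAMPLE_FILES) -> Dict[str, bool]:
    """Decision for every constructed sample file, keyed by path."""
    return {path: is_execution_allowed(path, data)[0] for path, data in files.items()}


if __name__ == "__main__":
    for path, data in SAMPLE_FILES.items():
        allowed, why = is_execution_allowed(path, data)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {path}  ({why})")
```

Two design points worth noticing: the hash rule follows the approved build wherever it is copied (the copy in Downloads still runs), while the path rule is only as strong as the permissions on that directory, so it belongs on trees that ordinary users cannot write to. Anything not explicitly approved, including the phishing attachment, is denied without needing a signature for it.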
Another RES customer – this one facing ransomware attacks – had a similar experience. Ransomware – an increasingly difficult problem for hospitals everywhere – involves malicious code from a phishing email that encrypts sensitive data and demands ransom in return for the decryption key. For this customer, of course, paying up was not an option. Instead, the IT team would spend an enormous amount of time recovering and restoring the data manually.
During the middle of the RES rollout at this hospital, the IT team hired a cybersecurity expert to perform a “pen test” (penetration test) across all facilities. As with the previous example, RES helped the IT group. For physical computers or endpoints running RES-based virtual workspaces, there was no problem. For other endpoints not yet reached by the RES rollout, however, the test code made its way through. Here again, IT looked particularly good.
Better IT + Better Security = Better Hospitals
These are just two examples. I could go on because across a wide range of customers RES helps healthcare IT teams protect patient data and comply with data security regulations. When clinicians need to print patient records, for instance, RES uses follow-me-printing to identify the closest printer so that patient information doesn’t fall into the wrong hands.
With context-aware information access, IT can grant access to patient records when it’s requested on the relevant unit, but then block it when access is requested from the coffee shop down the road. And with automated employee onboarding and offboarding, new employees get quick access to the data and apps they need based on what their profile allows while exiting employees are automatically blocked from accessing patient data and hospital files of any kind from the moment they leave.
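The following is an added example of the context-aware access decision described above, combined with offboarding. It is illustrative code written for this post, not RES code and not a description of how RES ONE Workspace evaluates context; the network ranges, unit assignments, employees and dates are constructed. Each request is checked in order against the user's employment status, the hospital network, the subnet of the unit that owns the record, and the user's unit assignment, and anything that fails a check is denied with a reason.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed network layout: one hospital range with a subnet per clinical unit.
HOSPITAL_NETWORK = ip_network("10.20.0.0/16")
UNIT_NETWORKS = {
    "ICU": ip_network("10.20.5.0/24"),
    "ED": ip_network("10.20.7.0/24"),
}


@dataclass(frozen=True)
class Employee:
    user: str
    units: FrozenSet[str]        # units whose patient records this person may see
    end_date: Optional[date]     # None while employed; set by offboarding


@dataclass(frozen=True)
class AccessRequest:
    user: str
    record_unit: str             # unit that owns the requested patient record
    client_ip: str
    when: date


# Constructed directory: nurse1 is active; nurse2 left on 2015-11-01.
DIRECTORY: Dict[str, Employee] = {
    "nurse1": Employee("nurse1", frozenset({"ICU"}), None),
    "nurse2": Employee("nurse2", frozenset({"ICU", "ED"}), date(2015, 11, 1)),
}


def decide(req: AccessRequest, directory: Dict[str, Employee] = DIRECTORY) -> Tuple[bool, str]:
    """Default deny: an allow requires every check below to pass."""
    emp = directory.get(req.user)
    if emp is None:
        return False, "unknown user"
    # Offboarding: access stops on the day employment ends, no matter the source.
    if emp.end_date is not None and req.when >= emp.end_date:
        return False, "user offboarded"
    ip = ip_address(req.client_ip)
    # A request from the coffee shop down the road never reaches the record check.
    if ip not in HOSPITAL_NETWORK:
        return False, "request from outside the hospital network"
    unit_net = UNIT_NETWORKS.get(req.record_unit)
    if unit_net is None or ip not in unit_net:
        return False, "request not from the record's unit"
    if req.record_unit not in emp.units:
        return False, "user not assigned to this unit"
    return True, "allowed"


if __name__ == "__main__":
    samples = [
        AccessRequest("nurse1", "ICU", "10.20.5.14", date(2015, 11, 20)),   # on the unit
        AccessRequest("nurse1", "ICU", "203.0.113.7", date(2015, 11, 20)),  # off site
        AccessRequest("nurse2", "ICU", "10.20.5.14", date(2015, 11, 20)),   # already left
    ]
    for r in samples:
        print(r.user, r.record_unit, r.client_ip, r.when, "->", decide(r))
```

The ordering matters: the offboarding check comes first so that a departed employee is refused even from a correct location, and the network checks come before the assignment check so that a request from outside the building is rejected before any record-specific data is consulted.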
The point is this: At RES we love healthcare IT, and we respect the teams who deliver it. And while security seems to be a formidable challenge, we think there are proven ways to address and simplify this challenge. We certainly don’t want to put anybody on a wall of shame. We’d rather see our customers on a wall of fame – where the world can see how healthcare IT can work to improve care on a consistent basis for hospitals everywhere.