PHI Security in the Data Analytics Era

A revised version of this post was originally published in HL7Standards, a CorepointHealth affiliate for the April 4, 2014 #HITsm chat focusing on new challenges for health information data security.

The year 2013 significantly changed the context of the healthcare security and privacy conversation. From the Snowden NSA revelations to the HIPAA Omnibus rule, changes in breach characteristics, connected devices, mhealth, IoT and the increasing use of cloud and corporate BYOD policies, one thing is clear: security by obscurity equals no security at all. The burden of protecting PHI is now spread across all data holders, patients, providers and payers alike. Outlined below are some of the unique security issues that will need addressing as healthcare technology moves into a data analytics mindset.

Breach Characteristics: More than 7 million patient records were exposed in 2013 alone, marking a perceived 138% increase from reported 2012 healthcare data breaches. Expect to see a change in how breaches occur, and keep in mind that an uptick in breach notifications doesn’t necessarily imply an uptick in actual data breaches. Everyday PHI breaches of years past went largely unnoticed, whereas now technology helps track and log access. 2014 will see a new focus on targeted identity theft and less focus on lost laptops and stolen hard drives. Human error still accounts for ¾ of all healthcare data breaches, but medical-related identity theft accounted for 43 percent of all identity thefts reported in the United States in 2013.

Federal regulators are planning for a permanent HIPAA audit program to support the 2013 HIPAA Omnibus rule, and the healthcare industry can expect increased scrutiny for violations pertaining to inappropriate disclosure of data and denial of patient access. What has not yet been directly addressed is whether the NSA has accessed, reconstructed or inferred any personally identifiable information covered by HIPAA, such as through Google, Microsoft, Apple, and mobile games, and how a BAA will hold up in such a data collection scenario. Currently, cases are being heard regarding the warrantless access of state-controlled health databases by other federal agencies.

Patient Best Practices Awareness: In other sectors, user data purging and security tools are entering the mainstream. From apps that help consumers navigate terms of service and platform data deletion shortcuts, to password managers and tools to avoid search and web tracking, these are helping users gain control of their personal information. But when it comes to healthcare, how common is it to leave a credit card on file, and how often do patients really check their charts for errors?

The internet of things and connected reality, as they play into mobile and personal health apps, add another layer to patient security awareness. Malware attacks through network-connected appliances such as refrigerators, HVAC and media centers have been of concern recently, and they present an unsuspected entry into a home network. What used to be as simple as using a WPA key on a home router and not handing out an SSN is now a different conversation. Enterprise security has long favored an onion-type approach, or defense-in-depth, but that’s far from the case with personal information security. And the question remains: is defense-in-depth even effective in the personal security space, given its shortcomings in enterprise IT?

PHI in the Cloud: Healthcare IT is finally trusting cloud storage and computing. As of 2013, 30% of healthcare organizations are leveraging cloud technology, and nearly twice that are confident in the future of cloud security. Other industries have proven that cloud computing can be a safe, economical, collaborative and scalable approach to enterprise data management problems. While cloud security will garner much of the spotlight for the next several years, the privacy aspect of distributed data liquidity must be addressed.

Currently, there are no HIPAA restrictions on the use or disclosure of de-identified health data, even though 87% of all Americans can be uniquely identified using only ZIP code, birthdate, and sex. PHI is currently, and will increasingly be, sold to third-party data warehousers, insurers, pharma, marketers, researchers, and more. Current standards for anonymized data do not prevent positive backwards identification. This is the conversation the healthcare industry, and patients, should be having in 2014 regarding cloud computing.
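A data holder can measure this exposure before releasing a "de-identified" extract by counting how many records share each combination of ZIP code, birthdate and sex. The sketch below is an added example, not part of the original post; the records are constructed, and the function names and the coarsening scheme (3-digit ZIP prefix, birth year only) are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample: names removed, quasi-identifiers left intact.
RECORDS = [
    {"zip": "02139", "dob": "1961-07-14", "sex": "F", "dx": "asthma"},
    {"zip": "02139", "dob": "1961-03-02", "sex": "F", "dx": "diabetes"},
    {"zip": "02139", "dob": "1961-11-30", "sex": "F", "dx": "hypertension"},
    {"zip": "02141", "dob": "1975-01-09", "sex": "M", "dx": "migraine"},
    {"zip": "02142", "dob": "1975-06-21", "sex": "M", "dx": "asthma"},
    {"zip": "02446", "dob": "1988-12-05", "sex": "F", "dx": "depression"},
]

def exact(r):
    """Quasi-identifier tuple as released: full ZIP, full birthdate, sex."""
    return (r["zip"], r["dob"], r["sex"])

def generalized(r):
    """Coarsened tuple (assumed scheme): 3-digit ZIP prefix, birth year, sex."""
    return (r["zip"][:3], r["dob"][:4], r["sex"])

def class_sizes(records, key):
    """How many records share each quasi-identifier combination."""
    return Counter(key(r) for r in records)

def k_anonymity(records, key):
    """Smallest equivalence class; k == 1 means someone is unique."""
    return min(class_sizes(records, key).values())

def unique_fraction(records, key):
    """Share of records whose quasi-identifier combination is unique."""
    sizes = class_sizes(records, key)
    return sum(1 for r in records if sizes[key(r)] == 1) / len(records)

def suppress_below(records, key, k):
    """Withhold records whose equivalence class is smaller than k."""
    sizes = class_sizes(records, key)
    return [r for r in records if sizes[key(r)] >= k]

if __name__ == "__main__":
    print("exact:       k =", k_anonymity(RECORDS, exact),
          "unique =", unique_fraction(RECORDS, exact))
    print("generalized: k =", k_anonymity(RECORDS, generalized),
          "unique =", round(unique_fraction(RECORDS, generalized), 2))
    safe = suppress_below(RECORDS, generalized, 2)
    print("after suppression:", len(safe), "records, k =",
          k_anonymity(safe, generalized))
```

Coarsening alone still leaves one record unique in this sample, so the release check has to combine generalization with suppression of small groups.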

Corporate BYOD: Sorry, but that cat left the bag 5 years ago. Employees are using their personal devices at work, regardless of policy. The best bet to mitigate BYOD security risks is to address them head on, and support secure solutions that enable users’ workflows. Secure SMS and texting has been solved. HIPAA compliant platform-as-a-service is a thing. There are mobile apps to address medical imaging, rounding, clinical diagnosis, EHR integration, and countless vendors are developing platform-down solutions for providers.

Beyond mobile security and BYOD policy, the issue will be how breaches on these devices will be reported and analyzed. Currently, the HIPAA Wall of Shame classifies all mobile device breaches under the catch-all “Other Portable Electronic Device” which, as mhealth really enters the mainstream, will be a near-useless designation.

Mobile Health Security: In this context, mHealth refers to medical apps used by patients, not wellness/fitness apps nor clinical practice or reference apps. Current efforts in the private sector to certify mobile health applications have failed, largely due to a lack of understanding around mobile health security. Mobile apps and devices come with complex challenges not seen elsewhere in healthcare, particularly around workflow data integration, security and user experience. Two camps have emerged: platform-down apps such as those from Athena and Greenway, and independent shops like AliveCor and Glooko who have yet to meaningfully integrate into major vendors. The third obvious play would come from valley tech giants, but despite rumors, nothing of substance has been shipped.

While certain security best practices should never be skipped (encryption, SSL, passkeys, etc.), user experience should come first and foremost. Security is nearly insignificant if no one uses an app, and patients will not tolerate poor design. Many questions remain regarding shortcomings of FDA mhealth software regulation. Are medical providers the best individuals to evaluate an mhealth app for security and patient usability, and how may the design, developer and infosec communities better help educate the medical community? It will be important to address provider shortcomings in prescribing and recommending patient-facing mhealth tools, especially around efficacy, privacy and security.

