According to a recent study performed by the Ponemon Institute, nine out of 10 hospitals in the United States have suffered from an intrusion or data breach at some point in the last two years. As a result of dramatic changes in patient information management and security risks, today’s healthcare IT industry has drastically transformed. Government regulation and technology advances have fueled explosive growth in creating and storing protected healthcare information (PHI). To prepare for the new threat landscape that is targeting patient data, healthcare organizations must understand the risks of noncompliance and how verified, secure, and cost-effective technologies will help meet Health Insurance Portability and Accountability Act (HIPAA) requirements.
The Risks of Noncompliance
The healthcare industry is well prepared for many types of emergencies and problems, according to the 2012 National Preparedness Report conducted by the Federal Emergency Management Agency. However, the same study found that by and large, healthcare providers are not ready to face a cybersecurity attack.
According to the report, cybersecurity “was the single core capability where states had made the least amount of overall progress.” Only 42 percent of state officials believed that they were adequately prepared. According to the same report, just under two-thirds of all U.S. companies have sustained cyberattacks over the past six years and, between 2006 and 2010, the number of reported attacks in the U.S. increased by 650 percent. At the Aspen Security Forum in May 2012, Keith B. Alexander, head of the National Security Agency and the new United States Cyber Command, stated that the U.S. has seen a 17-fold increase in attacks against its infrastructure between 2009 and 2011.
In this tumultuous environment, compliance with HIPAA requirements is a top priority. Prior to 2009 and the signing of the Health Information Technology for Economic and Clinical Health (HITECH) Act, there was a general consensus in the healthcare industry that HIPAA had not been rigorously enforced. Under HITECH, healthcare providers may now be penalized for “willful neglect” if they cannot demonstrate reasonable compliance with the Act. These penalties can extend up to $250,000, with fines for uncorrected violations of up to $1.5 million.
Under some circumstances, HIPAA’s civil and criminal penalties may also now include business associates. While an individual cannot sue a provider, the state attorney general may bring an action on behalf of state residents. Additionally, the U.S. Department of Health and Human Services (HHS) is now required to conduct periodic audits of covered entities and business associates. This means that healthcare providers must have systems in place to monitor business practices and relationships to assure consistent security for all medical information.
In addition to these penalties, providers face significant risks to their business if information systems are accessible to attack. In the healthcare industry, such threats may take a variety of forms. The Kern Medical Center in Bakersfield, CA, was attacked by a virus that crippled its computer systems. The hospital took about 10 days to get doctors and nurses back online. During an attack on a Chicago hospital, a piece of malware forced the hospital’s computers into a botnet controlled by the hacker—and the hospital was still dealing with the consequences of the attack a year later. In addition, the DoD is facing a multi-billion-dollar lawsuit based on the theft of a computer tape containing unencrypted personal health information from an employee’s car. The Veterans Administration (VA) waged a two-year war against intrusions into medical device and wireless networks, including picture archiving and communication systems (PACS), glucometers and pharmacy dispensing cabinets.
By having secured management of medical information, patients will be protected against identity theft. At the same time, information needs to be made available quickly when needed, such as to emergency personnel. The resulting benefits are critical for keeping the business competitive:
- Better quality of care for the patient
- Improved patient outcomes
- Increased productivity and workflow efficiency
- Better information at the point of care
- Improved and integrated communications between doctors and patients
Encryption as the Key to Compliance
Encryption tools convert the information in a file or document into an unreadable format before being sent, and then decrypt the content at the other end so authorized personnel can use it. To meet the HITECH Act requirements, encryption must be implemented within both the main service provider network and its associated partner networks. Successful use depends upon the strength of the encryption algorithm and the security of the decryption “key,” or process, when data is in motion (moving through a network, including wireless transmission) or at rest (in databases, file systems, or other structured storage methods).
To achieve compliance with the HIPAA standard, healthcare providers are increasingly turning to verified, certified network security products and architectures. The HHS recommends products certified by the Federal Information Process Standard (FIPS) 140-2 encryption standard to protect healthcare data. Already mandated by the U.S. Department of Defense (DoD) for encryption, FIPS 140-2 is a powerful security solution that reduces risk without increasing costs.
According to the Federal Information Processing Standards Publication, FIPS-140 is “applicable to all agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106.”
Fully FIPS-140 compliant technologies provide organizations with a security level that will remain compliant even after 2030, unlike older cryptographic systems.
Instilling a New Level of Confidence
Organizations with completely closed networks that have no outside access may not be required to implement encryption, but they will need to thoroughly document their justification for not doing so. However, closed networks these days are almost nonexistent—any office at least has Internet access. With increased use of electronic transactions in healthcare, including e-prescribing and electronic communication, most medical organizations are using open systems and need to implement encryption tools.
Technology vendors can easily assert that a system is secure by claiming that it uses the highest encryption technologies available. However, given the public visibility of breaches of trust, there is no reason for organizations to risk the exposure with technology systems that do not meet the FIPS 140-2 standard for information encryption. Without this validation, the network’s cryptography function has demonstrated a less than 50 percent chance of being implemented correctly. This means there is a 50 percent chance that cryptography can be subverted. The FIPS validation process gives healthcare providers a new level of confidence in the security of their critical data, allowing them to reduce risk without increasing costs.
Tony Jeffs is Director of Marketing for Cisco.