Health care organizations see cyberattacks as growing threat

Another pressure on health care organizations: Surprise HIPAA security audit from the feds

Health care organizations feel under increasing attack from the Internet, while security incidents involving insiders and disappearing laptops with sensitive data are piling up. On top of that, there's now the prospect of a surprise audit from the federal government agency in charge of overseeing the HIPAA security and privacy rules.

Health care organizations are stepping up efforts to protect electronic patient information as they witness increased attacks against hospital networks, mindful how a data breach could hurt patients and their own reputations.

"There is definitely an uptick in attacks," says Dr. John Halamka, CIO at both Beth Israel Deaconess Medical Center and Harvard Medical School in the Boston area. "Privacy is the foundation of everything we do. We don't want to be the TJX of healthcare." TJX is the Framingham, Mass-based retailer which last year disclosed a massive data breach involving customer records.

Dr. Halamka, who this week announced a project in electronic health records as an online service to the 300 doctors in the Beth Israel Deaconess Physicians Organization, acknowledges computers in health care are sometimes compromised as spam relays or to host unauthorized content such as porn.

"It gives attackers a means to distribute it," says Halamka. While he has seen no evidence of attackers targeting health care networks to steal patient data for financial gain, other security experts say that dangerous trend is well under way.

"Health care organizations store a lot of valuable personal, identifiable information such as Social Security numbers, names, addresses, age, in addition to banking and credit-card information," says Don Jackson, researcher at Atlanta-based security services firm SecureWorks.

SecureWorks has recorded an 85 percent increase in the number of attempted attacks directed toward its health care clientele by Internet hackers, with these attempts jumping from 11,146 per health care client per day in the first half of 2007 to an average of 20,630 per day in the last half of last year through January of this year.

SecureWorks believes that some of the most sought-after information is from patients who are members of preferred medical network plans, which hackers turn around and sell as credentials to criminals specializing in illegal immigration.

"Credentials information is usually stolen via targeted cyberattacks," says Jackson, adding he's seen several cases where health insurance credentials were sold to criminals in the counterfeit document racket, especially in Central and South America.

Insider attacks are also a worry. Tenet Healthcare, which owns more than 50 hospitals in a dozen states, last month disclosed a security breach involving a former billing center employee in Texas who pled guilty to stealing patient personal information. He got nine months in jail.

And in an identity fraud case in Sarasota, Fla., last month, an office cleaner who gained access to the patient files of an anesthesiologist who rented an office at HealthSouth Ridgelake Hospital pled guilty to fraud for ordering credit cards on the Internet with stolen patient personal information. He got two years' jail time.

Lost and stolen laptops have also been a problem, with disclosure of missing personal information related to patients or employees at Duluth, Minn.-based Memorial Blood Center, Mountain View, Calif.-based Health Net, Sutter Lakeside Hospital at Lakeside, Calif., and the West Penn Allegheny Health System revealed just within the last three months.

The HIPAA surprise audit
Besides the loss of confidence such security incidents provoke, the specter of government regulatory probes is looming related to the federal security and privacy rules in the Health Insurance Portability and Accountability Act (HIPAA).

The U.S. Department of Health and Human Services (HHS), which oversees HIPAA compliance, has contracted with the firm PricewaterhouseCoopers (PWC) to conduct surprise audits of hospitals this year, says Gartner analyst Barry Runyon.

"It's complaint-driven," says Runyon, noting that Tony Trenkle, director of the Centers for Medicare & Medicaid Services at HHS, last month publicly said the first 10 or so reviews will be at hospitals where CMS received complaints about security. In visiting the health care organization, the government regulatory probe will focus on security risks associated with remote access to data and portable storage concerns, with security managers expected to answer a lot of questions.

CMS plans to publish the results of these audits on its Web site but not the organization's name, unless it uncovers major lapses, which could result in fines or other penalties as defined under the HIPAA guidelines. Last month, Atlanta's Piedmont Hospital was revealed by HHS to be the first unannounced HIPAA security audit.

Health care, heal thyself
IT managers indicated they're taking proactive steps to secure external network access while also ensuring that authorized network users are limited to seeing only what they rightfully should.

At Mount Sinai Medical Center in New York City, the policy there is very strict about employees even looking at patient records without reason. "It's the curiosity factor," says Jack Nelson, CIO at Mt. Sinai, who notes that employees are told when hired they can be fired for online peeking -- and some have been.

"It's one strike and you're out -- and that's [for] clinicians as well," says Nelson, noting that the hospital's systems are generally role-based and keep track of every single access to a record.

Nelson says his biggest concern is not hackers trying to break in but sensitive data flying out over the network, including Mt. Sinai's voluminous clinical-lab test documentation. So Mt. Sinai recently installed Symantec data-loss prevention software on client computers to monitor outbound traffic.

HIPAA isn't the only set of security and privacy regulations that Mt. Sinai cares about. "When you have a data loss of about the magnitude of 10 patient records, you have to report that to the New York State Dept. of Health," says Nelson. "That's a serious violation."

Like Mt. Sinai Medical Center, Miami-based health benefits company AvMed Health Plans is also making use of data-loss prevention monitoring equipment to make sure sensitive data related to health claims is transferred appropriately.

Some e-mail communications with physicians' offices and hospitals must be encrypted under the HIPAA guidelines, notes Charles Hibnick, chief systems security architect at AvMed. The Palisades PacketSure monitoring equipment deployed since last October provides a way to determine that policy is being followed since it flags errors that might occasionally occur, such as someone forgetting to encrypt an e-mail's content.

"People sometimes say thank you when we catch this," says Hibnick. The monitoring is increasingly important since about 80 percent of health claims at AvMed are electronic, rather than predominantly fax, as they were just five years ago.

The prospect of an unannounced HIPAA audit by the government is an event that could shake anyone up, but in the final analysis, the federal probes are probably good for the health care industry, says Mark Jacobs, director of technology services in the datacenter operations at Pennsylvania-based WellSpan Health.

"HIPAA did help in some regard, getting the health information community to do audit, logging, and secure messaging and encryption," Jacobs notes, adding HIPAA has propelled his health care organization into new practices, such as adopting a security governance framework, single sign-on, and password provisioning.

This story, "Health care organizations see cyberattacks as growing threat" was originally published by Network World.