We live in an era where technology advances at a previously unimaginable pace. For all the benefits, IT security teams struggle to keep their knowledge current enough to reduce the vulnerabilities that each new technology brings. Driven by the digital transformation of health care over the past decade, organizations have seen measurable gains in operational efficiency and patient care, but at the same time they are exposed to a greater number of technological threats.
Black Book Research reports that over 93% of health care organizations have experienced a data breach of some kind over the past five years. According to reports from Protenus and databreaches.net, health care data breaches tripled in 2019, affecting 41 million records compared with 15 million patient records the previous year. 25 million of those records were exposed when the billing services vendor American Medical Collection Agency (AMCA) was compromised for eight months, between 1 August 2018 and 30 March 2019. As a result, AMCA's parent company, Retrieval-Masters Creditors Bureau, filed for Chapter 11 bankruptcy protection in June.
These alarming trends are not specific to any geography and are a rude awakening to the growing global threat to health care organizations, which hold decades of sensitive patient data. Among the 572 incidents reported last year there was an increase in hacking, in more carefully orchestrated large-scale data breaches, in phishing attacks and in privacy breaches caused by staff. As with financial institutions, insiders are a significant source of exposure: employees were responsible for breaching 3.8 million patient records in 2019, up from 2.8 million in 2018.
Given these trends and what is at stake in terms of patient privacy, organizational credibility and financial consequences, it is essential that health systems put measures in place to secure health care data. This problem cannot be solved by a single entity acting alone; it has to be tackled at a national level. The COVID-19 era is a clear example of how health care is no longer a privilege but a right, and of how its security can have positive or detrimental effects on a whole country. National guidelines and legislation set the foundation that all health systems must comply with. As interoperability and automation increase the mobility of and access to data in support of better patient outcomes and population health, stringent technical guidelines and national privacy and security protocols need to be established. Organizations such as the US National Institute of Standards and Technology (NIST) and ISO have published the guidance needed to build such protocols. Some countries and states, such as California with the California Consumer Privacy Act of 2018, have gone a step further with more stringent data protection legislation. Under such laws patients can learn what information organizations collect about them, how and when it is sold or shared and who accesses it, and they gain a say in how it can be used. Without such checks and balances, organizations would be left to define their own methods, which might not guarantee the required level of security.
The second most important aspect is organizational data governance and policy: a clear protocol for how data is stored, retrieved, maintained, used and shared. These policies need to be revisited and revised periodically so that each organization accounts for the accelerating pace of technological change.
Thirdly, a policy is only as good as its implementation and enforcement at every level of the organization, so it is critical to provide the required training and awareness regularly.
Finally, there is the people factor, which is only as strong as its weakest link. Looking deeper into the root causes of this growing trend, besides the process and technology factors there is a human behavioral factor that helps explain why people engage in such practices. In the November 2014 edition of Psychology Today, Andy Yap, a lecturer at MIT's Sloan School of Management, argues that it is the environment, and not an intrinsic quality such as personality, that abets rule breaking. Other motivating factors include financial gain, espionage, fun, ideology, grudges and, in some cases, plain human error and system glitches.
In light of these threats and factors, it is vital to have auditing and monitoring tools in place to identify any breach of the policies or protocols each health care organization has implemented. Tools without the right skills and knowledge behind them are ineffective, so it is equally essential to establish and invest in a security and forensics team that is trained and equipped with the resources required to police the system.
P2Sentinel™ is the auditing solution Cerner uses to track user access to confidential patient data in Cerner Millennium® and other clinical solutions and systems. Patient privacy is fundamental to health care cyber-security programs, and P2Sentinel provides a record of access to patient information within the organization. Its real-time Complex Event Processing (CEP) engine is designed to rapidly ingest and analyze the large volumes of audit data available from disparate sources and to provide immediate notification of actions taken by end users, which gives insight into any data or privacy breach, together with detailed statistical and analytical reports of security non-compliance when required. It uses recommended workflows to investigate audit events for possible privacy, security and regulatory compliance issues. Alerts are raised on a specific event or on a threshold being crossed, which helps reviewers prioritize. It also assists in identifying anomalies in the interactions between patients and providers. P2Sentinel reports can be executed on demand, giving security officers near-real-time auditing for a given time frame or other dimensions, such as provider or patient identifiers, which helps clients comply with industry regulations.
Having adequate auditing tools in place is the first step in combating the problem; the next step for organizations is to develop a process that uses these tools to identify, contain, control and prevent data breaches. An ideal approach is to use historical audit logs with machine learning algorithms to build a definition of what is "normal" for an individual, a department or a role, and then to look for behavior that deviates from that normal, so that breaches are flagged and intercepted as they happen rather than discovered afterwards. Instead of only investigating breaches retrospectively, after the damage is done, organizations are then able to mitigate them by monitoring human behavioral patterns in system utilization against each user's current role and departmental responsibilities.
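The following is an added illustration of that baseline-and-deviation approach, written for this page; it is not Cerner or P2Sentinel code and does not use a real P2Sentinel audit format. It assumes a constructed comma-separated access-audit record (timestamp, user, role, user's department, patient, patient's treating department), builds a per-role baseline from five days of constructed history using the median and median absolute deviation of three daily features (distinct patients viewed, share of accesses outside the user's own department, share of accesses after hours), then scores a new day with a modified z-score and combines that with the kind of fixed threshold rule the previous section describes (a hard cap on distinct patients per day). The 3.5 cut-off is the Iglewicz-Hoaglin rule of thumb for modified z-scores; the feature floors are an assumption chosen so that a feature with near-zero spread in the history still produces a usable scale.

```python
"""Role baseline over constructed access-audit events (added example, not P2Sentinel output)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed record layout (an assumption for this example):
#   ts,user,role,user_dept,patient,patient_dept
@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    dept: str
    patient: str
    patient_dept: str   # department currently treating the patient


def parse_line(line: str) -> AccessEvent:
    ts, user, role, dept, patient, patient_dept = line.strip().split(",")
    return AccessEvent(datetime.fromisoformat(ts), user, role, dept, patient, patient_dept)


def daily_features(events):
    """Per (user, role, day): distinct patients, share outside own dept, share after hours."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e.user, e.role, e.ts.date())].append(e)
    feats = {}
    for key, evs in buckets.items():
        n = len(evs)
        feats[key] = {
            "patients": len({e.patient for e in evs}),
            "cross_dept": sum(e.dept != e.patient_dept for e in evs) / n,
            "after_hours": sum(e.ts.hour < 7 or e.ts.hour >= 19 for e in evs) / n,
        }
    return feats


FLOOR = {"patients": 1.0, "cross_dept": 0.05, "after_hours": 0.05}  # assumed minimum scale
Z_LIMIT = 3.5    # Iglewicz-Hoaglin modified z-score cut-off
HARD_CAP = 50    # threshold rule: distinct patients per day, independent of baseline


def role_baseline(feats):
    """(median, scale) per role and feature; scale = 1.4826*MAD, floored."""
    per_role = defaultdict(lambda: defaultdict(list))
    for (_user, role, _day), f in feats.items():
        for name, v in f.items():
            per_role[role][name].append(v)
    base = {}
    for role, cols in per_role.items():
        base[role] = {}
        for name, vals in cols.items():
            med = median(vals)
            mad = median(abs(v - med) for v in vals)
            base[role][name] = (med, max(1.4826 * mad, FLOOR[name]))
    return base


def review(day_lines, baseline):
    """Return [(user, day, sorted reasons)] for user-days that deviate from their role."""
    alerts = []
    for (user, role, day), f in daily_features(map(parse_line, day_lines)).items():
        base = baseline.get(role)
        if base is None:
            alerts.append((user, str(day), ["no_baseline"]))
            continue
        reasons = [n for n, v in f.items() if (v - base[n][0]) / base[n][1] > Z_LIMIT]
        if f["patients"] > HARD_CAP:
            reasons.append("hard_cap")
        if reasons:
            alerts.append((user, str(day), sorted(reasons)))
    return alerts


def constructed_history():
    """Five quiet weekdays: four ward nurses view 8-11 ward patients each, rarely one from ICU."""
    lines = []
    for d in range(5):
        for i, u in enumerate(["n1", "n2", "n3", "n4"]):
            for p in range(8 + (i + d) % 4):
                hour = 8 + (p * 11) % 10                       # 08:00-17:00 only
                other = "ICU" if (p + d) % 9 == 0 else "WARD-A"
                lines.append(f"2019-11-{4 + d:02d}T{hour:02d}:00:00,{u},nurse,WARD-A,P{i * 100 + p},{other}")
    return lines


def constructed_day_under_review():
    """n2 behaves as usual; n4 views 40 patients, 24 of them ICU, half of it at 22:00."""
    lines = [f"2019-11-11T{8 + (p * 11) % 10:02d}:00:00,n2,nurse,WARD-A,P{100 + p},"
             f"{'ICU' if p == 0 else 'WARD-A'}" for p in range(10)]
    lines += [f"2019-11-11T{22 if p < 20 else 9:02d}:00:00,n4,nurse,WARD-A,P{400 + p},"
              f"{'ICU' if p % 5 in (1, 2, 3) else 'WARD-A'}" for p in range(40)]
    return lines


def run():
    baseline = role_baseline(daily_features(map(parse_line, constructed_history())))
    return review(constructed_day_under_review(), baseline)


if __name__ == "__main__":
    print(run())   # only n4's day should be flagged, on all three features
```

In practice the features would be richer (accesses to patients with no encounter in the user's unit, access to records of co-workers or VIPs, record volume per hour) and the baseline would be rebuilt on a rolling window so that a reviewer's "normal" tracks changes in role and rotation, but the shape is the same: the historical log defines the expected behavior per role, and the alert is the deviation, not the individual access.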
The health care industry has evolved immensely over the years, and much of that change has been driven by technology. Such advances have helped Cerner improve its understanding of complex medical and physiological issues and lower the barriers to delivering care directly to patients. Alongside our health care-focused technology, our data security solutions help health care executives develop and embed strong data security strategies.
- https://healthitsecurity.com/news/the-10-biggest-healthcare-data-breaches-of-2019-so-far
- https://portswigger.net/daily-swig/the-latest-healthcare-data-breaches
- https://www.fiercehealthcare.com/tech/number-patient-records-breached-2019-almost-tripled-from-2018-as-healthcare-faces-new-threats