Tag Archives: medical

Keeping Mobile Health Data Secure

October 9, 2012 by jaredwilliams1234 Comments Off on Keeping Mobile Health Data Secure

Making the Most of Encryption, Other Precautions

By October 8, 2012.

Breaches involving lost or stolen unencrypted mobile devices, especially laptops, continue to grab headlines. Of the 498 major breaches tracked by federal officials since September 2009, about 54 percent have involved lost or stolen unencrypted computers or storage media (see: Stolen Devices a Persistent Problem.)

Given all the publicity about these breaches – and the fact that the loss or theft of an encrypted device doesn’t have to be reported as a breach – why isn’t the encryption of mobile devices more widespread?

For starters, identifying and wrangling all corporate and personally owned mobile devices used in a healthcare setting that are candidates for encryption isn’t simple.

And then there’s the challenge of addressing misperceptions about encryption. That includes concerns about high costs (the price has come down substantially in recent years), difficult implementation (sometimes it’s as easy as turning on a factory-installed setting), and adverse impact on device performance (which some experts say is no longer a major issue).

“I’ve found that there is much misinformation and misunderstanding about encryption throughout the populations of doctors, nurses and other healthcare providers,” says security consultant Rebecca Herold, who heads Rebecca Herold & Associates.

Some provider organizations, including Beth Israel Deaconess Medical Center in Boston, have determined that to energize efforts to encrypt mobile devices, they must launch a high-profile campaign. And a growing number of providers, including Henry Ford Health System and the Department of Veterans Affairs, are turning to mobile device management systems to help prevent breaches involving mobile devices.

In addition, minimizing the data that gets stored on mobile devices also can help prevent breaches.

Encryption Strategy

When it comes to new devices that come equipped with encryption capabilities, making sure those settings are turned on before allowing network access should be made a matter of policy, Herold says.

“Current encryption solutions exist for mobile computers, such as laptops, and for storage devices, like USB drives, that are transparent to the user, don’t noticeably impact response time and are very easy to use, in addition to being comparatively inexpensive,” Herold says.

Encryption costs are small when compared with the cost of a breach, which “could ultimately cost an organization over $1 million” just for federal penalties for HIPAA non-compliance, she notes.

Putting encryption into practice soon will become easier, thanks to a rule for Stage 2 of the HITECH Act electronic health record incentive program, says Mac McMillan, CEO of CynergisTek, a data security and privacy services firm. The software certification rule requires that EHR software be designed to encrypt, by default, electronic health information stored on end-user devices.

“This forces encryption; you’d have to consciously turn it off,” McMillan says.

A High-Profile Effort

For many healthcare organizations, especially larger ones, identifying devices that lack encryption and then making sure they’re actually encrypted is proving to be a tall order. To help with the effort, Beth Israel Deaconess Medical Center is taking extraordinary steps to call attention to its encryption effort.

After an unencrypted laptop was stolen this spring from a physician office at Beth Israel Deaconess Medical Center in Boston, the organization put into place a mandatory encryption program for institutionally owned and personally owned mobile devices (see: Laptop Theft Spurs Encryption Ramp Up). In recent months, the medical center has set up several encryption depots on its Boston campus so that employees can bring their mobile devices in to ensure the gear is encrypted and up-to-date with anti-viral software and patches.

The medical center expects to complete encryption of all institution-owned mobile devices used to access patient information by the middle of this month, says John Halamka, CIO.

“In the next few weeks, we will be sending out a list of institutionally owned devices that have been encrypted to each manager and asking the manager to attest these are the only institutionally owned mobile devices in use within their area of responsibility,” he says.

For personally owned mobile devices being used for medical center business, Beth Israel Deaconess will provide advice and assistance on initial encryption, Halamka says. “For the most part, the encryption solution of choice will be whatever is native to the device’s operation system, for example Filevault or Bitlocker. If nothing native is available, we’ll suggest Truecrypt, an open source product,” he says. “We will require attestation of mobile device encryption when passwords are renewed.”

Mobile Device Management

Besides encryption, some organizations are also turning to mobile device management systems to help prevent breaches involving portable devices.

For the last year, Henry Ford Health System, which operates five hospitals, a medical group and health plan in Michigan, has been using a mobile device management system from AirWatch. The MDM requires all mobile devices that access the organization’s e-mail systems to have a screen lock with password protection that is triggered after a few minutes of inactivity, says Michael Starosciak, manager of client technical services.

Also, if a mobile device is lost, it’s “unenrolled” from AirWatch, preventing further access to the organization’s e-mail system and automatically erasing e-mail data from the device, Starosciak explains.

In addition, the health system requires employees to report a lost device immediately, so carrier service to the device can be stopped. The MDM system then remotely wipes all sensitive data from the device. If a personal device, such as a smart phone used on the job, is lost, the same policy holds.

For mobile devices that are shared among users, such as clinicians on different shifts, users can unenroll from AirWatch after their shift ends so that data is erased from the device before it’s used by someone else.

Among the other organizations that are turning to mobile device management systems is the Department of Veterans Affairs. The VA this month awarded a $4.4 million contract to FirstView Federal Technology Solutions LLC, for an MDM system that will eventually support 100,000 VA-owned and personal devices.

Additional Steps

Beyond adopting encryption and implementation of an MDM system, other steps organizations can take to help prevent breaches involving laptops and other mobile devices, Herold says, are:

  • Storing as little protected health information on mobile computers as possible;
  • Having well-written policies and supporting procedures for keeping mobile data secure;
  • Using GPS or some other type of tracking mechanism to help locate a device if it’s lost or stolen;
  • Installing remote wiping software;
  • Conducting regular security training and ongoing awareness communications;
  • Performing spot audits of laptops to make sure they are up-to-date with software patches and anti-viral software;
  • Updating a complete inventory of all laptops and other mobile devices.
News
, ,

Hackers Encrypt Health Records And Hold Data For Ransom

August 21, 2012 by jaredwilliams1234 Comments Off on Hackers Encrypt Health Records And Hold Data For Ransom

By Jordan Robertson – Aug 10, 2012 12:00 PM CT

As more patient records go digital, a recent hacker attack on a small medical practice shows the big risks involved with electronic files.
The Surgeons of Lake County, a medical facility in the northern Illinois suburb of Libertyville, revealed last month that hackers had burrowed deeply into its computer network, infiltrating a server where e-mails and electronic medical records were stored, Bloomberg.com reported on its Tech Blog.
Unlike many other data breaches, the hackers made no attempt to keep their presence a secret. In fact, they all but fired a flare to announce the break-in, taking the extreme step of encrypting their illicit haul and posting a digital ransom note demanding payment for the password.
The doctors turned the server off and notified the authorities, refusing to pay.
“This story is so ironic — most people worry that their health records will be spread all over their local newspaper,” said Dorothy Glancy, a professor at Santa Clara University’s law school who specializes in digital privacy. “But in this case, the doctors — in fact, nobody — can access these records.”
The Surgeons of Lake County isn’t the first health care provider to be targeted by extortionists. The incident, which was spotted by privacy blogger Dissent Doe in a federal database of health-related breaches, showcases an unsettling new strain of opportunism that is emerging as criminals try to exploit the industry’s shift to digital medical records.

Data Breach

The attackers’ choice of tactics, particularly the use of encryption, indicates a level of sophistication and targeting that suggests they knew what they were doing, said Rick Kam, president of ID Experts, a Portland, Oregon-based company that makes data-breach prevention technology and specializes in health care.
Based on the number of practices moving to electronic health records, “many more” of these types of breaches should be expected, Kam wrote in an e-mail.
Until now, medical-data blackmail has been a niche crime, largely because of the difficulty and risk involved. Spam and online bank fraud are easier ways for fraudsters to make money.
One case involved Express Scripts (ESRX), the large prescription- drug benefits manager, and a threat it received in 2008. Someone sent the St. Louis-based company personal information on about 75 of its members, including identification numbers and prescription records, and demanded an unspecified sum. The company refused to pay, and eventually told 700,000 customers that their information could have been exposed.

Patient Confidentiality

In 2003 and 2004, health care facilities came under fire for outsourcing their transcription chores when several California hospitals were blackmailed by their own workers in India and Pakistan.
The spiraling cost of health care and lack of insurance for millions of people have made medical identity theft a growing risk. Security and privacy risks are also emerging with the creation of “health information exchanges,” vast databases that states are setting up to handle electronic medical records.
It’s unclear whether the Illinois surgical center’s records were backed up or have been recovered. The organization declined to comment.
“Safeguarding every patient’s personal information is a top priority at the Surgeons of Lake County,” Scott Otto, the center’s president, said in a statement. “We are devoting significant people and technological resources to help protect patient confidentiality.”
For all of the benefits of making health records electronic, this incident highlights a downside, said Santa Clara University’s Glancy.
“This is a warning bell,” she said. “Maybe they’re the canary in the coal mine that unpredictable things can happen to data once it’s digitized.”

Articles
, , , , , , , , , , , , ,