Best practices to help medical organizations mitigate security breaches

By German (John) Baron, CBET, BSBME, CSP

In previous articles I wrote for 24×7 Magazine, I mentioned that the security of medical devices needs to be prioritized as it is associated with risks, which may range anywhere from business financial loss to compromised sensitive patient information and patient safety. Hence, a collaborative team approach is one of the best ways to minimize risks within our healthcare community.

According to a February security report in the HIPAA Journal, the causes for the major healthcare data breaches include unauthorized access/disclosures, hacking IT incidents, loss/theft incidents, and improper disposal of electronic protected health information (ePHI).1

In this article, I will analyze some of the possible causes of these data breaches and make reference to security controls, which may help to address the identified vulnerabilities. The intent is not to claim a “one-solution” methodology, but to provide references and encourage the collaborative approach needed to address these security issues. The security controls reference is the National Institute of Standards and Technology (NIST SP 800-53 r5, Security and Privacy Controls for Information Systems and Organizations.2

Before we begin, it is important to note that the surge of the Internet of Things (IoT) in healthcare—such as patient monitoring devices that connect to the Internet—means that all of these technologies must be included in the healthcare organization’s security/privacy risk management program. Attacks against any loT device can yield the same aforementioned negative consequences. Hence, it is important to include the IoT technologies in your comprehensive security program based on guidelines from industry experts and government organizations, including the U.S. FDA and the NIST.3

Now, back to the causes of the major healthcare data breaches reported to the Department of Health and Human Services (DHHS) Office for Civil Rights in February 2018. The report first identified unauthorized access/disclosures—of which 135759 records were exposed—and subsequently cited network servers, eHealth records, and other portable electronics and IoT technologies as other possible technologies included in the breaches.

Protecting Precious Documents

A study conducted by researchers from the University of Central Florida College of Health and Public Affairs discovered that paper and films were the most common location of breached data in 65 hospitals. The main causes? Theft, improper disposal, and unauthorized access.18  

To thwart such incidents, healthcare facilities must follow federal requirements for the storage of healthcare records—in addition to considering the implementation of technical and physical security controls, which incorporate access controls.19 Also, IT/security vendors may be able to incorporate their technical access control technologies (i.e., multi-factor authentication) to work with the existing paper document filing systems.20

But to help you on your way, consider following these best practices for protecting paper documents:

  • Fitting doors and windows in all offices and records storage areas with strong locks
  • Keeping filing cabinets and other records storage areas locked whenever they’re not in use
  • Labeling all files, folders, and boxes so that their contents, dates, and extent are clear
  • Regularly equipping offices and storage areas with fire and security alarms
  • Conducting regular security and facility inspections for all work spaces or records storage areas
  • Transferring records with ongoing value to the United Nations Archives and Records Management Section (ARMS), according to records retention schedules
  • Securely destroying obsolete and superseded records as soon as they are no longer needed
  • Maintaining full documentation of all records destroyed or transferred to UN ARMS21

 Hacking IT Incidents

Last November, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) revealed in their Cyber Security News Letter that current and former employees across many industries cause data breaches. Thus, the OCR recommends implementing effective identity and access management tools in order to minimize such risks.22

To add to the OCR’s recommendations, the implementation of a system life-cycle risk management program—which addresses security and privacy controls—may help to strengthen your healthcare organization’s security posture. For this, your healthcare organization can follow the National Institute of Standards and Technology (NIST) Special Publication 800-37 (Risk Management Framework for Information Systems and Organizations—A System Life Cycle Approach for Security and Privacy)23 and NIST Special Publication 800-53 r 5 (Security and Privacy Controls for Information Systems and Organizations).24 The Healthcare Information and Management Systems Society (HIMSS) and its associates also provide some excellent risk management tips at www.himss.org.25

Like HIMSS and the OCR, the U.S. Department of Health and Human Services (DHHS) also provides tips for protecting secure information via the Health IT.gov link. 28 Below are the DHHS’ security recommendations concerning mobile devices, of which they discovered 1,827 records were exposed during loss/theft incidents.

  • Use a password or other user authentication: Authentication is the process of verifying the identity of a user, process, or device. Mobile devices can be configured to require passwords, personal identification numbers (PINs), or passcodes to gain access to them. And the password, PIN, or passcode field can be masked to prevent people from seeing it. Mobile devices can also activate their screen locking after a set period of device inactivity, which helps prevent an unauthorized user from accessing them.
  • Install and enable encryption: Encryption protects health information stored on and sent by mobile devices. Mobile devices can have built-in encryption capabilities, or you can buy and install an encryption tool on your device.
  • Install and activate remote-wiping and/or remote-disabling: Remote-wiping enables you to erase data on a mobile device remotely. If you enable the remote wipe feature, you can permanently delete data stored on a lost or stolen mobile device. Further, remote disabling enables you to lock or completely erase data stored on a mobile device if it is lost or stolen. If the mobile device is recovered, however, you can unlock it.
  • Disable and do not install or use file-sharing applications: File-sharing is software or a system that allows Internet users to connect to each other and trade computer files. But file-sharing can also enable unauthorized users to access your laptop without your knowledge. By disabling or not using file-sharing applications, you reduce a known risk to data on your mobile device.
  • Install and enable a firewall: A personal firewall on a mobile device can protect against unauthorized connections. Firewalls intercept incoming and outgoing connection attempts and block or permit them based on a set of rules.
  • Install and enable security software: Note: Security software can be installed to protect against malicious applications, viruses, spyware, and malware-based attacks.
  • Keep your security software up to date: When you regularly update your security software, you have the latest tools to prevent unauthorized access to health information on or through your mobile device.
  • Research mobile applications (apps) before downloading: Before you download and install an app on your mobile device, verify that the app will perform only functions you approve of. Use known websites or other trusted sources that you know will give reputable reviews of the app.
  • Maintain physical control: Although mobile devices offer numerous benefits, particularly portability and convenience due to their small size—they come with various security challenges. For one thing, mobile devices are easily lost or stolen. There is also a risk of unauthorized use and disclosure of patient health information. Fortunately, you can limit an unauthorized user’s access, as well as thwart tampering or theft of your mobile device by physically securing it.
  • Use adequate security to send or receive health information over public Wi-Fi networks: Public Wi-Fi networks can be an easy way for unauthorized users to intercept information. You can protect and secure health information by not sending or receiving it when connected to a public Wi-Fi network, unless you use secure, encrypted connections.
  • Delete all stored health information before discarding or reusing the mobile device: When you use software tools that thoroughly delete (or wipe) data stored on a mobile device before discarding or reusing the device, you can protect and secure health information from unauthorized access. HHS OCR has issued guidance that discusses the proper steps to remove health information and other sensitive data stored on your mobile device before you dispose or reuse the device.

Moreover, per the DHHS, the HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI) in any form. Here are two of their top tips concerning the improper disposal of ePHI, of which they discovered 9,956 records were exposed:

  1. For PHI in paper records, shred, burn, pulp, or pulverize the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
  2. For PHI on electronic media, clear (using software or hardware products to overwrite media with non-sensitive data), purge (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroy the media (disintegrate, pulverize, melt, incinerate, or shred it).29

Finally, I hope this article provides you with quick references to mitigate vulnerabilities and strengthen the security posture of your healthcare organization. After all, sharing information and working collaboratively will help to protect our sensitive healthcare data and enhance safety for all involved—especially our patients.

German (John) Baron, CBET, BSBME, CSP, has more than 35 years of experience in the biomedical arena, including military medical specialties and clinical experience, and 15 years in the IT security arena. Questions and comments can be directed to 24×7 Magazine chief editor Keri Forsythe-Stephens at kstephens@medqor.com.

References:

  1. https://www.hipaajournal.com/february-2018-healthcare-data-breaches/
  2. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draf
  3. https://pdfs.semanticscholar.org/1627/0313881e30b0b78e56829cbf8e1d378b5e79.pdf
  4. https://www.mdiss.org/about
  5. http://www.himss.org
  6. http://www.aami.org/productspublications/ProductDetail.aspx?ItemNumber=3729
  7. https://industries.ul.com/medical-and-laboratory/cybersecurity-for-network-connected-medical-devices
  8. https://csrc.nist.gov/CSRC/media//Publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf
  9. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
  10. https://www.emergobyul.com/blog/2017/11/encryption-fips-140-and-medical-devices-frequently-asked-questions
  11. http://www.24x7mag.com/2017/10/fips-140-2/
  12. https://www6.gemalto.com/ppc/wp/database?_bt=193771489622&_bk=db%20encryption&_bm=p&_bn=g&gclid=EAIaIQobChMIhrH1h92N2gIVEbnACh31ZwlJEAAYASAAEgI6P_D_BwE
  13. http://www.monitis.com/blog/cc-in-review-the-key-differences-between-sql-and-nosql-dbs/
  14. http://blog.bluetooth.com/bluetooth-security-101
  15. http://www.24x7mag.com/2013/07/the-medical-device-security-life-cycle/
  16. https://safenet.gemalto.com/data-encryption/network-encryption/
  17. https://safenet.gemalto.com/access-management/
  18. https://www.healthcare-informatics.com/news-item/cybersecurity/paper-records-films-most-common-type-healthcare-data-breach-study-finds
  19. https://www.truevault.com/blog/hipaa-compliant-file-storage.html
  20. https://safenet.gemalto.com/multi-factor-authentication/authenticators/pki-smart-cards/
  21. https://archives.un.org/sites/archives.un.org/files/uploads/files/Guidance%20Secure%20Records.pdf
  22. https://www.hhs.gov/sites/default/files/november-cybersecurity-newsletter-11292017.pdf
  23. https://csrc.nist.gov/CSRC/media/Publications/sp/800-37/rev-2/draft/documents/sp800-37r2-discussion-draft.pdf
  24. https://csrc.nist.gov/CSRC/media//Publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf
  25. http://www.himssconference.org/sites/himssconference/files/pdf/MD3.pdf
  26. https://hitrustalliance.net/hitrust-announces-hitrust-csf-roadmap-including-new-simplified-program-small-healthcare-organizations-nist-cybersecurity-framework-certification
  27. https://www.us-cert.gov/sites/default/files/c3vp/framework_guidance/HPH_Framework_Implementation_Guidance.pdf
  28. https://www.healthit.gov/providers-professionals/how-can-you-protect-and-secure-health-information-when-using-mobile-device
  29. https://www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-covered-entities-when-they-dispose-information/index.html