Healthcare: Safety starts with strong IT security

Hospitals and other healthcare organisations have traditionally designed their network infrastructure by concentrating security at the network perimeter, employing security tools as needed to satisfy compliance and other regulatory concerns. Unfortunately, many of these security architectures have not adjusted to the dramatic changes currently taking place in today’s computing environment. As health information exchanges (HIEs), virtualisation, cloud computing and the bring-your-own-device (BYOD) trend become a reality, the need to rethink the security infrastructure and overall IT architecture has become more pressing in the healthcare industry.

We are at a tipping point with electronic health records (EHRs) and the financial incentives to migrate from paper to digital. In the US, for example, federal and state requirements for the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Payment Card Industry Data Security Standard (PCI-DSS) have all become critical factors in the definition of security architecture strategies due to their requirements for segmentation, auditing and control of data.

Vishak Raman

Although similar regulations are currently not widespread internationally, maintaining standards on par with the US rules is important because many countries, for example Singapore, Malaysia, Thailand and parts of the Middle East, aspire to become medical tourism hubs. HIPAA and related compliance requirements will enable these countries to attract medical tourists from the US and other countries looking for assurance of their privacy. On a more technical level, compliance with these established standards will provide a common platform to link up and integrate healthcare institutions in different countries as the industry globalises.

In parallel, networks of the various healthcare organisations, payers, providers and other parties are becoming more integrated. EHR systems are becoming the standard, and patient information is moving digitally and being stored on the healthcare organisation’s network. The use of social media has also increased in the healthcare environment as it enables better communication within and among enterprises and stakeholders, driving business, patient care and charitable foundation work. The BYOD phenomenon and the use of wireless technologies – an important part of the landscape as they help to improve operational efficiency and mobility in today’s hospitals – can complicate the security requirements of networks.

So, in this context, here are some important considerations for healthcare organisations that are currently assessing or revising their IT security infrastructure:

Attacks from all fronts

Healthcare firms should take into account the following trends:

  • Increase of small-scale data breaches
  • Vulnerability resulting from lost mobile devices
  • Vulnerability resulting from increased collaboration and sharing, as well as the use of social networking
  • Proliferation of users’ personal devices (both healthcare workers’ and patients’) within the organisation to access information
  • Potential security breaches associated with medical devices. Insulin pumps and defibrillators, for instance, could be hacked (by breaching improperly secured wireless technologies in these devices) with life-threatening consequences. This phenomenon is coming about due to the rapid increase in the number of intelligent networked medical devices, and the disappearing separation between traditional IT infrastructure and devices (infrastructure and data are merging).
  • Medical devices introduce distinct IT security issues, including:
      • Network-based attacks by traditional IT malware introduced over a network
      • Removable-media attacks, possibly introduced during support or maintenance
      • Device-introduced attacks from devices returned after repair, or from demonstrator or loaner systems
      • Network proliferation: attacks that use a device as a point of entry, then penetrate the enterprise by exploiting similar devices

All these trends are driving the definition and enforcement of strong controls and policies towards users, devices and applications. Healthcare organisations must now be able to detect and control the use of applications on their networks and endpoints based on application classification, behavioural analysis and end-user association, and to detect and control web-based applications at a granular level.

Protecting the network end-to-end

Below are some recommendations for healthcare organisations to take into account as they deal with security issues:

Electronic Medical Record Security (EHR/EMR) (HIPAA/HITECH)

  • Encrypt records in transit from site to site
  • Encrypt remote access to EHR applications

Network segmentation

  • Segment biomedical devices
  • Segment EMR Systems
  • Segment PCI Networks

Web filtering/application control

  • Restrict and monitor employees’ web traffic
  • Restrict use of web-based applications. For instance, allow access to Facebook but prevent viewing of embedded videos or the playing of games
  • Monitor EHR/PHI traffic with data loss prevention (DLP). Prevent credit card information, social security numbers and patient identification numbers from being sent to unauthorised individuals.
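The DLP recommendation above can be illustrated with a small outbound-content scanner. This is an added example, not code from the article or from Fortinet's products; it uses a Luhn checksum to avoid flagging every 16-digit run as a card number, rejects SSN-shaped numbers the SSA never issues, and assumes a hypothetical "MRN-" plus eight digits format for patient identifiers. The sample messages are constructed.

```python
import re
from typing import Dict, List

# Constructed sample of outbound messages (not real data) to scan before they leave the network.
SAMPLE_MESSAGES = [
    "Patient MRN-00012345 invoice: card 4111 1111 1111 1111 exp 12/27",  # Luhn-valid card + patient ID
    "Reminder: appointment Tuesday at 10am, bring your insurance card.",  # clean
    "Forwarding SSN 219-09-9999 for billing, thanks.",                    # SSN
    "Tracking number 1234 5678 9012 3456 for the shipment",              # 16 digits but fails Luhn
]

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # 13-19 digits with optional spaces/dashes
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Assumption: patient identifiers look like "MRN-" followed by 8 digits (hypothetical format).
PATIENT_ID_RE = re.compile(r"\bMRN-\d{8}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects digit runs (tracking numbers, timestamps) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped numbers the SSA never issues (000/666/9xx area, 00 group, 0000 serial)."""
    return not (area in ("000", "666") or area.startswith("9") or group == "00" or serial == "0000")


def scan_message(text: str) -> Dict[str, List[str]]:
    """Return the sensitive items found in one message, keyed by category."""
    findings: Dict[str, List[str]] = {"card": [], "ssn": [], "patient_id": []}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings["card"].append(digits)
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings["ssn"].append(m.group())
    findings["patient_id"].extend(PATIENT_ID_RE.findall(text))
    return findings


def should_block(text: str) -> bool:
    """Policy decision: hold any outbound message that carries at least one finding for review."""
    return any(scan_message(text).values())
```

In practice the matched values would be logged only in masked form; the scanner returns them in full here so the decision logic can be checked.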

In each of these areas, healthcare organisations need to eliminate potential blind spots, demonstrate their policy compliance, lower their response times to security incidents, accelerate adoption of best practices and expert systems, and reduce the potential for significant loss to reputation and revenue.

Fortinet advocates that healthcare organisations think about the implementation of a complete IT security strategy while embracing HIPAA and PCI regulations. Healthcare organisations need to segment, monitor and control the various aspects of their operations, including users, behaviour, data, devices, operating systems and applications. The consolidation of security functions into unified threat management devices should be seriously contemplated, as it is the best way that organisations can gain end-to-end visibility and control while decreasing cost and complexity.

About HIPAA and HITECH

Enacted by the US Congress in 1996, HIPAA comprises two parts: one protects the health insurance of workers and their families, the other standardises administrative processes in the healthcare system. In the process it also helps to secure health data and ensure the privacy of that information.

HIPAA aims to drive adoption of network security solutions and create a disciplined environment in which healthcare organisations protect the access to and confidentiality of electronic health information. It also ensures that doctors and patients can access the personal medical information they require. This is already a step ahead in ensuring that there are overarching rules of engagement in today’s chaotic cyberspace.

HIPAA holds promise for law and order to take root in the virtual space for the healthcare vertical. It is imperative that the industry takes on a more orderly way to communicate medical information, as globalisation causes patients to travel seamlessly across the world for professional and personal reasons.

In the midst of this evolving landscape lies a not-so-distant, if still only hoped-for, future in which individuals can seamlessly access their own medical records when relocating or moving overseas. Medical practitioners could then treat their patients more holistically, instead of diagnosing piecemeal or relying on the patient’s ability to keep all printed files safe, to fully grasp his or her own ailment(s) and to communicate them accurately to the next available doctor.

In the broader scheme of things, both HIPAA and the HITECH Act are key standards for addressing the privacy of electronic protected health information and medical records.

Compliance requires the implementation of technical policies and controls over the systems managing such information, allowing access only to people or software that have been granted access rights.
