The Heartbleed
web security exploit was first publicized a month or so ago. In the
time since then, numerous web-based services have let their users know
(some more clearly than others) whether and how their data security was
compromised by this OpenSSL flaw that has been open for about two years.
This is one flaw, one exploit, but on a scale of 1 to 10, it has
registered as an 11 on our collective consciousness. Fred Trotter notes
in the MIT Technology Review that other similarly worrisome exploits do
not get our attention in the same way, and that more health data leaks are likely
in our future. He also cites others' observations that many health IT
vendors are not currently equipped to respond effectively to such
exploits in a timely manner.

Everyone loves to hate HIPAA
(including those who can't spell it correctly). The core of the privacy
and security protections in HIPAA (including the HITECH Act updates) is
directed at improving the baseline of patient control (over who has the
right to see which pieces of personal health information) so that we
can all have greater confidence in EHR systems and related electronic
systems handling our health care data. Rather than continuing to heap
abuse on HIPAA, I think that critics should turn to addressing the
underlying problems of our worldwide cloud infrastructure that, for all
the benefits it enables, has its warts. Financial and health care data
are regularly stolen online, and health care records fetch a premium on the black market thanks to the richness of their data. The FBI shares
Fred's perspective regarding the likelihood of additional exploits
targeting the health care sector (particularly given the January 1, 2015
target date for Meaningful Use compliance), so this is not the last
we'll be hearing about large-scale security exploits.

The deadline to transition to EHR is January 2015, which will create
an influx of new EHR coupled with more medical devices being connected
to the Internet, generating a rich new environment for cyber criminals
to exploit. According to open source reporting from SANS, Ponemon, and
EMC²/RSA, the health care industry is not technically prepared to combat
against cyber criminals’ basic cyber intrusion tactics, techniques and
procedures (TTPs), much less against more advanced persistent threats
(APTs). The health care industry is not as resilient to cyber intrusions
as the financial and retail sectors; therefore, the possibility
of increased cyber intrusions is likely.
FBI Cyber Division Private Industry Notification 140408-010. (Update 5/1/2014: Original PIN 140408-009 was updated to reflect new FBI contact information. A reader provided a copy.)

So what is to be done?

First, come to terms with the fact that
privacy and security are not absolutes. The sooner you do, the happier
you'll be. As a family member of mine used to say, "It is what it is."

Second, keep an eye on The Wall of Shame starting
in early June. Health care data breaches experienced by covered
entities under HIPAA involving 500 or more individuals must be reported
to OCR within 60 days of discovery, and are posted there. (Breaches
involving fewer than 500 individuals are to be reported within 60 days
of year-end.) So far, the only Heartbleed breaches we've heard about
involve Canadian social security numbers and a newspaper. Information
about breaches tied to Heartbleed may turn out to paint an interesting
picture of health IT vendors serving covered entities. (I don't think
that the fact that the Heartbleed exploit was available for two years
is, in and of itself, a breach worthy of notification. If it were, OCR
could be deluged with breach notifications.)

Third, don't just give up. Do your part
to ensure that health data are kept as private and secure as possible.
Policies and procedures should be in place -- and should be followed
(yeah, that) -- to minimize the likelihood of a damaging
breach, and the effect of a breach when it occurs. Take warnings to
heart, and act on them in a timely fashion.

In the face of all these questions about inappropriate access to information in health records, concern about the accuracy of data input into EHRs
was recently identified as the leading concern consumers have about
EHRs. So there are concerns about data coming into the system as well as
concerns about data coming out of the system.

The industry has a lot of work to do to assure stakeholders that data
privacy and security, as well as data integrity, are well in hand.

What are you going to do?

David Harlow
The Harlow Group LLC
Health Care Law and Consulting
photo: flickr cc liamq