Compliance does not equal IT security: HIMSS

March 02, 2016
by John W. Mitchell, Senior Correspondent
In a talk that sometimes wandered into technical language, two data security experts ultimately imparted a simple message: hackers have nothing but time to spot and exploit complacency in hospital security measures.

“Electronic health records security relies on discipline and repeatable processes,” Mac McMillan, CEO at Cynergis Tek, told the large audience. He stressed that the HIPAA rules governing hospital compliance with patient privacy and the protection of health records have not kept pace since they were enacted in 1996. Meanwhile, hackers have evolved very quickly in recent years.

“These attacks cost millions and affect patient care,” McMillan said, citing recent cases of ransomware in which hospitals had to pay hackers to get control back over electronic records and systems. “Many hospitals that have been in the news recently were compliant and had one certification or another to prove it, but were still breached,” he added.

Co-presenter Jay Adams, Director of Information Security at Tallahassee Memorial Health System (TMHS), said no hospital IT manager can watch everything.

“Large hospitals create up to 1.6 million data logs a week,” he said. He stressed that automated systems should be in place to monitor and track data movement both into and out of a health care system. Both McMillan and Adams emphasized that people are always the weakest link in IT security. They urged hospitals to adopt ongoing training to educate their employees and medical staff about hackers.

At TMHS, Adams conducts quarterly “phishing drills” in which he sends out emails to entice employees to click on a link or attachment that is configured to resemble malware or other common hacker strategies. When he first started this training, nearly 12 percent of staff launched such simulated attacks.

“Email is a big threat,” Adams stressed. He told HCB News that in order to reduce hacker access through imaging files, they adopted a system 18 months ago that only allows physicians to view images but not move files outside the hospital data system. This “glass pane” measure gives physicians everything they need to manipulate an image, but keeps the door closed to hackers.

Other key points of the presentation included:

Vendor software is often not as secure as it should be. Do not do business with any vendor who claims that installing anti-virus software will impede the performance of their software.

Speedy incident response to a detected data breach is key to minimizing damage. C-suite leaders should be trained about these threats and have a readiness plan so they know how they must respond in the event of a known attack.

Encryption, which renders data unreadable to hackers, should be used wherever possible. There was discussion about the need for encryption in emails, especially when transferring copies of records to patients, as well as when sharing health records in population health management.

All data moving around and out of any electronic health record system should be continuously monitored, and anomalies immediately tagged and investigated.

Some 98 percent of all breach events exploit a known security threat that is at least a year old. About 50 percent of such attacks are rooted in threats that had been known to the hospital for at least five years.