Recently, I spent some time with several US physicians discussing the Obamacare requirement that forces doctors and hospitals to store patient data electronically. All were unanimous in this statistically invalid survey: there's cyber security trouble ahead.
But there's strong--statistically valid--evidence supporting the alarmism:
Issue #1: Security mandates are vague. The government has put in place some general requirements that leave a lot of room for interpretation. PCI should be the standard given its specificity and success. Has anyone in the government read page 62 of the Verizon Data Breach Report, which states, "Similar to past reports, most organizations (89%) suffering payment card breaches had not been validated compliant with PCI DSS at the time of the breach."?
It gets worse. Just today, the Center for Democracy and Technology writes:
...many people – and, it appears, legislators – seem to assume that all health information is protected under HIPAA. This is incorrect, however, and the assumption that health information is already fully protected in commercial contexts may be leading to its exclusion in proposed data breach bills currently circulating in Congress. Not only do the bills fail to protect health data, but the preemption clauses in some of the bills would prevent state legislatures from enacting their own health privacy safeguards. As a result, if any of the data breach bills introduced in this Congress pass as currently written, a commercial entity that loses, say, your full name and a list of your medications would not be obligated to notify you.
Issue #2: Security won't get attention until something nasty happens. This month's Health Data Management has a feature article entitled Unraveling Data Breaches. The article highlights a key point those of us in security know all too well:
Privacy and security officers, often ignored and unfunded before a breach, suddenly find themselves to be appreciated and getting substantial budgets after a major breach...
Getting medical records will be very attractive to both insiders and hackers. Last month, UCLA medical center had to pay $1M in settlements when celebrity health information was leaked. Victims included Drew Barrymore, Arnold Schwarzenegger, Tom Hanks, Leonardo DiCaprio, Farrah Fawcett and others.
And patients are aware of the risk. Last week, Harris Interactive released a survey which showed that consumers are worried about their health data being stored electronically. 78% were nervous about hackers accessing their EHR, 64% were concerned about the loss of the data, and 62% were worried about the misuse of data.
But some get it, even if Washington doesn't. Christopher Burgess, a member of the External Advisory Board for the Mayo Clinic Center for Social Media, was just interviewed on this topic. Here he presents his recommendations on keeping health data secure:
Question: What would you say, for the medical community, are the top two or three things they should be doing to improve security?
Burgess: They should absolutely make sure that the digital environment that is hosting the patient data records is accessible to only those with a need to know, the concept of least privilege access. If I'm a doctor, I need to be able to access my patients' records. If I'm a nurse on a ward, I need to access my patients' records, but do I need to access all patients of that hospital? So you construct on the basis of least privilege access. Then you make sure that your data at rest is secure and that those who have access to that environment are also on the need to know with auditability and track records, so that you're able to tell who's touched the data, why, and when.
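As an added illustration of the least-privilege-plus-auditability design Burgess describes above (example code written for this post, not from the original interview or any real EHR product), with constructed roles, wards and patient ids: a doctor can read only their own patients, a nurse only patients on their ward, and every attempt, allowed or denied, is logged with who, which record, why and when.

```python
"""Least-privilege access to patient records with an audit trail (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample data: patient id -> attending doctor and ward.
PATIENTS = {
    "P001": {"doctor": "dr.lee", "ward": "cardiology"},
    "P002": {"doctor": "dr.lee", "ward": "oncology"},
    "P003": {"doctor": "dr.ng", "ward": "cardiology"},
}


@dataclass
class Principal:
    user: str
    role: str                    # "doctor" or "nurse"
    ward: Optional[str] = None   # nurses are scoped to a single ward


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, user, patient_id, reason, allowed):
        # Who touched (or tried to touch) which record, why, and when.
        self.entries.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "who": user, "patient": patient_id,
            "why": reason, "allowed": allowed,
        })


def may_access(p: Principal, patient_id: str) -> bool:
    """Need-to-know rule: doctors see their own patients, nurses their ward."""
    rec = PATIENTS.get(patient_id)
    if rec is None:
        return False
    if p.role == "doctor":
        return rec["doctor"] == p.user
    if p.role == "nurse":
        return p.ward is not None and rec["ward"] == p.ward
    return False  # any other role is denied by default


def read_record(p: Principal, patient_id: str, reason: str, log: AuditLog):
    """Authorise, then log the attempt whether or not it was allowed."""
    allowed = may_access(p, patient_id)
    log.record(p.user, patient_id, reason, allowed)
    if not allowed:
        raise PermissionError(f"{p.user} may not read {patient_id}")
    return PATIENTS[patient_id]
```

Denied attempts are the entries worth alerting on: a nurse repeatedly probing records outside their ward shows up in the log before anything is leaked.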