Is an electronic world a safer world?

Buffalo Business First Supplement: The Future of Health Care
October 28, 2016
     
By Jane Schmitt
Contributing writer

Security breaches of electronic health records are the exception, not the rule, insist the gatekeepers of patient data.

They stand tall in the battle against the “bad guys” with greater awareness, detection and prevention strategies and stricter policies in a rapidly changing digital environment.

That’s no small task for organizations that face constant attacks from outside sources.

“I would say in some respects, health records have never been as secure as they are today,” said Drew McNichol, technology director and security officer at HealtheLink, the region’s clinical information exchange.

“Unlike paper records, any time a patient’s information is accessed through HealtheLink, that user leaves what we call an electronic fingerprint. That access is audited to ensure the health information is only being viewed by providers where the patient has given their consent and where there’s a treating relationship,” he said. “We do our best to keep the information safe and secure. As a company, we treat security with the utmost seriousness.”

The nonprofit is a collaboration among the region’s hospitals, doctors, health plans and other providers. Participating doctors can access a person’s medical information such as lab results and medication history through an infrastructure carefully monitored by McNichol and his security team.

Encryption, password protection, the ability to track every viewer and other safeguards help them protect the exchange of information as part of the Statewide Health Information Network of New York, or SHIN-NY.

“As the technology evolves and as the bad guys evolve, we continually measure and improve our programs to keep patient data safe,” McNichol said. “So it’s not one-and-done; it’s a continual thing that we need to address each and every day.”

While advances in electronic management of information are embraced by doctors and patients alike, there are vulnerabilities such as more entry points to an organization’s data. 

Combine that with the speed at which technology changes and it’s clear that ensuring security is a formidable challenge.

Health care providers and insurers are spending more than ever on breach preparedness, with tools and initiatives designed to ensure patient privacy and information security by preventing hacking and other incidents.

“It’s one of the top priorities in this organization,” said Scott Morris, chief information security officer at BlueCross BlueShield of Western New York. “We have regular updates to the board of directors and executives and our staff on how we are doing and the progress we make toward meeting certain control frameworks in cyberspace regulations.”

It’s a scare world out there, with hackers looking for any opportunity to infiltrate companies of every size and in every industry.

Health care is an area of critical concerns: An estimated 91 percent of U.S. health care organizations reported at least one data breach over the last two years, according to the Identity Theft Resource Center, a nonprofit based in San Diego.

“We make every effort to stay ahead of the bad guys,” Morris said. “It’s a constant battle because they are really good at what they do and they’re always finding new ways to try to gain access to our data and make our lives difficult…

“With health care, the data and member records do not have an expiration date,” he said. “Credit card numbers can be changed instantly but your medical history is something that can’t. And as (cyber criminals) continue to build repositories in more detail on members, that information becomes more valuable.”

Indeed, the Identity Theft Resource Center said medical records are worth up to 10 times more than credit cards numbers on the black market for extortion and other scams.

The third annual Data Breach Industry Forecast by Experian Data Breach Resolution, meanwhile, predicted that big health care hacks in 2016 would garner the most headlines but small breaches would cause the most damage.

“We predict that health care companies will remain one of the most targeted sectors by attackers, driven by the high value compromised data can command on the black market, along with the continued digitization and sharing of medical records,” Experian said. “In 2016, sophisticated attackers will continue to focus on insurers and large hospital networks where they have the opportunity for the largest payoff.”

How, then, can organizations thwart criminal attacks?

“It’s important that health organizations not only continue to invest in up-to-date security technologies but also focus on training employees in proper data handling practices on a regular basis,” Experian advised.

Employee education is key.

McNichol of HealtheLink said the workforce must be trained to understand the risk of creating unintentional exposure if they click on suspicious links or attachments. And they must be kept up to speed on security policies and procedures.

“Much of what we do do today revolves around education,” he said. “Educating the users, educating the staff, making sure they’re aware of situations to prevent any adverse effects.” 

View the article here.