Ensuring Security and Privacy In a Data-Driven Healthcare Setting
Security and privacy have long been THE big worry and a major impediment to widespread adoption of digital medical information sharing. Many of us are well versed in the Health Insurance Portability and Accountability Act (HIPAA), which was created to address these concerns and to enable portability, and yet so much emphasis has been placed on privacy that the market has been slow to enable the sharing of information. HIPAA, like other security and privacy standards, is more expensive, onerous, and complex than it needs to be, and there is significant room for improvement. But, as is, HIPAA does work well enough to move forward.
In my last blog post, we discussed the value of being able to “push” data between clinicians and other members of the care team, as a compliment to “pulling” data from central repositories (e.g. EMRs or HIEs). A push approach would enable healthcare to catch up with the financial industry for example, which benefits from both the rapid movement of data, as well as from high security standards.
But many people have made valid points that the healthcare industry’s business structure is different than the “near-normal” market structure of most other industries. For example, there are market drivers and incentives for:
- Duplicating tests and other work (especially if done by competitive care groups);
- Driving available care instead of the best or most efficient care;
- Selling procedures, tests, bandages and more; and
- Holding back or even blocking some kinds of information sharing.
So, while we are working towards a capitated, quality-driven care delivery model across the country, improved digital communications could be driving better results.
Security, Privacy, Compliance
I have long thought that the HIPAA standard itself, especially the security standard, was pure genius in its appropriateness and deploy-ability. Fundamentally, it calls for the encryption of data, good knowledge of the identity of the people sending and receiving information, good user logging, assurance through a (contract) business associate agreement (BAA) that the sender and receiver will protect the information, and a risk assessment to address other potential concerns.
Because of the Risk Assessment requirement, HIPAA should be the most “evidence-driven” compliance regime, but because of its openness and lack of a “checklist” or prescriptive implementation method, and because it is fundamentally a self-certification, organizations working to be compliant often engage lawyers and consultants who come up with differing opinions. This leads to more lawyers, more consultants, more angst, more money and more time.
Making security standards more evidence-driven (focused on the areas of the greatest risk) would not only improve security and privacy, it would significantly reduce cost. Three examples are:
Patching of Applications and Operating Systems – This is an important countermeasure against software vulnerabilities that are widely exploited in cyber-attacks. For more than a decade, security experts, auditors and industry publications emphasized the need to quickly create and deploy patches to protect against the dreaded ‘zero-day attack’. Yet the 2015 DBIR, which is regarded as the most comprehensive investigative data set of >80,000 cyberattacks, shows that 99.8% of successful attacks that leveraged a vulnerability, were against those that were more than a year old – with the majority having patches that were developed more than four years prior. The data show that biggest risk is finding and updating PCs and servers that are essentially never patched, not spending more effort to improve already adequate patch deployment regimes.
Encryption of Data at Rest – HIPAA explicitly requires addressing encryption both in transit and at rest. Encryption of data in transit addresses the threat of sniffing attacks – in which the “bad guy” eavesdrops on digital traffic in real-time. Although sniffing is real, and has been commonly deployed in successful cyber-attacks both in healthcare and in other industries, the vast majority of all known sniffing attacks have been deployed inside the enterprise, on the LAN, or in the data center. Except in state-sponsored espionage, almost none have been known to occur on traffic over public Internet segments – or on a private connection outside of an enterprise. The security standards? Data encryption is required for Internet segments but typically not inside the enterprise or data center – exactly the opposite of what the evidence tells us.
Secure Identity – This is an important aspect of both security and privacy. Identity has two basic components:
A. Identity Proofing is the initial work of prooving that a person is whom they claim to be. It typically involves assessing government issued documents, such as driver’s license, passport, etc. along with actions such as checking for alignment of financial information. For more advanced identity proofing, a background check and/or biometrics may be used.
B. Authentication is the shortcut used for each login classically including either something you know (like pins and passwords), something you possess (a token or cellphone, for example) or something you are (biometric, like fingerprint or retinal scan). Using passwords alone is called single factor authentication, which fails miserably and often. More than 85% of all successful cyber attacks over the past 10 years exploit the weakness in password-based logins – usually by the theft and replay of hundreds of millions of stolen passwords. Long, very well constructed passwords with multiple data types are stolen just as easily as short, simple passwords. So despite our long-held beliefs, data show that complex passwords provide almost no incremental strength against today’s most damaging and common cyber attacks. Two-factor authentication, in which a possession factor or biometric factor is added to the mix, reduces this risk by many orders of magnitude.
Despite the disparity between standard authentication and secure identity proofing, most assessments and remediation recommendations, and the advice of our standards bodies, is to increase the identity proofing quality for doctors and others accessing PHI (to NIST 80-63 LOA3 quality), but to leave the day-to-day authentication as single-factor authentication (password only). As demonstrated above, this is exactly the reverse of what the evidence tells us. If we are to strengthen Identity, we must implement stronger authentication.
I’ve been fortunate to work across several companies in which ensuring strong user authentication was critical to success. Please drop me an email, and let’s discuss your current challenges and opportunities.