by Lucas Mearian
Over the next four years, the amount of personal medical information online will increase exponentially, opening up new avenues for hackers to expose personal data that, unlike financial information, can result in a permanent violation of privacy.
The U.S. Department of Health and Human Services (HHS) has set a deadline of 2015 for healthcare facilities to begin using electronic health records (EHRs), thereby ushering in the digitalization of all patient information. As patient data is aggregated on health networks, it becomes a bigger target for those who want to steal it and exploit it on the Internet, experts say.
According to research firm IDC, about a quarter of all Americans -- 77 million people -- already have an EHR, up from 14% in 2009. By 2015, IDC expects that figure to rise to 60%, spurred in large part by the Health Information Technology for Economic and Clinical Health (HITECH) Act. That measure, approved by Congress last year, included $19 billion in incentives for health care organizations to adopt EHRs.
Industry experts estimate that the amount of personal health data kept online measures in the terabytes -- and will grow to petabytes of data over the next four years.
It's not so much the quantity of information that could be a problem; it's the different sources of data, the diversity of that data and the various network infrastructures on which it resides that could overwhelm the U.S. health system and pose significant risks to privacy, according to Sia Zadeh, director of business development for security software vendor Axway Inc.
According to a recent report by IDC's Health Industry Insights division, health care providers believe it will take a major security scandal to compel organizations to take security seriously.
A major health care data breach is inevitable, said Dr. William Braithwaite. He wrote portions of the Health Insurance Portability and Accountability Act of 1995 (HIPAA) and has since contributed to federal health care regulation.
"As we build EHRs, that puts more information in place, so the risk that someone will go after that information increases," said Braithwaite, now chief medical officer with security software vendor Anakam Inc. "If we don't understand the threat model we're dealing with, we're leaving the back door open; in fact, there will be no back door because they're already in the house."
HIPAA Security Rule requirements call for data encryption where needed, as well as data access control methods such as automatic logoff. But neither would protect against sophisticated malware attacks that target applications.
Health care information is one of the trickiest types of data to exchange online -- and encrypting it won't protect against Web attacks, according to Dr. Taher Elgamal. He led the development of secure sockets layer (SSL) network encryption as the chief scientist at Netscape, and is now the chief security officer at Axway.
For example, Kaiser Permanente, one of the nation's largest health care organizations, promises its physicians and other members on its Web site that their data will be secure "from the moment your account information leaves your computer to the time it enters Kaiser Permanente's system" because it's encrypted using SSL.
"The fact that you did encryption doesn't mean you've protected medical information, because access control is the real issue," Elgamal said. "New cybercriminals do not do what the old cybercriminals did. They realize you'll be encrypting the data and instead access the application and steal access rights."
SSL does a good job of securing the connection between two nodes at the transport layer, Elgamal said. But protecting health care information requires additional security technologies. For example, SSL cannot determine whether there is sensitive data or not, nor can SSL protect the information inside the network or at rest on a server.
"It is important to identify what 'strong security' means -- but we can only do that after the requirements have been stated [by the government]," Elgamal said.
For example, a physician logging into an online portal via his laptop to access patient data uses an application to read that information; the application has access to the keys to decrypt the information. Hackers write malware that infects applications and waits for them to decrypt data, which then gives them clear access to the health data.
"So the malware sits on the doctor's laptop, waits for him to log in ... and the malware is reading the data at the same time the doctor is," Elgamal said. "They did not need to log in on your behalf. They did not need to crack passwords. They did not need to go to the hard drive and decrypt the data. They sat in the middle of the application."
While security practices around handling eHealth data will be beefed up with bigger fines as well as a requirement to adhere to security best practices under the HITECH Act, some believe efforts may be aimed at the wrong target. Under the HITECH Act, fines for data breaches can go as high as $1.5 million per year.
"The penalties are more severe, even for smaller breaches," said Judy Hanover, an analyst with IDC's Health Industry Insights. "It puts a lot more teeth into HIPAA rules with regard to breaches of patient information, and that's leading to a lot more attention on the security of EHRs."
Elgamal said it's good that the federal government is getting more stringent about security, but ensuring that organizations comply "is not a trivial business to do.
"There are way too many participants in these health care data exchanges," he said. "There are participants in the health care industry that you would not think of that get data -- and sometimes lots of it -- and not every participant in the ecosystem is acquiring (EHR) technology at the same time."
Elgamal and other experts say that the applications with access to sensitive data need protection. That means ensuring there are application access controls, audit trails and regularly updated malware protection.
According to the Open Security Foundation, which tracks U.S. data breaches, 27% of all breaches involve stolen PCs and laptops, 16% involve direct hacks and 13% involve malware over the Web. The medical industry currently makes up 12% of all data breach incidents, with general business breaches making up nearly 50%.
Robert Grapes, chief technologist of the security software vendor Cloakware Inc., said IT managers should think of their health records systems as a house, with application access controls as the front door. Those EHR systems also need to track who's in the house and what rooms they've been in. That way, any changes to data are not only authorized, but logged.
"Today the norm is encryption, access control and some data integrity. Those are building blocks of most systems. It's served us well, but as the range of attacks gets more sophisticated, the opportunity for more malicious behavior increases," he said.
Grapes also said IT managers must focus on application renewability, or upgrading software to ensure that if an application is hacked, the intruder will only have access to a limited amount of data.
"For example, take Adobe Reader. If you've not upgraded your version and it's been out there for years, the data created by it is years old. If I can renew my software every month, I'm breaking the attacker's business model.... It makes it harder to get a big reward because the new or patched version of the software is all that's available to him."
Grapes also recommends practicing good encryption key management, including offsite backup of keys in case data must be accessed years down the line.
One incentive for IT managers to improve security involves the HITECH Act's requirement to report data breaches to the public. For example, in November, health insurer Health Net of the Northeast Inc. reported it had lost a hard drive with seven years' worth of personal financial and medical information on about 1.5 million customers. Health Net waited six months to report the data breach.
Under the new HITECH Act, data breaches affecting 500 people or more will be posted on the HHS Web site for all to see, according to Nagraj Seshadri, a security technologist with security vendor Sophos Plc.
"That's a pretty big incentive for people to keep data breaches from happening," Seshadri said.
© 2010 Computerworld Inc.