Privacy & Security

Security needs to be a top priority for healthcare leaders

Passwords alone are not enough to protect online health care information
By Scott Rea
July 31, 2015
06:41 AM

Back in the old days – say, a whole 10 years ago – thieves had to be physically inside a healthcare facility to steal patient information. How times have changed.

Now, with the Internet and the seeming lack of consistent implementation of online security best practices when it comes to patient information, we're making things much easier for attackers. The proof is in the data. Gartner research conservatively estimates close to 40 million health care records have been breached to date. That's likely a conservative figure, given that breaches of fewer than 500 records are not required to be reported.

Avivah Litan, cybersecurity analyst at Gartner, told the Associated Press after the Anthem hack, "The healthcare industry is generally about 10 years behind the financial services sector in terms of protecting consumer information."

This severe security lag causes healthcare organizations to lose credibility and client trus – not to mention having to address the immense financial costs of devastating attacks.

There are several ways in which the health care industry needs to improve security measures, but what huge breaches such as those at Anthem, CareFirst and Premera have taught us is that passwords alone are not enough to protect online health care information. We need consistent use of two-factor authentication.

That extra layer of security on top of traditional passwords must become the new norm. Otherwise, we're almost guaranteed to see more attacks, as evidenced by the more than 1 million records being compromised in the recent hack of CareFirst Blue Cross Blue Shield. Attackers know that with the right technique, combined with a clever phishing campaign, they can coax individuals into revealing administrative passwords and the valuable medical records and patient data that comes with it. Two-factor authentication takes away that ability from hackers.

One of the best ways to create two-factor authentication is through the use of digital certificates on any sort of equipment that accesses patient data. Certificates can be installed and accessed via a token that is connected to a device or computer, or embedded in a trusted platform module of the operating system of a device. Before any device is assigned a digital certificate, the unique device identifier and an administrator responsible for its operation may be verified personally by the Certificate Authority that issues the certificate. This identity binding ensures only authorized individuals and systems have access.

Each time access to patient data is required, the certificate is validated to ensure the device or its user is still authorized to access the information, and the private key associated with the certificate can be used to create an encrypted private channel through which data can be viewed or accessed. This helps assure that only authorized users and devices have access to the networks and data to which they are allowed.

The result? Health care organizations are better protected from both internal and external threats, and patients can trust that their information will be protected even if access to it is being provided over an open network like the Internet. This way, we achieve the convenience of Internet access yet with appropriate security controls. The amount of detailed personal data in medical records can be staggering, and that's why it's so highly sought after by people with bad intentions.

As the federal government contemplates steps to strengthen consumer data protections, the healthcare sector needs to decide to self-regulate or be acted upon. It's time for health care to demonstrate a stronger commitment to patient privacy and security by taking the lead on stronger standardized use of identity authentication and encryption, and application of multi-factor authentication.

We have the tools with technology like digital certificates and multi-factor authentication. We just need to consistently use them to protect patients.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Rebecca Herold from the IEEE on AI and cybersecurity
Cybersecurity In Focus
IEEE deep dive: What you really need to know about AI and cybersecurity

Most Read

Alfred Health onboards cancer records to Oracle EHR
Carequality to align interoperability strategy with TEFCA
Finding efficiencies and improving care: Give your healthcare surveillance a clean bill of health
Northwestern Medicine integrates DAX Copilot with Epic, seeking workflow efficiencies
Keep patients digitally empowered and engaged in their care
HITRUST unveils new tool for AI risk management

Research

White Papers

More Whitepapers

Interoperability
Patient Engagement
Interoperability

Webinars

More Webinars

Interoperability
Artificial Intelligence
Artificial Intelligence

More Stories

Hospital administrators in an office meeting
Te Whatu Ora may further cut digital funding
Krishna Duarsa at the Kasih Ibu Hospital Group_HIMSS24 APAC
Bali hospital takes on EMR maturity
Couple holding baby
Owlet wins back compliance with NYSE continued listing standards
David P. Tusa of MD Home Health on RPM
Arizona agency's omnichannel approach to home health includes telehealth and RPM
Hands holding puzzle pieces
AHA concerned over HTI-2 timelines, 'burdensome' requirements
Stethoscope on tablet
HIMSSCast: Is private equity the bad guy in healthcare?
Zafar Chaudry at Seattle Children_Data blocks concept Photo by BlackJack3D1/E+/Getty Images
CIO Spotlight: Zafar Chaudry of Seattle Children's
Monief Eid, senior consultant for the Ministry of Health Saudi Arabia, at HIMSS24 APAC
Building 'solid' medical data exchange...