LAS VEGAS -- What's more valuable to a hacker than someone's credit card information? Their protected health information [PHI], according to , a healthcare security consultant.
"If you go out on the 'deep web' [where people sell stolen goods], a credit card valued at $1 to $2," Barney said. "But your PHI can sell from $20-$200 on the deep web.
"Your Social Security number, if I had that, and I was an attacker, I could continue to use it again and again ... This is why many entities are coming for your PHI," Barney, of the firm SecurityMetrics in Orem, Utah, said here at Tuesday at the .
When it comes to unsecured PHI, there are two types of data: "data you know about and data you don't," he said. At one company Barney visited, "I found a maintenance closet; it had no key, no video, no lock. As we walked into the closet ... We found a little over 6 million individual [paper] records in that room."
The notion that protected healthcare information isn't very valuable is just one of the misconceptions that many healthcare business executives subscribe to, he said. And often, these same executives subscribe to many myths when it comes to complying with the security provisions of the Health Insurance Portability and Accountability Act (HIPAA).
Many Vulnerabilities
For example, they may think that having a "firewall" to protect their healthcare software is enough. "Maybe your firewall is doing a good job, but that's just one layer" of security for PHI, said Barney. "It's important to look at healthcare security as defense in depth."
"Most organizations have many vulnerabilities ... administrative, physical and technical. Most people think 'firewall,' a hacker coming through, but there are many different areas."
Firewalls should be updated and reviewed every 6 months, he pointed out. "It's very common that we see [a company's] firewall administrator leave, but when we look at the firewall, that [administrator's log-on] is still there. It's a very dangerous thing to do."
In addition to firewall issues, some healthcare organizations think HIPAA doesn't apply to them, Barney said.
"You'd be shocked how many entities [think that] -- they'll say, 'We're not touching [health] data in any way so it doesn't apply. That oftentimes is very false." For instance, someone may have a shared network folder with PHI to which a marketing person has access privileges, Barney said.
"Or they'll say they're too small -- maybe they are a one- or two-provider shop. Or 'I store my data in the cloud and the cloud provider does everything for me.' But HIPAA applies to just about everybody."
Another frequent response is, "Our IT department and attorneys have us covered," Barney said. "The IT professionals typically tell me they have a privacy officer and they're working toward [security] compliance ... but they don't know, they haven't [read the regulations in depth] ... odds are they aren't helping you gain HIPAA compliance."
As for the attorneys, Barney said he had to tell one company that its attorney was "taking care of nothing in the security realm. If you know of an attorney who is taking care of it, call me, because you have successfully captured a unicorn."
Some organizations think their business associates will take all the liability. "But remember, liability is always going to be a shared responsibility between the two of you," he said. "And the business associates likely have vulnerabilities, risks and threats that will put your systems at risk."
Beware of Moles
Social engineering -- people who integrate themselves into your workplace to steal data -- are another threat healthcare organizations don't often think about, according to Barney. "We spend a lot of money on really awesome products, but the biggest weakness in your organization is always going to be your people."
And it's not necessarily the IT department either. "If I were social engineering you, I wouldn't come in as IT, I would come in as janitorial," he said. "They have keys to everything, and they come in at night when no one is looking."
Addressing these many potential HIPAA security breaches "is all about time," Barney said. "If you're a small organization, you're looking at 200 hours annually, and that's very conservative. A large organization, I don't know the number of hours -- probably 800-plus annually."
He recommended a few steps for healthcare organizations to follow:
- Perform a risk analysis. "This should be done annually; it will identify many things."
- Send weekly security tip reminders. "Get the staff excited about what they're doing wrong; explain how this impacts patients."
- Maintain individual user accounts for everything. "Just because an electronic health record forces a username and password doesn't mean we're compliant. What's the accountability at the network level? What if malware is uploaded?"
- Update systems and applications. "I get older and fatter, and systems are the same way; they need to be updated. Critical updates should be put in within one month of release."
Often organizations have a communications gap -- executives believe one thing is happening but the IT department is doing something totally different, Barney said. Organizations need to ask themselves, "What can we do to bridge that gap and fix these problems?"