American Association for Physician Leadership

Operations and Policy

Cybersecurity and Device Management

Janis Coffin, DO, FAAFP, FACMPE | Jordan McManus, MBA | Janak Patel, DO, MBA | Seth Huffhines, DO, MBA

April 8, 2020


Abstract:

Medical privacy and data security are essential components of medical practice. Criminal activity related to cyberdata and medical records is growing increasingly complex, because the information stored there provides the obtainer with potential financial gain. Furthermore, electronic medical record (EMR) software and the technology allowing for hospital, office, and mobile access have added complexity to the security problem. Hardware and software maintenance and updates require specific installation and sanitation protocols to ensure patient safety. Mobile devices make public access to the EMR a potential point of physical vulnerability to medical data, and mobile EMR access requires secure visualization and access of medical charts. As medical technologies advance at a seemingly exponential rate, cybersecurity initiatives must remain vigilant to keep pace. Vulnerability can lead to costly damage control from which some practices may not recover. It is critical for administrators and private practice managers to set the tone by prioritizing data security. As a culture, medicine must prioritize cybersecurity in order to “do no harm.”




As evidenced by the Facebook/Cambridge Analytica data breach and the subsequent outcry, people want their data to stay private. Other recent data breaches, such as the Equifax breach of 2017, have resulted in a public demand for increased measures to prevent future data breaches. The frequency of these data breaches is increasing every year, with no discrimination regarding who can be a victim.1 Individuals, large companies, and even entire nations can find themselves on the wrong side of a cybersecurity breach. Healthcare firms are no exception and are frequent targets for those carrying out cybersecurity attacks. Health systems commonly store a patient’s health record, address, Social Security number, and even credit card information. All of these data can be sold on the black market for up to $50 per EHR .1 Most healthcare facilities have thousands of such records, and thus make attractive targets for would-be attackers.

The current state of cybersecurity in the healthcare field has improved somewhat from a decade ago but is overall nowhere near the level it needs to be. Many organizations have now appointed a Chief Information Security Officer (CISO), a position that was unheard of until recently. One report notes that the average healthcare-related data breach would result in a loss of $12 million per incident. Those organizations that have implemented security measures—such as employee training, extensive encryption, appointment of a CISO, and board-level involvement, among other measures—tend to have an average of $7 million loss per data breach. The other side of this is the average of $15 million lost per data breach for those institutions where the data breach involved lost mobile devices, compliance failures, and involvement of a third party.1

A recent survey from the Healthcare Information and Management Systems Society sheds more light on the current healthcare cybersecurity landscape. This survey shows that although 71% of organizations have a dedicated budget for cybersecurity, the amount allocated can vary greatly from one organization to the next. The same survey shows that 80% of organizations have dedicated cybersecurity staff, including 60% who employ someone in a senior level position such as a CISO. Of those organizations surveyed, 51% conduct a risk assessment audit only once a year; of the remainder, some organizations perform such an audit more frequently and others less so.2 The survey also found that those in the acute care setting were more concerned about cybersecurity than those who focus on the outpatient side of medicine. Overall, we can see that the healthcare sector has made steps towards implementing more cybersecurity measures; however, there are some simple steps that we still recommend all healthcare providers follow.

A cybersecurity attack has the potential to affect medical devices, invade patient privacy, and even result in a loss of faith in the patient–provider relationship.

Our first responsibility as healthcare providers is to “first do no harm.” If we truly believe that to be our responsibility, then cybersecurity should become a priority for all healthcare providers. A cybersecurity attack has the potential to affect medical devices, invade patient privacy, and even result in a loss of faith in the patient–provider relationship. A few practical steps have been outlined by the Department of Health and Human Services that we can take as healthcare providers to minimize our risk of becoming victims of such attacks.

Culture of Security

Success at any level can be attributed to the culture of the organization, because that is the foundation that shapes the behavior of employees. Establishing and strengthening an organizational culture that values cybersecurity is essential to protecting patient information and preventing attack. This begins with executive and management positions establishing security as a priority and providing the necessary support and allocation of funding to the issue. From there, all employees must be trained to establish safe and secure computer habits. Such trainings would include annual training for both the information technology team and all other employees to demonstrate innovations and prevent potential issues. The culture also should encourage the reporting of breaches in order to swiftly identify pitfalls and find solutions.1

Furthermore, the healthcare sector is unique in that information and reports regarding security breaches are not normally crowd-sourced. Cooperation among hospital systems and IT corporations would allow for a database of violations. It is critical to identify weaknesses in security and leaks in medical data immediately. Cybersecurity can be compromised in just moments, but it may take months before the breach is detected, damage is contained, and defensive resources are deployed to prevent the same attack from happening again. Data collection regarding breaches across the nation would allow for quicker identification and containment of threats. Research and development would be better equipped to create software updates and produce new security products aimed at current and anticipated weak points. These strategies would cross many different profit lines, including competing hospital systems, EMR companies, and software developers. Prioritizing security and patient safety must trump the drive for continual revenue increases.3

Technology Use Habits

The second step is to maintain good technology use habits. Such habits include, but are not limited to, configuration management, operating system maintenance, and software maintenance. Prioritizing technology security starts with the installation of technologies in a practice. Electronics that are not designed solely for medical use will have customization options and additional features, including photo and file sharing, games, and so on. These features often are packaged within the default settings of the electronics, predisposing clinics to the use of inferior security standards. These features exemplify “back door” access. When not in use, these features receive vendor access to allow for application support and updates. Requesting that this back door access be disabled, or tasking the IT department with this request, ensures that patient and clinic information remains confidential.1

Operating system maintenance includes management of extraneous or outdated information. Turnover of staff requires disabling accounts and denying access prior to termination. Old data or medical records must be archived or deleted, subject to applicable date retention requirements. Furthermore, outdated or unused software should be fully uninstalled. This includes trial versions and old versions of current software.1 If electronic devices are set to be disposed of, guidelines can be found in the National Institute of Standards and Technology (NIST) Special Publication.4 These guidelines address documenting decisions and actions for media sanitization, identifying resources to replace outdated technology, and having critical interfaces with key officials. Similarly, a clinic must provide maintenance for software on all devices. The logistics vary depending on size and the resources of a medical entity. A hospital or large clinic can opt for daily software updates, whereas smaller clinics may automate updates at the end of the week. These updates, usually produced by the manufacturer, address progressive areas of weakness and vulnerability within the system. Continual maintenance ensures that the software security standard be maintained at a high level. Furthermore, operating some outdated systems automatically qualifies as data breach, because the manufacture ceases to provide updates, leaving the information vulnerable.5

Wireless data transfer is another problem that plagues practices. Mobile devices are common to small and large healthcare settings alike. These devices operate within a wireless system and, therefore, make practitioners vulnerable to eavesdropping and data interception. To prevent this, encryption software must be in place that limits access only to authorized users. Medical information should never be accessed on a public network without encryption security, and devices that do not support encryption software should be avoided.1

Physical Barriers

The third step is to both limit access and leverage hardware to create a physical barrier. As technology advances in the medical field, we have seen a rise in mobile access to patient records and medical documents. These advances pose new threats, which involve unique security measures. The single most common way medical information is compromised is via lost devices and theft. Additionally, public use of medical devices must be restricted, and strong authentication guidelines must be outlined.1

Physical security of mobile devices has become almost commonplace, even within everyday usage. Especially when utilizing and accessing medical data, users should employ passcodes to enter the device, facial recognition features, and privacy screens. Companies such as Apple, Google, Microsoft, and MobileIron have provided e-biometrics that have significantly limited physical access to the contents on mobile devices. When these devices determine inappropriate access or prolonged lockdown, they are capable of securely locking the mobile device or clearing all data from a remote location.

Frequently changing a password and requiring multiple identifications provides added security to a mobile medical access application.

Beyond physical security, access within the device can be secured with evolving features. Password generators are capable of producing and securely saving passcodes that do not include recognizable words and also are adequate in length and complexity. Additionally, frequently changing a password and requiring multiple identifications provides added security to a mobile medical access application.

“Virtualization” has presented a growing problem as the use of mobile devices expands. Two models dominate mobile access to medical data: enterprise security and virtualization. An enterprise security model allows for true mobile access without the need for consistent connection to an internet source. The problem here is that the medical data reside in the mobile device, and, therefore, the data are only as secure as the physical device itself. Virtualization requires a strong connection to access information stored in an off-site location.

Lastly, electromagnetic interference is a significant source of data corruption. Health systems need to be aware of the effect electromagnetic interference has on medical devices, the intrinsic immunity of the devices used, and the possible shielding capacity of the walls.6

Conclusion

Computing power has been advancing exponentially for the better part of our lifetimes. This has led to constantly evolving innovative technologies and methods for recording, updating, and sharing patient data with the goal of efficiently serving our patients. Due to continuous updates and opportunities for data to be compromised, the healthcare field must sustain a high level of awareness. Protection comes in various forms and starts with creating a system-wide culture of cybersecurity awareness, followed by employee education regarding appropriate technology habits and physical barriers that promote safety and limit possibility of infiltration. If any of these areas are neglected, a healthcare system makes itself vulnerable to security breach. As with preventative measures in medicine, a significant investment in prevention will go a long way toward avoiding potentially devastating outcomes.

References

1.    Le Bris A, El Asri W. State of cybersecurity & cyber threats in healthcare organizations—applied cybersecurity strategy for managers. https://blogs.harvard.edu/cybersecurity/files/2017/01/risks-and-threats-healthcare-strategic-report.pdf. Accessed April 17, 2019.

2.    2017 HIMSS Cyber Security Survey. https://www.himss.org/2017-himss-cybersecurity-survey. Accessed January 17, 2019.

3.    Snell E. Cybersecurity: How can it be improved in health care? https://healthinformatics.uic.edu/blog/cybersecurity-how-can-it-be-improved-in-health-care/. Accessed November 17, 2019.

4.    Kissel R, Scholl M, Skolochenko S, Li X. Guidelines for Media Sanitation. Gaithersburg, MD: Computer Security Division Information Technology Laboratory National Institute of Standards and Technology. www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist80088.pdf?language=es. Accessed January 17, 2019.

5.    Homeland Security Threats. CMS.gov. www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertEmergPrep/Homeland-Security-Threats. Accessed January 17, 2019.

6.    Hanada E, Takano K, Antoku Y, Matsumura K, Watanabe Y, Nose Y. A practical procedure to prevent electromagnetic interference with electronic medical equipment. J Med Syst. 2002;26(1):61-65.

Janis Coffin, DO, FAAFP, FACMPE

Janis Coffin, DO, FAAFP, FACMPE, Chief Transformation Officer, Augusta University, Augusta, Georgia; email: jcoffin@augusta.edu.




Jordan McManus, MBA

Fourth-year medical student, Kansas City University of Medicine and Biosciences, Joplin, Missouri


Janak Patel, DO, MBA

Resident Physician, University of Kansas Medical Center, Kansas City, Kansas


Seth Huffhines, DO, MBA

Resident Physician, John Peter Smith Health Network, Fort Worth, Texas

Interested in sharing leadership insights? Contribute



For over 45 years.

The American Association for Physician Leadership has helped physicians develop their leadership skills through education, career development, thought leadership and community building.

The American Association for Physician Leadership (AAPL) changed its name from the American College of Physician Executives (ACPE) in 2014. We may have changed our name, but we are the same organization that has been serving physician leaders since 1975.

CONTACT US

Mail Processing Address
PO Box 96503 I BMB 97493
Washington, DC 20090-6503

Payment Remittance Address
PO Box 745725
Atlanta, GA 30374-5725
(800) 562-8088
(813) 287-8993 Fax
customerservice@physicianleaders.org

CONNECT WITH US

LOOKING TO ENGAGE YOUR STAFF?

AAPL providers leadership development programs designed to retain valuable team members and improve patient outcomes.

American Association for Physician Leadership®

formerly known as the American College of Physician Executives (ACPE)