Health Care: HIPAA, Legal, Security – A Call to Action

eClinicalWorks to pay $155 million to settle suit alleging it faked meaningful use certification

Electronic health records (EHR), which hold electronic protected health information (ePHI), are highly sensitive and valuable to both eCrime criminals and espionage actors.  4D5A Security has worked closely within the health care field and HIPAA-regulated environments for years and has seen some serious, at times egregious, challenges in this sector:

  • Most practices are managed by a doctor who then outsources office management, IT, security, and hosting of the EHR.
  • Computer security is generally treated as an expense cutting into the bottom line, not as a core operating cost and requirement of the business.
  • The EHR is managed from a liability perspective rather than with the goal of ensuring it is secure and well run.

Outsourcing introduces third parties and their staff, who are commonly never evaluated or tested for their security.  For example: are background checks performed on staff during the hiring process?  What secure technologies are used for sending and receiving email, for remote login, and for other common services?  How is physical access to the contracted facility managed?  Each time a function is outsourced (cheaper, yes) a certain amount of risk is inherited beyond that of a generally more trusted internally managed solution.  When everything is outsourced, and I do mean everything operationally, it falls entirely on the practitioner, usually a busy doctor, to provide governance and oversight.  Of course that doesn't really happen unless there is a problem.

EHR provisioning is even more complex.  It's not uncommon for a doctor's office to use a national hosting provider such as eCW, mentioned in the link at the top of this post.  Upstream of the EHR provider there may be yet another hosting provider for backups of server and log data, again outsourced.  Let's not forget the technicians who help set all this up and manage it: remote, outsourced, you get the picture.  As a security expert I don't think I could effectively manage such a heavily outsourced architecture for a business.  I'd have to give up, say I accept all the risk, throw away my phone and go fishing so that I wouldn't have to be bothered with all the calls I know I'd get.

Security is always a balancing act.  Too heavy and it becomes unbearable, breaks, and is resented as an annoyance.  Too light and we suffer major breaches and accept massive risk.  The health care industry is under attack right now from many actors around the world, including Carbanak (very mature, innovative, global).  If you're outsourcing everything, figure out how to restore that balance.  When you do outsource, perform due diligence: a security assessment of each and every company you contract with, not just the one holding the EHR.  Don't blindly accept risk and wave off liability; we are all responsible, even if we don't end up in court.