Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro

    The security issues inherently unique to the healthcare sector are an area that I have been following pretty closely over the course of the past couple of years, for a few reasons.

    First—and thankfully—there appears to be increasing concern in the healthcare industry that the recent spate of security breaches could bleed over into the healthcare sector and could have an adverse effect on the already-troubled industry. As reported in The New York Times on Monday, there is a renewed emphasis on the protection of patient medical data in the face of an onslaught of consumer privacy data breaches.

    As stated in The New York Times article, “… in the last two years, personal medical records of at least 7.8 million people have been improperly exposed, according to government data.”

    These numbers seem to grow with time and it is especially troubling that these “improper exposures” have not received the same notoriety that similar data breaches have received in other industries.

    I think that number may be somewhat misleading, or may only deal with “improper disclosures,” since in a 2009 incident a still-unidentified party hacked into the online systems of the Virginia Prescription Drug Monitoring Program, allegedly stole approximately 8.3 million patient records, and demanded a US$10-million ransom.

    Especially troubling is the apparent push to move to electronic health records (EHRs) for patient medical data without proper security mechanisms in place, which can arguably make theft and/or misappropriation of medical data even easier. I won’t go into all of the issues surrounding EHRs but there are arguments on both sides of the issue for cost savings, ease of use (including mobility), and privacy.

    It is time to deal with these issues and to ensure that adequate security frameworks are put in place, whether through regulatory- or compliance-based means (more on that later), and start to penalize organizations and individuals who violate these regimes through willful negligence, ignorance, or malice.

    Second, the current regulatory and compliance regime—the Health Insurance Portability and Accountability Act (HIPAA) of 1996—is woefully inadequate to deal with the current technical landscape in the healthcare industry. It has been almost 16 years since the HIPAA was created and as The New York Times article points out, the HIPAA needs to be updated to reflect the current complexity and technical reality in the field.

    Added confusion in this area arrived earlier this year with the Health Information Technology for Economic and Clinical Health (HITECH) Act, which deals with privacy and security issues involving EHRs.

    The news is not all bad. It was reported today that the U.S. Health and Human Services Department is looking to strengthen privacy disclosure rules under the HIPAA to allow patients to learn who actually accesses their EHRs. This is certainly a move in the right direction.

    In fact, I think the renewed attention in this area is very good news indeed since there seem to be certain gaps in the regulatory, compliance, and auditing framework in the healthcare industry.

    There are many areas in the healthcare security landscape that deserve much more detailed discussions but which I will not go into in this blog post. Having said that, however, please watch this space for a series of blog posts over the next few weeks where I will examine several of these issues in more detail.


    • Steve Gaus

      Yes, we've seen this movie before and we know how it ends.
      Another good idea gets through Congress and lands in some agency of government for administration, and it moves off of its original intent; it undergoes mission creep & budget bloat, and then the taxpayers and businesses in the USA fund the program and struggle with the other costs of compliance.
      Never mind the Tea Party; our founding fathers would be scratching their heads over how large and overreaching we have allowed government to grow.
      HIPAA needs to protect PHI so that Americans are not discriminated against, and if everyone had access to coverage, then in theory everyone would have a source for medical insurance.
      We need to write our Congressmen & Senators and ask them to represent us, not govern us!

    • Marian

      Just be sure before you write your follow up posts that you inform yourself fully of the measures HHS is taking with respect to securing EHRs. Don't just assume, as many uninformed opinionators do, that nothing is being done or that the government is too stupid to know what to do. Contact, the director of communications for the office responsible for this aspect of HITECH.

    • Monica

      Chris, I couldn't agree more. In saving that money we might have more money to aid those who don't have insurance (another boo word!). With HIPAA I was under the impression that the idea was to protect personal information that could lead to discrimination of the patient, i.e.: HIV/AIDS, mental health treatment, etc. - basically things that were almost taboo when the big rush to get HIPAA compliant or be penalized in 2002/2003 was being undertaken. The patients were not being properly informed, and thus had no idea that the release they signed for that prospective new employer to gain access to their medical information also contained their mental health evaluation done back when they were a rebellious college student (or whatever) back in the '80s, so THUNK - they would not be hired and would generally not even know why. I am a firm believer that in some cases those issues are critical in treatment of the patient. If it is swept under the rug that the patient has HIV/AIDS, for example, how will the treating physician, lab tech, or nurse know to take extra precautions to avoid that ominous needle stick? The patient, however, has the right to decline that that information be disclosed to anyone else who should request his/her records. That may be okay for prospective employers or banks, etc., but not in the coordination of and administration of that patient's care. Also the medical practices were being slammed with lawsuits about wrongful disclosure of such things, so it does benefit them in covering their own – unless they don't follow guidelines. Insurance companies and the government make the money on that lawsuit! Too much to say about healthcare, insurance, reforms, HIPAA causing me to receive privacy policies from everyone…ugh!

    • Chris Creel

      The original intent was to stop discrimination, which the new health care law addresses. There is no inherent value in electronic medical records except to the care collaborators and the patient/member. Note that in the hacking instance cited, the hackers didn't sell the information or in any other way benefit. They simply held it for ransom because the only people that thought the information was valuable were the people terrified of HIPAA.

      HIPAA violations are victimless crimes. Instead of being updated it should be thrown out and the original intent addressed if it is not already. The amount of money spent by everyone in the health care industry on protecting PHI (shrieks of terror all around) is out of control. Want to save money in health care? Repeal HIPAA.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice