It seems like a scene from a heist movie. As unsuspecting patrons roam a Las Vegas casino, their personal information is mined and exploited by nefarious villains in a hidden room. But this scenario looks a bit different in real life.
At the Def Con 2014 Hackers Conference, a crew from Aries Security discovered that wearable health devices (like Nike FuelBand or Jawbone) are extremely susceptible to hacking. Brian Markus, Chief Executive of Aries Security, told Techly that harvesting personal health information from mobile devices was much too easy. After just hours of looking at wearable tech users in physical range, including other tourists outside on the Vegas strip, Markus said, "We saw several hundred users exposed since we started looking."
The exploitation of wearable devices is just one example of health security concerns in 2015. Health IT is growing rapidly and changing the lives of millions of people with innovative, accessible solutions. However, that quick rate of development also means new technologies are susceptible to hacking or misuse. According to CNN, in 2012 and 2013, 90% of health care organizations had lost or exposed patient data. Records are compromised hundreds of times a year.
What are the biggest threats to health security in your practice? What are patients' concerns in regards to their information? We're here to discuss the ways health tech is constantly changing the game of health security.
Why is health information so valuable?
Last August, the FBI released a statement to healthcare firms following a security breach into hospital group Community Health Systems Inc. According to the FBI, health information hackers could be trying to access patients' bank information, steal intellectual property from medical device companies, use patient records for identity theft or insurance fraud, or even obtain prescriptions. There's a broad range of uses for stolen health information, and the onslaught against health companies is overwhelming.
Just this month, insurer Premera Blue Cross was hit by a cyberattack that involved 11 million customers. Anthem, one of the nation's largest insurers, was also struck by a cyberattack recently. Experts agree that the comprehensive information required in healthcare makes the industry a gold mine for identity thieves. Medical information can be up to ten times the value of simple financial information on the black market. Katherine Keefe of Beazley Group, an insurance company specializing in cyber risk management, told the New York Times, “The value to a criminal of having a full set of medical information on a person can go for $40 to $50 on the street."
New risks, clever solutions
Wearable technology is just one of the new medical technologies that is susceptible to security breaches. Telemedicine presents a risk when physicians don't use HIPAA-compliant systems, and video calling systems like Skype have a history of breaches. Additionally, mobile devices have become ubiquitous, and many assume their technology is fail-safe. Patients and staff can increase cyber risks for your practice just by connecting to your network. Many devices now have wifi embedded, which provides quick connectivity, but increases risk at spreading viruses. Healthcare IT News recommends Network Access Control (NAC) measures to recognize and neutralize threats from individual sources. Keeping your NAC updated is vital for your practice and your patients.
However, health tech also presents new solutions in the war against hackers. Biometrics are quickly becoming the preferred method to guard patients' private information while also deterring fraud. According to David Batchelor, LifeMed ID’s chief executive, biometric IDs will also stave off fraudulent billing and duplicates in patient records. Batchelor told Fortune his technology eliminates 92% of the error rate in keystrokes for patient registration. That's reassuring for patients as well as practice managers.
Keep all staff updated on HIPAA compliance, technology changes, and risk analyses. A survey by NueMD revealed practice managers, care providers and other staff have startlingly low confidence in their practices' HIPAA security.
In many ways, the best way to prevent breaches is by following HIT security news very closely. Since health tech changes quickly, so do systems' weaknesses, attacks, and solutions, which makes keeping on top of security news crucial. Viruses like HeartBleed are all over the news when they first appear, but many tech users don't keep up with new patches, which made Community Health Systems vulnerable to attack in 2014. Treat computer viruses like the flu: if you don't update your protections for each new strain, you're in trouble.
How can you reassure patients?
According to a study by Software Advice, a collective 45% of patients are moderately or very concerned about HIPAA security breaches, with identity theft being the most looming fear. The same study reports that following a compromising breach, 54% of patients would likely change healthcare providers.
To reassure patients, first take steps to secure your practice. Evaluate your EHR system, insuring that you know how to use it properly and securely to protect patients. Make sure your operating system isn't preventing you from receiving crucial security updates. Then, you can explain your privacy standards to your patients.
The Software Advice study also revealed that most patients rarely or never read their healthcare providers' Notice of Privacy Practices (NPP), and very few read NPPs all the way through. Explaining the NPP to new patients is a crucial step in reassuring patients that their information is secure. Casey Quinlan, a health care advocate who has written about her experiences with breast cancer, says explaining NPPs is a huge component of strong patient engagement. "You sign it so the practice will deal with you, but half the time you don’t even know what you’re signing," Quinlan is quoted in the study. Informed consent is just as vital to patients' information security as it is to their health.
Utilize your patient portal to familiarize patients with your NPP. When you onboard patients to your portal, provide them with an explanation of your privacy and security standards. Having an easily accessible record will make them more likely to ask for help if they have concerns. Keep your patients updated on state laws regarding health information as well, since this can vary, and if you make changes to your procedures, keep them in the know. In the same way that portals give patients agency over their health, keeping patients informed on your security tactics gives them control over their private information.