It was déjà vu for data security expert Michael "Mac" McMillan when he heard a hacker had tried to extort money from an Illinois medical group whose patient records and e-mail messages the intruder had accessed and encrypted.
"This is classic," McMillan said. "We saw this countless times in the 1990s with community banks. They would get access to the accounts with people's data and send the bank director a ransom note."
McMillan is the founder and CEO of CynergisTek, an Austin, Texas-based security consulting firm serving the healthcare industry.
He hasn't heard of another incident in the healthcare industry in which encryption was used to hold a provider's data hostage—at least not yet—but "it doesn't surprise me that it's happened," he said.
When other industries computerized their business processes, security trailed, McMillan said. "They all went through these phases, where the big guys at the top did it first and the little guys dragged their feet."
In healthcare, "with all this digitization and data-sharing, you become more and more vulnerable to threats from the Internet," he said.
The hack job on the computer system of three surgeons in Libertyville, Ill., a northwest suburb of Chicago, was discovered in June but wasn't publicly revealed until recently. The investigation was turned over to the Secret Service—an agency most widely known for its work protecting the U.S. president, but that possesses other skills, too.
"The Secret Service is the organization within the federal government that has executive agency over computer security crimes," McMillan said. "Typically, when they get involved, there is some form of interstate extortion or threat or something big that can cross state lines or international boundaries."
Encryption is a standard security procedure for moving patient information over the Internet, but not so much for patient records just sitting there on a computer not going anywhere.
So one thing that jumps out in the CMS' new Stage 2 meaningful-use rule is the increased emphasis on encryption for so-called data at rest—that is, patient-identifiable records on servers, hard drives and portable devices.
Under Stage 1 rules, providers are required to perform a risk assessment, as they are required to do under the security provisions of the Health Insurance Portability and Accountability Act.
Now under Stage 2, they must give serious consideration to encrypting that data (PDF, see pages 132-136).
Why the change in emphasis?
HHS certainly backed up the old regulatory dump truck and pulled the lever, spilling out 1,354 pages of legalese in three separate health information technology-related rules.
One was the CMS' long awaited Stage 2 meaningful-use final rule affecting providers, running a sumo-sized 672 pages.
Another was a companion rule from the Office of the National Coordinator for Health Information Technology, coming in at a hefty 474 pages and targeting IT developers on certification criteria for electronic health-record systems.
Finally, the third rule, also from the CMS and weighing in at a comparatively svelte heavyweight 208 pages, does three things. It pushes back to 2014 the compliance deadline for ICD-10, tweaks an earlier rule on the national provider identifiers, and—after 16 years—establishes a set of health plan identification numbers first called for in the Health Insurance Portability and Accountability Act of 1996.
Like many of you, I'll be spending the weekend poring over the new rules, and I'll be giving you my take on them in the coming weeks.
A few things come to mind right now, one being that perhaps the feds got a few things right, based on the mixed criticism that quickly emanated from healthcare industry leaders tracking—and lobbying—the federal rulemakers.
For example, the American Hospital Association quickly fired off a summary, praising the feds and the CMS in particular for "a shorter meaningful-use reporting period for 2014," but quickly adding an expression of disappointment "that this rule sets an unrealistic date by which hospitals must achieve the initial meaningful-use requirements to avoid penalties." The AHA also said that the CMS "complicated the reporting of clinical quality measures and added to the meaningful use objectives, creating significant new burdens."
"IT Everything" is on vacation Aug. 20-27.
Personal health records and health record banks are nothing new.
Then again, neither are data breaches, consumer surveys saying people want their privacy rights respected and provider surveys indicating, within limits, that they'd like to respect their patients' privacy desires.
As medical records breaches proliferate, most folks in the health IT security community think of encryption as a defensive measure, not a technology to be defended against.
Better think again.
A unit of the Homeland Security Department—created to investigate attacks on critical national infrastructures—is on the cyber trail of a hacker who cracked into the computer server of three northern Illinois surgeons, locking them out of more than 7,000 of their patients' medical records by encrypting them and demanding payment for the decryption key.
Healthcare providers, if I'm wrong, you can taunt me with this in 2013, but I'm going to predict that in a year's time, without government intervention, patients are going to jackhammer their way into your electronic health-record systems with data from their Apple or Android phones and tablets.