As I was on my way home from the recent Healthcare Information and Management Systems Society (HIMSS) conference, two things on my mind were ogres and onions.
One of the sessions I attended reviewed Florida’s system for evaluating eligibility and managing access for healthcare and other government benefits. The key insight, for me, was the number, breadth, and sophistication of criminals targeting healthcare, and the increasing demand for stolen patient records. Estimates vary, depending on the source, but all of them put the black-market value of a stolen healthcare record at many times that of a stolen credit card number.
Although I already knew the risks, I had never spent time considering the situation end-to-end. Beyond very private medical information, health records contain insurance, credit card, bank account and SSN details, plus contact details for patients and relatives: a gold mine for criminals.
For the individual, the damage from a lost patient record can include emptied bank accounts, maxed-out credit cards, exhausted lifetime insurance benefits, impaired ability to get credit and jobs for years to come, and inaccurate, dangerous information in permanent healthcare records.
In healthcare, we often think about the impact of breaches in terms of regulatory fines. As the actual damage from lost records escalates, is it time we gave added consideration to the risk of civil suits and class actions?
As I sat staring at the Atlantic, I remembered a fantastic CISSP class, presented by Dr. Bill Hancock. He described how effective security, like ogres and onions, has layers.
I realized how much lip service is given to security versus action because security is mistakenly considered a toggle. More on this later.
Today, when securing patient records, we need to understand the motivation behind stealing them in order to anticipate our adversary. Although records contain private clinical details, the clinical details themselves generally have little financial value; the identifiers and financial data around them are what criminals monetize.
Consider that in the US, nearly 3 trillion dollars per year is spent on healthcare. To put this into perspective, the US healthcare economy exceeds the GDP of every country in the world except China, Japan and Germany. This fiscal reality is so significant that everyone from physicians and pharmacists to organized crime syndicates is targeting healthcare, often through the use of stolen patient records and identities.
What does this have to do with ogres and onions?
Dr. Hancock related a story about a security audit he did for an organization. Paraphrasing the dialog as I remember it, the CSO of the organization assured Dr. Hancock, within the first few minutes of their meeting, that "security is our absolute top priority". Dr. Hancock’s response was "where are your dogs?"
Confused, the CSO responded "we don’t have any dogs." "Why not?" asked Dr. Hancock. "Well, they would have to be fed and cared for, they could create risk to employees and visitors and create liability." Dr. Hancock responded "you just named a few of the things that you consider more important than security."
Dr. Hancock’s point wasn’t that the company should have dogs; his point was that security should not be considered binary. It is never a question of whether we are secure or not. Instead, it is something we work towards incrementally, in appropriate layers, knowing we will get better but never perfect.
In healthcare, as in many other industries, breaches often occur when data is inappropriately stored (often unencrypted) on a laptop that is then stolen or lost. Breaches also occur when data is accessed through a device that is not physically secured, or that remains accessible to current or past employees, vendors or other individuals who should no longer have access.
This isn’t surprising. Two of the weakest points in security are 1) users, who tend to underestimate security risk and are susceptible to social engineering, and 2) endpoints, which are relatively difficult to secure because, in many cases, they can’t be physically secured while continuing to provide needed value.
Implementing software that adds its own distinct layer to your security strategy is a good step for healthcare organizations looking to minimize these risks. Start by learning how to improve security using context (physical location, device type, time of day, role and many other key data points). You can get more advanced by instantly and automatically managing access to data, drives, applications, USB storage and other IT services based on that context.
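To make the context idea concrete, here is an added example of a context-aware access decision, written for this page and not taken from any product mentioned here. The roles, device classes, business-hours window and resource names are assumptions for illustration. It evaluates deny-first, so a disabled account (a former employee), an unmanaged or unencrypted laptop, a remote request at an odd hour, or a removable drive on the wrong kind of device is refused with a reason that can be logged, while an ordinary on-site clinician on a managed device gets through.

```python
"""Context-aware access control for patient records (illustrative example).

Added example: the policy, roles, device classes and helper names below are
assumptions for illustration, not the logic of any particular product.
"""
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class AccessContext:
    user: str
    role: str                 # assumed roles: "clinician", "billing", "contractor"
    account_active: bool      # False once HR offboards the user
    device_managed: bool      # True for organisation-enrolled devices
    disk_encrypted: bool      # full-disk encryption verified on the endpoint
    location: str             # "onsite" or "remote"
    local_time: time          # time of day at the requesting device
    resource: str             # "patient_record", "billing_app", "usb_storage"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Assumed window in which remote access to patient data is permitted.
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Assumed role-to-resource entitlements; anything not listed is denied.
ROLE_RESOURCES = {
    "clinician": {"patient_record"},
    "billing": {"patient_record", "billing_app"},
    "contractor": {"billing_app"},
}


def _in_business_hours(t: time) -> bool:
    start, end = BUSINESS_HOURS
    return start <= t <= end


def evaluate(ctx: AccessContext) -> Decision:
    """Deny-first evaluation of one access request.

    Order of checks: disabled accounts never get in (covers past employees
    and vendors); removable storage is only usable on managed devices on
    site; a role must be entitled to the resource; patient data is only
    served to managed, encrypted endpoints, and remotely only during
    business hours. The first failing rule decides, so the reason names
    the exact control that blocked the request.
    """
    if not ctx.account_active:
        return Decision(False, "account disabled")

    if ctx.resource == "usb_storage":
        if ctx.device_managed and ctx.location == "onsite":
            return Decision(True, "removable storage on managed on-site device")
        return Decision(False, "removable storage blocked off-site or on unmanaged device")

    if ctx.resource not in ROLE_RESOURCES.get(ctx.role, set()):
        return Decision(False, f"role {ctx.role!r} not entitled to {ctx.resource!r}")

    if ctx.resource == "patient_record":
        if not (ctx.device_managed and ctx.disk_encrypted):
            return Decision(False, "patient data only on managed, encrypted devices")
        if ctx.location == "remote" and not _in_business_hours(ctx.local_time):
            return Decision(False, "remote access outside business hours")

    return Decision(True, "all context checks passed")


def _request(user, role, resource, *, active=True, managed=True,
             encrypted=True, location="onsite", at=time(10, 0)) -> AccessContext:
    """Helper to build constructed sample requests for the demo."""
    return AccessContext(user, role, active, managed, encrypted, location, at, resource)


def demo() -> list:
    """Run a handful of constructed requests and return (user, resource, allowed)."""
    requests = [
        _request("dr_lee", "clinician", "patient_record"),
        _request("ex_employee", "clinician", "patient_record", active=False),
        _request("dr_lee", "clinician", "patient_record", managed=False),
        _request("dr_lee", "clinician", "patient_record", location="remote", at=time(23, 30)),
        _request("vendor", "contractor", "patient_record"),
        _request("dr_lee", "clinician", "usb_storage"),
        _request("dr_lee", "clinician", "usb_storage", location="remote"),
    ]
    return [(r.user, r.resource, evaluate(r).allowed) for r in requests]


if __name__ == "__main__":
    for user, resource, allowed in demo():
        print(f"{user:12} {resource:15} {'ALLOW' if allowed else 'DENY'}")
```

In a real deployment the context fields would be populated from the identity provider, the device-management inventory and the network location of the request rather than typed in by hand; the point of the example is that each decision is an ordered set of layered checks, not a single on/off switch.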
Every part of securing healthcare is getting harder. There are more, and more sophisticated, attempts to break your security, and the financial risks are greater than ever.
If you would like to dive into healthcare fraud, the National Health Care Anti-Fraud Association is a good place to start.
Doug Coombs is director of healthcare strategy at RES Software, responsible for developing IT strategies for healthcare organizations.