Hack Attack

February 1, 2005

How to protect digital information from attack

When former President Bill Clinton underwent heart surgery at New York's Columbia Presbyterian Hospital last September, several pairs of prying eyes tried to get a look-see at his record. According to the New York Daily News, 17 hospital workers were suspended for attempting to access Clinton's file, including a doctor, several supervisors, a lab technician, and a number of clerical employees.

The incident is more than a testament to the power of celebrity; it's also a reminder of the hazards of online health technology, which go hand in hand with its benefits. Few of the suspended workers at Columbia Presbyterian would have been able to access Clinton's file if it had not been conveniently stored in the hospital's electronic health record (EHR).

Like a host of other e-health technologies, the EHR is credited with making hospitals -- and a growing number of physicians' practices -- more efficient and better able to provide high-quality care. But e-health technologies also make the private information they're built to transmit more vulnerable to disclosure, whether by curious insiders, by accident, or at the hands of professional hackers.

And it seems the healthcare industry is especially vulnerable.

"If your bank had the same security precautions as your hospital or doctor's office, would you keep your money there?" asks Clyde Hewitt, a security consultant with CTG Healthcare Solutions.

The question is meant to be rhetorical, but the fact is that most physician practices simply haven't put much thought into security. Experts say that's true even though practices must meet the requirements of the federal HIPAA Security Rule beginning in April 2005.

Following on the heels of HIPAA's troublesome privacy regulations, the Security Rule says you must implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of any patient data that is either stored in an information system or transmitted electronically.

Even so, the vast majority of physicians are woefully unprepared to meet the HIPAA standards, according to a 2004 report from URAC, a nonprofit accreditation group. URAC's security audit found that just three of the more than 300 healthcare organizations it surveyed had a comprehensive security program in place. One reason, healthcare consultants suggest, is that practices that don't offer electronic services such as online scheduling or e-mail consults feel they're safe from the Internet's many security risks.

But are they?

Beware of spies

"I think doctors are deluding themselves if they believe they're safe just because their patient database isn't online," says Wayne Haber, director of software development for SecureWorks, one of a growing number of managed security service providers (MSSPs) that handle security for large healthcare organizations, banks, and utilities. "If they have an Internet connection for Web browsing or e-mail then their information is exposed. Hackers only need one way in."

David Kibbe, MD, director of the Center for Health Information Technology at the American Academy of Family Physicians, warns that the flood of viruses and spyware programs in circulation, much of it installed by Web users who are tricked into clicking on it, poses a far greater danger to physician practices than targeted attacks by individual hackers.

"It's difficult to get physicians, particularly in small practices, to pay attention to security," says Kibbe. "But they'd better get interested in protecting their LANs [local area networks] from worms, viruses, and malicious insults to their computerized systems because they can cause them enormous problems, from damaging the integrity of the data they use to causing downtime and delaying treatment, even impacting clinical care if they can't get the data they need when they need it."

What you can do

Thankfully, physicians can take measures to protect themselves, their patients, and their practices without spending an arm and a leg. Most of the measures suggested by security experts call for investing time, not money. By following them, you'll get the added advantage of meeting most of HIPAA's security regulations.

First, consider that some of your security headaches may already have been addressed by your IT vendors. Security experts stress that modern operating systems such as Windows XP (with Service Pack 2) and Apple's Mac OS X ship with a built-in firewall, although neither includes antivirus software, which must still be installed and kept updated. And many Internet service providers (ISPs), especially those catering to physicians, take strong security measures.

Say, for example, a practice uses a LAN to connect its in-house computers and gets secure e-mail and a free Web site from Medfusion or MedEm. The router that connects the LAN to the Internet typically includes a firewall that blocks unsolicited inbound connections, and the provider encrypts messages in transit through a secure server (HIPAA itself treats encryption as "addressable" rather than mandatory). Note what that setup does not cover: a firewall does nothing about a worm that arrives as an e-mail attachment or spyware that a staff member installs by clicking on it, which is exactly the threat Kibbe describes.

Even if you feel fairly secure, though, it's wise to take a few steps more:

Assign security to one person. HIPAA requires practices to name a security officer as the point person for implementing the regulations. Assigning the task to one individual is a good idea, anyway, says CTG's Hewitt, so long as it's a person of authority -- like a doctor or office supervisor -- and they are given the resources and time to do the job.

The security officer's charge is to oversee a formal security program, which includes conducting a risk analysis, writing policies and procedures, training employees, enforcing sanctions for violations, and ensuring that all computers are kept up to date with security patches.

Honestly assess the risks you face. HIPAA requires practices to conduct a formal risk analysis as a first step to developing a security program. A basic risk analysis consists of asking yourself common-sense questions about how you and your staff currently handle HIPAA-protected health information (PHI). Even if you think you're not transmitting PHI electronically, the risk analysis may turn up things you didn't realize you were doing.

The self-audit can take as little as half a day for a small practice, so unless yours is a large organization, beware of expensive consultants who offer to do it for you. There are several guides to the self-auditing process available online for a small fee. Make sure, though, that the guide you use is scaled to your practice's size, advises Tak Nobumoto, privacy/security officer for University of Buffalo Associates, a nonprofit management service for 18 individual practice plans affiliated with the University of Buffalo.

Develop a policy. Once you've assessed where and how your practice transmits PHI, you can develop a comprehensive security policy that outlines specific procedures your staff must follow to protect patient data. Guides to developing policies and procedures for the HIPAA Security Rule are available from the American Medical Association, the AAFP, and other physicians' associations, as well as organizations such as CAL HIPAA (www.calhipaa.com).

Educate your employees. After the notorious Sobig mass-mailing worm shut down the EMR used by Indianapolis allergist David Patterson, his office had to revert to paper processes for several days.

"Afterwards, we met with our staff and said, 'Look, this is a good time to talk about all the problems we can have with our computers,'" says Patterson. "We have a policy that we don't want them downloading anything they don't know or surfing to sites they don't need to visit."

Sanction violators. Perhaps the biggest security threat practices face is from insiders -- former or current employees. Sanctions for violating the security policy can escalate from verbal warnings to written warnings to unpaid suspensions to firing.

How do you know when someone is guilty of a violation? One important way is electronic auditing: the audit trail, or access log, that records which user opened or changed which patient's record, and when. Ask every IT vendor whether the product keeps such an audit trail for PHI and how you can review it. Then let employees know the capability is there. But be careful: if you have the ability to track access to PHI but don't regularly review the audit trails, you could be held legally liable if a patient files a formal complaint, because the log will show what you could have caught and didn't.
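A practical way to review audit trails regularly is to script the review. The following is an added example, not code from the article or from any EHR vendor. It assumes a simple comma-separated access-log export (timestamp, user, role, patient, action) and a care-team table listing which staff are expected to open which charts; the format, the thresholds, and the sample lines are all constructed for illustration. It flags three patterns: any access by someone with no treatment relationship to the patient, a chart opened by many different users in one day (the pattern behind the Clinton incident), and a user paging through several unrelated charts.

```python
"""Review an EHR access audit trail for signs of snooping.

Added example, not from the article or any EHR vendor. The log layout,
field names, thresholds and the care-team table are assumptions; a real
export will have its own schema, so adapt parse_log() to it.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export, one line per chart access:
# timestamp, user id, role, patient id, action
SAMPLE_LOG = """\
2005-01-10T08:02:11,jsmith,MD,P1001,view
2005-01-10T08:05:40,rjones,RN,P1001,view
2005-01-10T08:06:03,rjones,RN,P1001,update
2005-01-10T09:15:22,mlee,CLERK,P1001,view
2005-01-10T09:16:48,tdavis,LAB,P1001,view
2005-01-10T09:17:30,akhan,CLERK,P1001,view
2005-01-10T10:40:05,jsmith,MD,P1002,view
2005-01-10T11:02:19,rjones,RN,P1003,view
2005-01-10T11:20:00,mlee,CLERK,P1002,view
2005-01-11T07:55:12,akhan,CLERK,P1004,view
2005-01-11T07:56:01,akhan,CLERK,P1005,view
2005-01-11T07:56:44,akhan,CLERK,P1006,view
2005-01-11T07:57:30,akhan,CLERK,P1007,view
"""

# Assumed treatment-relationship table (e.g. built from the day's schedule):
# which staff have a legitimate reason to open which chart.
CARE_TEAM = {
    "P1001": {"jsmith", "rjones"},
    "P1002": {"jsmith", "mlee"},
    "P1003": {"rjones"},
    "P1004": {"jsmith"},
    "P1005": {"jsmith"},
    "P1006": {"jsmith"},
    "P1007": {"jsmith"},
}


def parse_log(text):
    """Turn the CSV export into a list of access records; skip malformed rows."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue
        ts, user, role, patient, action = (field.strip() for field in row)
        entries.append({"ts": ts, "day": ts[:10], "user": user,
                        "role": role, "patient": patient, "action": action})
    return entries


def out_of_band_accesses(entries, care_team):
    """Every access by a user with no treatment relationship to the patient."""
    return [e for e in entries
            if e["user"] not in care_team.get(e["patient"], set())]


def crowded_charts(entries, min_users=3):
    """Charts opened by at least min_users distinct users on one day.

    This is the 'celebrity patient' pattern: many staff peeking at one record.
    Returns (day, patient, distinct user count) tuples."""
    users_by_chart = defaultdict(set)
    for e in entries:
        users_by_chart[(e["day"], e["patient"])].add(e["user"])
    return sorted((day, patient, len(users))
                  for (day, patient), users in users_by_chart.items()
                  if len(users) >= min_users)


def chart_browsers(entries, care_team, max_unrelated=2):
    """Users who opened more than max_unrelated charts they have no relationship
    to on a single day, i.e. someone paging through records."""
    charts_by_user = defaultdict(set)
    for e in out_of_band_accesses(entries, care_team):
        charts_by_user[(e["day"], e["user"])].add(e["patient"])
    return sorted((day, user, sorted(charts))
                  for (day, user), charts in charts_by_user.items()
                  if len(charts) > max_unrelated)


def review(text, care_team):
    """Run all three checks over a log export and return the findings."""
    entries = parse_log(text)
    return {
        "out_of_band": out_of_band_accesses(entries, care_team),
        "crowded": crowded_charts(entries),
        "browsers": chart_browsers(entries, care_team),
    }


if __name__ == "__main__":
    findings = review(SAMPLE_LOG, CARE_TEAM)
    for e in findings["out_of_band"]:
        print(f"{e['ts']} {e['user']} ({e['role']}) opened {e['patient']} "
              f"with no treatment relationship")
    for day, patient, n in findings["crowded"]:
        print(f"{day}: chart {patient} opened by {n} different users")
    for day, user, charts in findings["browsers"]:
        print(f"{day}: {user} browsed unrelated charts {', '.join(charts)}")
```

On the sample data the review reports the clerk, lab technician and second clerk who opened chart P1001 with no reason to, flags P1001 as opened by five different users in one morning, and catches akhan paging through four unrelated charts the next day. The hard part in a real practice is the care-team table: it has to come from the scheduling system or the provider's patient list, or the "no relationship" rule produces noise. Findings like these are only useful if the sanctions policy above is actually applied to them.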

Don't forget the obvious:

  • Back up your systems. HIPAA requires a contingency plan covering a computer crash or other loss of data, and it's only common sense; test now and then that a backup can actually be restored.
  • Change all passwords frequently and use alphanumeric passwords with at least one uppercase letter. Don't choose obvious passwords (your child's name or your birth date) and don't post them where others might read them.
  • Change the default passwords on all your programs and network equipment. Many vendors still ship one generic user ID and password for every install to make it easier for them to make repairs, and anyone who knows that default can log in.
  • When someone claiming to work for a vendor asks for technical information about your systems, call the vendor back at the number you already have on file to confirm the request is genuine.
  • Disable the user IDs and passwords of departing employees as soon as they leave, rather than waiting for a periodic cleanup.

Finally, don't forget that real security includes the physical as well as the digital realm. Louis Carpenito, vice president of information security business strategy for Symantec, says he's more worried about the simple security lapses than the complex ones.

"What really irks me is that I'll be sitting in the doctor's office, waiting for an appointment, and I'll hear conversations on the phone mentioning a patient's name, discussing a health issue, who their payer is," says Carpenito, one of the country's foremost IS security experts. "I could collect a lot of PHI just sitting in the waiting room."

Todd Stein can be reached at
editor@physicianspractice.com.

This article originally appeared in the February 2005 issue of Physicians Practice.