The recent U.S. stimulus bill includes $18 billion to catapult the health industry toward the world of electronic health records. This is sure to light a fire under every hungry security vendor to position itself as the essential product or service necessary to achieve HIPAA compliance. It should also motivate healthcare IT professionals to learn where their sensitive data is located and how it flows. To be sure, with federal money allocated through 2014 for the task of modernizing the healthcare industry there will be many consultant and vendor businesses that will thrive on stimulus money.
Healthcare is unique in that storage of electronic health records is highly distributed between primary care physicians, specialist doctors, hospitals, and insurance/HMO organizations. Information has to be efficiently shared among these entities with great sensitivity towards patient privacy and legitimate claims processing. Patients want to prevent over zealous employers from performing unauthorized background checks on medical history; claim processors want to prevent paying fraudulent claims arising from targeted patient identity theft. The bill has two provisions which turn this into a tremendously challenging plan, and a daunting task for securing patient data:
- Citizens will have the right to monitor and control use of their own health data. This implies a large centralized identity and access control service, or perhaps a federated network of patient registration directories. Authenticated users will be able to reach into the network of health databases audit use of their data and payment history.
- Health organizations suffering loss of more than 500 patient records must publicly disclose the breach, starting with postings on the government's Health and Human Services website. This allows related organizations to trace the impact of the breach throughout the healthcare network, but care must be taken not to disclose vulnerabilities in the system to intruders.
These provisions alone may cause massive re-architecting of how the healthcare industry manages personal health data. Healthcare organizations need to share confidential patient data when necessary, erase copies of that data and expire access privileges when that need passes, and audit the entire process for intrusions and fraudulent activity. While healthcare organizations should take the long view when planning major projects, HIPAA expenditures can be focused to enhance this effort:
- Build real-time intelligence on the electronic flow of patient data. It is crucial to build actionable intelligence on traffic behavior -- source, destination, data, volume -- for healthcare protocols such as Health Level 7, X12, and even DICOM. Understanding the ebb and flow of health traffic allows security teams to focus removing inappropriate connections, and will make it easier to evolve electronic health record handling. There are network performance products acting on flow data or DLP products operating at application level inspection that can help.
- Minimize distribution of data; maximize view-only access. Challenge the need for affiliated organizations to retain copies of electronic health records. Those copies can only become unnecessary security risks in the future. Use virtualization for display-only access that keeps single copies of sensitive data in the protected data center, or be sure to scrub temporary buffers and files when terminating SSL sessions.
- Study how the credit card industry detects fraudulent transactions. An increase in electronic traffic of health records will surely lead to an increase in fraudulent payments. The credit card industry can teach healthcare how to rapidly detect and trace stolen identities, rogue organizations, and bogus transactions from financially motivated attackers.
The changes in healthcare and HIPAA regulations will cause daunting security challenges for the industry. While I am not convinced that the federal government can or should tell any industry how to protect electronic data, the reality is that they are. Healthcare security teams should move with a sense of urgency to totally understand information flows to be able to reduce the number of data repositories, communications lines, and individuals that must be secured.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.