The health care industry has had its share of cybersecurity breakdowns over the years. According to a Doctor’s Lounge article, the vast majority of health care organizations have suffered at least one data breach within the last two years, although the same article notes that the number of organizations with five or more breaches has decreased. That’s good news, I guess, but you have to wonder why these health care companies are having so many breaches.
Earlier this year, the Identity Theft Resource Center revealed that the health care industry suffered 43 percent of all the breaches that occurred in 2013. It’s not hard to figure out why health care is targeted so often. These organizations hold massive amounts of intensely personal data.
As Jason Fredrickson, senior director of enterprise application development at Guidance Software, said to me during a conversation we had last week, the personally identifiable information (PII) is only one part of the data breach equation. It is the one that tends to get all of the attention, and to be honest, the majority of data breaches involving health care involve patient records. However, Fredrickson said there is a much bigger and scarier security breach looming within the health care industry:
What’s the first thing they do to you in a hospital? They hook you up to a bunch of machines that measure things, very personal things like your heartbeat, your blood cell count. That’s about as personal as information gets.
All of those machines are hooked up to computer systems. Many of the machines and systems in a hospital help to keep people alive as they recover from serious illness, surgery or an accident. And like any computer system, they need to be secured. Fredrickson added:
We need to use encryption and protection to prevent unauthorized access. We want to make sure the machines are connected to the network so doctors and nurses are able to see what’s going on with a patient, but we need to make sure that systems are secure so unauthorized people can’t see the data or mess around with the controls that would administer a massive overdose, for example.
So what can be done to protect these machines? Fredrickson suggested we need to implement a protective layer in the software. Except, that’s easier said than done. He explained that the moment you add encryption, it puts a load on the processor, which slows down the machine’s performance. In turn, a slower machine could put a patient’s life in jeopardy. Fredrickson stated:
We have a problem with the intersection between protection and performance. There is risk to life and there is monetary risk. Security within the health care industry is very complicated.
The result is that the security focus turns to protecting the data, rather than the devices themselves. According to Fredrickson:
It’s almost like we’re saying that if we can’t protect the device itself, at least we can protect patient records. But it is also more than just the records. It’s how the records are used and who controls the records – remember it isn’t just doctors and nurses but insurance companies.
After listening to Fredrickson, it isn’t very difficult to understand why the health care industry is so vulnerable to data breaches. But isn’t it time we started to consider better security options?