
Is your PHI safer than Jennifer Lawrence's naked photos?

From the mHealthNews archive
By Eric Wicklund , Editor, mHealthNews

The near-constant stream of naked celebrity photos appearing online is forcing healthcare providers to face a chilling reality: No matter how much they try to protect health information, their best efforts will be useless unless the consumer plays his or her part.

And that's not going to happen anytime soon.

"It's not a technical issue any more," says Mario Duarte, director of security for GoGrid. "It really comes down to the user."

Faced with a proliferation of mobile devices in and outside the enterprise, providers are scrambling to make sure devices that they can control – tablets and laptops within the facility and those used by doctors and nurses – are secure. But when business uses collide with personal uses (as in doctors and nurses bringing their own devices to work) or when the consumer gets involved in health information exchange, those protections fall short.

In short, using your e-mail address as a user name and your mother's maiden name as a password isn't going to cut it any longer.


"As we move a lot of these health services down to the consumer level … I think one of the things we're going to need to do is educate them (and) make them partners" in protecting their sensitive health data, Duarte said. "Ultimately, we have to get the consumer involved."

David Holtzman, vice president of compliance for Cynergistek, added that "providers are protecting themselves, but consumers need to take that added step of protecting themselves, too."

Following the embarrassing breach of celebrity accounts, Apple reactivated two-factor authentication for iCloud (it had been disabled in June). With two-factor authentication, users enter their password, then are sent a message with an extra identification code to gain access; services like Google, Twitter and Facebook use a randomly generated, one-time-only four-digit code.
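The two-step flow described above, as an added illustration (not code from Apple, Google or any other service named here): the password is checked first, then a freshly generated one-time code must be presented. All names, the five-minute expiry and the three-attempt cap are assumptions for the example; the four-digit length follows the article. Because a four-digit code has only 10,000 possible values, the cap on guesses and the single-use rule are what make it worth anything.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 4          # four-digit one-time code, as the article describes
CODE_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 3         # assumed: with only 10,000 possible codes, guesses must be capped
PBKDF2_ROUNDS = 200_000  # assumed work factor for the constructed password store


class Accounts:
    """Constructed password store: salted PBKDF2 hashes, never plaintext."""

    def __init__(self):
        self._users = {}  # user -> (salt, digest)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[user] = (salt, digest)

    def check_password(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)  # constant-time compare


class SecondFactor:
    """Issues and verifies random one-time codes: expiring, single-use, attempt-limited."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing
        self._pending = {}           # user -> [code, issued_at, attempts_left]

    def issue(self, user):
        """Generate a fresh code for user; the caller delivers it out of band."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = [code, self._clock(), MAX_ATTEMPTS]
        return code

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False                      # nothing issued, or already consumed
        code, issued_at, _ = entry
        if self._clock() - issued_at > CODE_TTL_SECONDS:
            del self._pending[user]           # expired: force a new issuance
            return False
        if not hmac.compare_digest(code, submitted):
            entry[2] -= 1
            if entry[2] <= 0:
                del self._pending[user]       # too many wrong guesses: discard the code
            return False
        del self._pending[user]               # correct: single use only
        return True


class TwoStepLogin:
    """Password first, then the one-time code; both must pass."""

    def __init__(self, accounts, second_factor):
        self._accounts = accounts
        self._second = second_factor

    def step1(self, user, password):
        """Returns the issued code on success (a real service would send it, not return it)."""
        if not self._accounts.check_password(user, password):
            return None
        return self._second.issue(user)

    def step2(self, user, code):
        return self._second.verify(user, code)


if __name__ == "__main__":
    accounts = Accounts()
    accounts.register("alice", "Fluffy likes big fat mice.")   # constructed sample account
    login = TwoStepLogin(accounts, SecondFactor())
    code = login.step1("alice", "Fluffy likes big fat mice.")
    print("password ok, code issued:", code is not None)
    print("second step:", login.step2("alice", code))
```

`step1` returns the code only so the example runs offline; in a deployed system the code goes to the user's phone or authenticator and the client never sees it from the login response.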

Another approach finding favor is the use of longer passwords, or passphrases, including entire sentences. Instead of signing on with the name of your cat Fluffy, you'd be typing out something like "Fluffy likes big fat mice."

"With consumers, I don't think one approach is going to be the best solution," said Duarte. "And in healthcare, the reality is that it's never been just one person or group in control of the data. A lot of people need to be involved."

While providers might not be able to keep tabs on information stored by their patients, they can make sure the data they have is protected. This includes health information stored offsite in the cloud.

David McHale, senior vice president and chief legal officer for The Doctors Company, which bills itself as the nation's largest physician-owned medical malpractice insurer, said the cloud can be appropriate for healthcare providers looking to store health records and information – if those providers conduct due diligence.

"Telling a vendor that they must be compliant and secure in handling data is not the same as actually being compliant and secure, and whether a vendor actually complies is a different matter," McHale said. "As with many new technologies, the level of safety of the cloud, and whether it’s appropriate for use, depends entirely on the vendor. The recent publicity around the hacks of public cloud storage websites should be a sobering message for healthcare practices that utilize the cloud to store the personal health information (PHI) of their patients."

McHale offers four suggestions for providers eyeing the cloud:

  1. Identify all areas of vulnerability and develop secure office procedures, such as sign-in sheets that ask only minimal information, procedures for the handling and destruction of paper records, and policies detailing what devices are allowed to contain PHI and under what circumstances those devices may leave the office;
  2. Encrypt all devices that contain PHI and train all staff on how to identify and protect PHI;
  3. Audit and test all physical and electronic security policies and procedures regularly; and
  4. Make sure you have the proper insurance in case of a breach.

Jason Wang, CEO of TrueVault, notes that a cloud vendor that identifies itself as being HIPAA-compliant might be only partially compliant, or not at all (or even exaggerating to get more business).

"How are they HIPAA-compliant? HIPAA has multiple safeguards," Wang said. "There are multiple check-boxes that need to be checked. The burden is on the providers to ask those questions."
