Securing the PII ‘crown jewels’ of health IT systems


Increased use of electronic health records (EHR) in the public and private sectors can provide a better, more integrated level of care for patients. But these digital records, if not secured properly, can also put health care providers at risk of leaking personally identifiable information.

The Government Accountability Office raised some of these concerns in 2016, when it identified gaps between what the Department of Health and Human Services recommended in its EHR guidance to covered entities – such as health care plans and care providers – and what the Commerce Department’s National Institute of Standards and Technology recommended.

In addition, HHS made recommendations to covered entities to improve the security of their electronic health records. GAO also found the agency did not follow up to see if, in fact, those entities were implementing their recommended actions.

Greg Wilshusen, GAO’s director of information security issues, told Federal News Network that so far this year, HHS has yet to implement the recommendations from the watchdog’s report.

And in the years since GAO first issued that report, the threat of health IT data breaches has only increased.

HHS’s Office of Inspector General, for example, maintains through its breach portal a list of health IT data breaches that impact 500 or more people. The portal, which dates back to February 2018, includes more than 600 breaches that meet those criteria.

“We have found several threats to this type of data, because it does contain personally identifiable information … that can, if not adequately protected, lead to such adverse impacts as identity theft, insurance fraud, as well as the loss of personal privacy and potentially even blackmail of the individuals whose information may have been compromised,” Wilshusen said in an interview.

When migrating electronic health records, Wilshusen said agencies should inventory the devices on their network, identify where PII exists on the network and who has access to it.

“The first step is to identify your crown jewels, so to speak, for this medical information and any sensitive information that the agency may have, and then assess the risk associated with that information,” he said. “What are the key threats? Who might be interested in gaining access to that information that shouldn’t have access to it?”

From there, Wilshusen said agencies should manage access to the PII and devices on the network through identity management tools like multi-factor authentication.

“Agencies are taking identity management and authentication very seriously, and I think there is a movement for moving towards more of a zero trust approach,” Wilshusen said. “In some instances, particularly with the movement to cloud computing, it may be a bit further along, but that’s something that we will be looking at going forward.”

In addition to preventing unauthorized access to electronic health records and avoiding data breaches, Wilshusen said agencies and industry also face challenges mitigating threats to Internet of Things-enabled medical devices.

IoT medical devices can provide a more complete picture of a patient’s health and identify particular problems or trends that a health care provider can address. These devices can especially benefit rural communities that have limited access to nearby health care facilities.

“There [are] a lot of benefits with using these types of devices and using the internet to help transmit medical information about an individual, either to the medical facility or providing that information to the patient,” Wilshusen said.

But IoT medical devices also face a slew of cybersecurity challenges. In many cases, these devices can’t easily update their software, making it difficult to patch known IT vulnerabilities.

“They need to be updated to help address those security threats on the software and often there’s not a meaningful way of doing that,” Wilshusen said.

In addition, agencies and industry also need to secure data in-transit to prevent malicious actors from intercepting that data to commit identity theft or even modify the data to cause harm to the medical device user.

On a related note, the public and private sectors have worked together on steps to secure the supply chain of health IT product to reduce the cybersecurity threats baked into devices.

Wilshusen said agencies could better ensure the safety of these products by integrating their cybersecurity requirements into the acquisition process and the contracts they hold with vendors.

“When you are considering different contractors or suppliers, conduct your due diligence to ensure that they have the appropriate controls in place,” Wilshusen said.

Those controls can include having vendors conduct background investigations on their personnel and robust quality control testing of the products – including software vetting and documentation to assure there aren’t malicious bugs in the software code.

Comments

Sign up for breaking news alerts