Cybersecurity for Case Managers: Background and Impact

Pat Stricker, RN, MEd
Senior Vice President
TCS Healthcare Technologies
 
Cybersecurity is the responsibility of the Information Technology (IT) team, right? Nurses don’t have to worry about that, right? WRONG! While IT may be responsible for managing the overall cybersecurity of an organization, each of us has an individual responsibility to be aware of cybersecurity, how it affects health care and the privacy of our patients, and what procedures we need to follow to assure safe security practices. This article is the first in a series of three that will discuss these topics and how they relate to our individual role as case managers.
 
Working in the medical technology field, I’ve always been very aware of cybersecurity issues, but I became more aware of how relevant it was to the practice of nursing when I attended a webinar entitled "Cybersecurity: Implications for Nursing Professionals" presented by the National Cybersecurity Institute in conjunction with the National Association of Hispanic Nurses. The webinar discussed the growing impact of cybersecurity issues in health care, as well as its financial implications and its impact on patient care. I would like to share some of the information from the webinar, as well as other facts I found while researching cybersecurity.
 
The Healthcare and Public Health Cybersecurity Primer: Cybersecurity 101 describes cybersecurity as the "protection of the cyberspace and related technologies, from records and electronic data to the physical structure of security systems." Cyberspace is the interdependent network of IT infrastructures (the Internet, telecommunication networks, computer systems, and embedded processors and controllers). In simpler terms, cybersecurity is the defensive measures and activities taken to protect a computer or computer system against unauthorized access or attack. It includes infrastructure, data, information systems, databases, hardware components, and software.

While we, as nurses, may not have an in-depth understanding of the intricacies of cybersecurity, it is important for us to understand the evolving role of cybersecurity in health care today and how that affects our role. Threats are becoming more sophisticated while organizations struggle to prioritize and implement more effective security requirements. Unfortunately, the threats usually evolve more quickly than the security measures, so organizations are striving to assure that their measures are dynamic, up-to-date, and include commonly accepted practices.

Over the last 20 years, as computer systems and the internet have become an increasingly integrated part of health care, protecting patient information has become much more complex. It used to be rather easy: records and reports were hard copies kept in the patient’s chart, which sat in a protected area of the physician’s office, hospital, or health care facility and was accessible only to a limited number of people. Things are very different now. Far more people have access to patient information. It can be sent to multiple people by email, fax, or text, and it can be accessed from computers, laptops, mobile devices, and smartphones. It can also be stored in numerous places, such as laptops, mobile devices, network drives, CDs, DVDs, thumb drives, and smartphones. While we do have security procedures that try to limit access to those with a need to know, ensuring the privacy of patient information is a huge challenge.

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to: protect health insurance coverage for workers and their families when they change or lose their jobs (Portability); protect health data integrity, confidentiality, and availability (Accountability); combat waste, fraud, and abuse; promote the use of medical savings accounts; improve access to long-term care services and coverage; and simplify the administration of health insurance.  

Now that we have a better understanding of what cybersecurity is and how the HIPAA regulations are used to protect the privacy, security, and confidentiality of protected health information (PHI), let’s take a look at some statistics on data breaches (the unauthorized disclosure of information) that show the widespread effect and significance of these cyberattacks on health care.
    o Introduction of malware or virus (58%)
    o Outsider unauthorized access/theft of data (42%)
    o Loss/theft of equipment (38%)
    o User error (35%)

    o Theft and loss of laptops and other equipment accounted for 46% of security incidents. Health care was the only industry in which theft and loss were a major cause of security incidents (the next closest was public administration at 19%). The high percentage was attributed to the devices not being encrypted, which meant each loss had to be reported. If the lost or stolen devices had been encrypted, the incidents would not have had to be reported as breaches, because the data would have been considered "secure".

    o Insider misuse by employees or trusted third parties who intentionally or unintentionally damaged a system or stole data accounted for 15% of security incidents. Based on the Ponemon Benchmark Study on Patient Privacy and Data Security, 75% of organizations considered employee negligence their biggest security risk, although the study also noted that organizations were lax, because they had not conducted audits to identify who was accessing patient data.

    o Unintentional actions directly compromised patient information in 12% of the security incidents. Examples included: inserting one patient's information into another patient's envelope; provider websites that made patients' information available to the public; and decommissioning computers or medical devices without properly removing patient information ("rendering PHI unusable, unreadable, or indecipherable").

Let’s take a look at some of the factors that make health care data breaches so common. Many health care organizations have old, complex legacy systems, which are harder to patch and easier to exploit, and most maintenance on older systems is done manually, which increases the risk of missing something or making a mistake, opening the system to hackers. Health care organizations also have a large number of different systems that contain huge amounts of data, which makes it very challenging to monitor all the diverse systems for potential vulnerabilities. In addition, many organizations do not have the dedicated resources, time, and money to develop and maintain a realistic, tactical incident response plan and to be able to rapidly mobilize it to isolate an attack, protect critical files, and reduce the amount of information leaving the system.

When looking at the reasons for cyberattacks and the overwhelming statistics related to breaches, one might think we are facing a losing battle to curtail the loss of data. However, there are some encouraging trends that are showing improvement in cybersecurity.  
    o The theft or loss of data from portable devices should continue to decline significantly due to the safe harbor provision in the Breach Notification Rule, which states that "Covered entities and business associates must only provide the required notifications, if the breach involved unsecured protected health information." "Unsecured" means the PHI has not been "rendered unusable, unreadable, or indecipherable" (encrypted). Therefore, encrypting devices and data, which is a relatively simple process, should significantly reduce the number of breaches of unsecured PHI.
    o The number of breaches decreased slightly (the share of organizations reporting more than 5 incidents was lower in 2013 (38%) than in 2012 (45%)).
    o The average economic impact of data breaches was $2.0 million, a decrease of almost $400,000 (17%) from 2012.
    o The size of the breaches also decreased (the average number of records per breach was 2,150 in 2013, compared to 3,000 in 2012).

So, given these widespread cyberattacks, the cost of breaches, the business disruption, and the effect on patients, what can we do to stop them? While there is no way to totally stop cyberattacks, the risk can be significantly reduced if organizations: are diligent about continually reassessing their HIPAA-compliant infrastructure; implement HIPAA-compliant guidelines and best practices; and continually educate (and monitor) employees regarding their role in cybersecurity.

Health care organizations face a challenging uphill battle to modernize systems and reduce risks, but it can be done. We have had nine years of data breach research, which has increased our knowledge of the causes, how to identify potential problems, and what needs to be done to reduce or avert risks. Organizations need to assure that IT teams have dedicated staff with the resources, time, and money to develop, maintain, monitor, and enforce stringent cybersecurity policies and practices. Employee education is also a critical aspect of reducing risk. All system users need continuous education so that they are aware of their responsibilities in maintaining cybersecurity.

Now that we have looked at the causes and impact of cybersecurity breaches, next month’s article will focus on specific, practical things we, as nurses, can do to help improve cybersecurity and assure we are not the individual responsible for a data breach.

Pat Stricker, RN, MEd, is senior vice president of Clinical Services at TCS Healthcare Technologies. She can be reached at pstricker@tcshealthcare.com.