- For all the talk of new and emerging technological approaches to safeguarding health data, end-users could very well pose the greatest threat to sensitive health information moving forward. “The reason for that is most organizations are getting better at securing their enterprise assets, so the healthcare information system is well secured,” explains Andy Feit, CEO of Enlocked, a developer of secure email solutions. “The patient databases are locked down pretty tight now.”
No matter how seemingly impregnable these health data systems become, they will not be without their flaws, and chief among them is the end-user, particularly one whose ignorance of or disregard for best practices makes him easy prey for hackers. And with the expansion of access points as a result of mobile devices, the threat is only going to multiply.
“The biggest hacks historically have always been when someone broke into a giant credit card database,” argues Feit. “We’re going to see attacks become more targeted and less about going after the big data. And part of that is education.”
One area of special concern and promise for the healthcare and health IT community is secure messaging. While email is the most convenient form of messaging between providers and patients, it poses security risks under HIPAA, making the two odd bedfellows. “HIPAA’s been around for years now and it’s always said that if you’re going to do any communications, it has to be secured and encrypted. Most people took the approach that means no email. For most users, not being able to email is a big limitation because it is the way they work,” notes Feit.
Making email a viable medium for communicating sensitive health data requires encryption, which has failed to become widespread in practice. Why are encryption programs such as Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG) not used by the healthcare community despite their ready availability? The answer lies in the time and expertise necessary to implement them. “Your average doctor and many of the patients, especially when you get into elderly care, you’re talking about people who are not tech-savvy and are not willing to take the time and energy to work with it,” adds Feit.
When extended to mobile platforms, these solutions have proven even more cumbersome:
The biggest difference is it’s pretty hard to do for the most part on a mobile device with past solutions. I say that with good experience using GPG, PGP — all those tools. Every platform you want to install it on — you want to put it on your iPhone — you need to go get another app. You need to copy your keys over. There are steps you need to make: you want to send something from that device; getting someone’s public key is difficult. It’s a cumbersome process for most of the things out there.
Whereas large healthcare systems are capable of integrating encryption into their health information systems (HIMs), small providers are limited by resources. “Whether it’s an independent psychiatrist, psychologist, or a five-physician physical therapy site, they’re all subject to HIPAA. They don’t have the resources on the IT side to implement stuff in-house,” says Feit.
Companies like Enlocked are trying to negotiate these barriers to entry (i.e., finances and technical expertise) by laying encryption over existing infrastructure and business practices. Its approach uses PGP to send encrypted email messages securely via a browser or an iOS/Android app and circumvents the need to store messages on a server or device.
In light of the recent HIPAA omnibus ruling, such approaches to encryption will become increasingly necessary for healthcare organizations and providers to remain compliant and avoid costly penalties, especially those resulting from health data breaches. “What we’re going to see change in the next year or two are the number of breaches of privacy data that are coming about through more common mechanisms, whether it’s a password breach or an email interception,” Feit predicts.
Although technical advancements continue to identify and repair holes in the security of health data, they are no substitute for knowledgeable and cautious end-users.