Is the health of your health records at risk? In our quest to make personal health data easily available to medical professionals and reduce the number of paper files, many countries have mandated the use of electronic medical records (EMR). The challenge is that these records are typically not well protected leaving the door wide open for cyber-thieves to steal this very sensitive information.
New York Time editor Nicole Perlroth captured this sentiment well in her recent article covering the security challenges of EMR. We all know the importance of a layered security approach, but I believe it becomes even more important as we begin to store data with this level of sensitive information. If this information is compromised and used by a fraudster to claim and receive payment for medical services that were never rendered, it can leave the unsuspecting patient with a fraudulent condition that could have ramifications long after the fraud has taken place. Not to be fatalistic, but the last line of the article: “Breaches are going to be one of the big challenges as more physicians and hospitals adopt electronic health records. We’re entering a brave new world” reminded me of the quote by Sony’s CEO Howard Stringer after Sony’s breach, except that Mr Stringer’s words were even bleaker: “It’s not a brave new world; it’s a bad new world.”
The issue becomes all the more pressing when you consider that in the U.S., the federal government provides incentive payments for doctors and hospitals to adopt electronic health records. As Nicole highlights, “some 57 percent of office based physicians now use electronic health records, a 12 percent jump from last year.” To add some context, Gemalto delivered its 100 millionth e-healthcare card in 2007.
So how do we address this critical issue? I have often talked about the merits of strong authentication as a way of providing high assurance of identity in access control. And I will continue to promote this as there are some concrete examples where strong authentication could have potentially prevented data breach. The article noted an example of a non-profit, Massachusetts eHealth Collaborative, that had a laptop stolen resulting in data loss of 13,687 patient records. This loss cost the non-profit $300,000 in legal, private investigation, credit monitoring and media consultancy fees almost bankrupting the practice. In good conscience I cannot say for certain that having strong authentication would have saved all of the fees associated with this type of loss, but I know strong authentication would make it significantly more difficult, if not impossible to access the data on the stolen machine.
With connected portable devices becoming common globally, the need to lock down access to portable devices using strong authentication is no longer an extra security measure – it is mandatory. Healthcare is an industry that deals with extremely personal information. So as doctor’s work to provide better care by leveraging a broader set of data points with a more complete view of all medical records, IT security professionals working in the healthcare industry need to prescribe the right solution to ensure health records are healthy and secure and only accessed by those whose identity can be verified through two or more factors of authentication.