There is much in the booming health care industry to entice an acquisition or integration. The boom has been accompanied by vast amounts of data digitized as electronic health records and myriad other formats. This data adds great value to health care organizations. Because of its value, data merits exacting protection from loss of any kind. The person keeping a finger on this particular pulse is the organization’s CIO.
Vulnerability Has Increased Along with Data
IT and data security is the prime responsibility of a health care CIO. The CIO is in charge of the controls over collection, maintenance and safeguarding of all data relating to patients, treatments, operations, purchasing, billing, HR and compliance. In today’s world, everything that goes into running a health care organization is digitized for accessibility. Accessibility brings convenience for use and analysis, but is also susceptible to harm through carelessness and theft. While employee mistakes — carelessness in sending or storing data, and losing laptops and cellphones — are still much to blame for loss of data security, cybercriminals are posing the most imminent danger.
Adding to this is the fact that the focus of many key personnel in health care organizations is on patient care, not on business. In taking care of patients, including handling emergencies, professionals might forgo even simple actions like locking their computers. Additionally, many health care organizations don’t have up-to-date computer systems with the security features that other industries have instituted; this leaves them open to attack. And health care systems are being attacked in great numbers. A Ponemon Institute study reports that data breaches in health care due to criminal activity have increased 25 percent over the past five years.[1] The sad fact is that in 2014, health care was the leading industry for breaches (42.5 percent) compared with other sectors, e.g., business (33 percent), government/military (11.7 percent), education (7.3 percent), and banking/credit/financial (5.5 percent).[2]
The reason for the escalation is that the return on health records is big money. Reuters reports that health records are worth 10 times more than credit card information on the black market.[3] David Reitzel, national Health IT leader in Grant Thornton LLP’s Health Care Advisory Services practice, has seen the activity’s disastrous ends: “Criminals discover a veritable treasure trove. Family and other personal information, always included in a medical record, can be used to answer security questions to gain entrance into myriad ‘protected’ spaces.”
As the dollar costs add up, the cost to reputation adds up as well. The results of data breaches affect business value; estimates must be examined during the performance of due diligence.
IT Security Is a Key Factor in Due Diligence
The market — how it is managed and maintained — has changed significantly over the past five to 10 years. When looking into deals, the only thing people used to worry about was email. Now, with everything digitized and held in data centers that might not be on site, it is much more complex from a technology standpoint. Someone from the CIO’s office needs to be at the table for two reasons: to understand the implications of the change being discussed by the bankruptcy/restructuring professionals, and to explain the IT and data security status of his or her organization.
Appropriate due diligence examines the state of the organization’s risks and the cybersecurity measures in place. Done properly, this means working closely with the CIO to understand both risks and measures.
If you’re a health system looking into acquiring physician practices, and you are potentially buying an entity that doesn’t understand its cyberrisks, you have a major problem. The acquisition could be a liability if you don’t have vital information about whether the entity has been breached, how well its applications have been managed, and whether its technology safeguards are in place and actively managed. You must also have answers to basic questions about its cybersecurity and breach policies: whether it has active breach and penetration management, whether it has defined indicators and points of compromise, and whether it is actually finding out what its issues are.
An essential data security element is compliance with the Health Insurance Portability and Accountability Act (HIPAA). Well-known to provider and payor organizations, HIPAA is intended to protect personally identifiable information. HIPAA compliance is imperative to the ongoing business operations of health care organizations. Failure to comply with HIPAA may not only result in regulatory actions such as fines, but may also cause business loss from lawsuits, damage to reputation and a drop in credibility with communities and providers.
It was recently reported that two health care organizations agreed to settle charges that they potentially violated HIPAA rules by failing to secure thousands of patients’ electronic protected health information held on their network. The monetary payments of $4.8 million include the largest HIPAA settlement to date.
With the potential for high costs in a poorly monitored IT environment, we advise requiring organizations to provide descriptions of their current state. The CIO should be expected to provide an explanation of how the three major components of IT and data security — people, processes and technology — are addressed. All must be understood and embraced by those within IT, and made an integral part of operations.
This checklist can assist in analyzing the thoroughness of the CIO’s security measures:
- Risk
  - Management of technology used within the physical domain, including connections to Wi-Fi
  - Knowledge of assets (e.g., biomedical monitoring devices, physicians’ wireless devices)
  - Procedures keeping pace with evolving resources and threats
- Culture
  - Awareness that care of patients includes protecting their privacy
  - Clarity about personal responsibility (e.g., not sharing passwords or bringing unauthorized devices to work)
- Business of IT/standards
  - Use of common frameworks such as those established by the Health Information Trust Alliance or the National Institute of Standards and Technology
  - Staying current with training, as well as technology
- Depth of security
  - Policies for security of physical space, from network to computer to applications to devices that access applications
  - Policies specifically for everyday security (e.g., making sure doors are locked, ID badges are used, unfamiliar people are questioned)
  - Procedures for controlling the network (e.g., onboarding of new vendors)
  - Teaming with compliance, privacy and general security officers
- Applications
  - Governance model for purchases of applications (i.e., consensus of decision-makers rather than selection by individuals)
- Legal aspects
  - Procedures to confirm that proper instruments are in place (e.g., business associate agreements and physician contracts to manage access)
A clear picture of controls should emerge, with the three major security components — people, processes and technology — each making a strong appearance. Only then can a true assessment be made of the health of the potential acquisition or integration.
[1] "2015 Cost of Data Breach Study: Global Analysis," Ponemon Institute, May 2015, available at nhlearningsolutions.com/Portals/0/Documents/2015-Cost-of-Data-Breach-Study.PDF.
[2] "Identity Theft Resource Center Breach Report Hits Record High in 2014," Identity Theft Resource Center, Jan. 12, 2015, available at www.idtheftcenter.org/ITRC-Surveys-Studies/2014databreaches.html.
[3] Caroline Humer and Jim Finkle, "Your Medical Record Is Worth More to Hackers Than Your Credit Card," Reuters.com, Sept. 24, 2014, available at www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924.