Healthcare industry group builds cybersecurity threat center

Health Information Trust Alliance wants Cybersecurity Incident Response and Coordination Center to battle cybersecurity problems

Looking to address growing cybersecurity threats in the healthcare industry, the Health Information Trust Alliance today said it has established a centralized Cybersecurity Incident Response and Coordination Center where organizations can report incidents and get help remediating electronic medical security problems.

The 5-year-old HITRUST group -- which is led by an amalgamation of healthcare and computing industry giants such as WellPoint, Kaiser Permanente and Cisco -- said it created the center with an eye toward helping the U.S. healthcare industry battle cyberattacks with timely alerts and by sharing relevant cybersecurity threat and event information.

"The group will focus on cybersecurity threats and events targeted at healthcare organizations in areas, including, but not limited to, networks, mobile devices, workstations, servers and medical devices. This sharing of information is crucial for organizations' preparedness, protection and crisis management," the group stated.

"The center is working initially with 14 leading industry organizations, representing health plans and health systems, and the U.S. Department of Health and Human Services to share various security incident information. The center will collaborate with HITRUST and others to identify and remediate incidents, and will also obtain and synthesize cyber threat and response information from numerous other sources to make the information more readily available to center participants. HITRUST will also lead the center's participants in evaluating appropriate tools and related security mechanisms to support the center's efforts," the group stated.

The HITRUST organization has already established what it calls a Common Security Framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information.

"As the healthcare industry continues its conversion process to full patient electronic medical records, it will most certainly become a more frequent target of cybersecurity attacks, and having such a system in place in the near future will be key to collaboratively responding and preventing such attacks," said Jorge DeCesare, chief data security administrator of Dignity Health, in a statement.

A recent Network World story helps define the cybersecurity problems healthcare organizations are facing. The article noted that a biannual survey of 250 healthcare organizations shows the percentage experiencing a patient data breach is up. And with the growth in electronic record-keeping, more of those problems are originating from laptops and mobile devices rather than a human slip-up in handling paper documents.

"Use of new technologies, in particular mobile devices in the workplace, has skyrocketed, creating new operational efficiencies and security vulnerabilities," noted the survey report, entitled the "2012 HIMSS Analytics Report: Security of Patient Data." The organization Healthcare Information and Management Systems Society also pointed out, "As mobile devices proliferate in exam rooms and administrative areas, so do the associated vectors of potential attack. Adding to this are the risks from employee negligence and organizational policies that have not kept pace with ever-changing technology."

The survey, commissioned by Kroll Advisory Solutions, asked chief information officers, health information managers, chief privacy officers and chief security officers working at 250 hospitals and medical centers about the number of data breaches they knew about over the past 12 months.

The survey found 27% of the respondents had at least one security breach over the past year, up from 19% in 2010 and 13% in 2008. The survey found 79% were attributed to employees, while most others were chalked up to actions from outsourced or contract employees.

While misuse of paper records, including their "improper destruction," was blamed over 40% of the time, the survey did show that computer-based security issues are multiplying fast, with the source of the breach attributed to actions or loss related to a laptop or handheld device about 22% of the time, up from 11% in 2010. Data breaches related to third-party vendors storing healthcare data are also growing, reported this year at 10%, up from 6% in 2010. In contrast, network breaches attributed to outside attacks were about 3%.

The report went on to state that the vast majority of healthcare institutions conduct formal risk analysis, relying mainly on federal guidelines such as CMS Meaningful Use requirements and the National Institute of Standards and Technology. The goal is to comply with the mandates of the American Recovery and Reinvestment Act of 2009, which includes funding for healthcare records, and the HITECH Act, which contains penalties for security lapses related to misuse of patient healthcare information.

Follow Michael Cooney on Twitter: @nwwlayer8 and on Facebook.

Copyright © 2012 IDG Communications, Inc.