The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules are the national standard for safeguarding protected health information (PHI). Patient data must be protected during electronic transmissions among hospitals and healthcare providers. The authors of this blog raise questions about serious gaps overlooked by information technology (IT) departments conducting HIPAA-required enterprise-wide risk assessments.
Few things are more private than information about our health. When entering a hospital or a doctor’s office, we typically focus on matters of personal health rather than on how our health information is going to be shared or on who has access to information about our medical conditions. When seriously ill, we aren’t worried about the sanctity of our information. We expect doctors to heal us and certainly don’t want to think about individuals or organizations that would benefit from stealing our private health data.
On the medical practitioner side, doctors and healthcare providers are adopting new technologies at an unprecedented rate. Healthcare companies use technologies to track patient conditions, physician prescription preferences, and other health-related information. Hospitals are making significant investments in cutting-edge technology, like the latest imaging devices and surgical robots, all to help ensure the health of their patients. These technology enhancements, no matter how time-saving and beneficial, cannot distract from patient care. Doctors must focus on the important challenge of healing; they don’t have time to think about who the bad guys are or who is looking to steal patient health information. The unfortunate truth, though, is that many bad guys are out there. The very complexity of the medical world means that data is flowing everywhere, ripe for the taking. A modern hospital, or even a doctor’s office, has evolved to become an ecosystem. In many ways, it resembles an IT company, employing technology specialists to deploy and maintain new technologies; in this case, they also ensure the organization follows HIPAA regulations, particularly regarding the security and privacy of PHI.
Protecting PHI is a daunting task since the IT staff must also bridge the gap between “the way things are” and “advancing the organization with the latest and greatest.” Unfortunately, as these new technologies are deployed, technology specialists sometimes focus on the near term and miss important tenets related to the overall mission of protecting patient information:
- The challenge of securing an organization increases with its scale and the number of different technologies called upon to serve its mission.
- The security or privacy of any particular piece of information is governed by the security of the weakest technology that touches that information.
- Organizations typically carry many legacy technologies upon which their members lean for familiarity and convenience.
- The overall technological landscape is rapidly changing, offering new tools to hackers and entities interested in acquiring PHI.
One should look at the organization’s entire technology ecosystem when considering the protection of PHI. Will that remotely controlled, surgical robot share information with another system that has not had the latest patches? How are geographically separated doctors sharing pre-surgical information with each other? Are the administrative staff members interacting with doctors and patients using technologies that prevent information from being seen by others?
How is new technology affecting hospitals and patient data?
Wireless technologies, which have been around for decades and are key enablers of the next generation of medical devices, are essential to hospitals because they are tetherless. Using wireless devices, doctors and nurses can roam anywhere within their organization, accessing patient records from a smart device, and remain on call while at a remote location. Wireless technologies are now integrated into pacemakers, inpatient vital signs monitoring, and insulin pumps, featuring new sensors that collect data and monitor patient well-being remotely in real time.
Unfortunately, for various reasons, wireless technologies are the weakest link in PHI protection. First, many wireless-enabled devices are being used without careful consideration of their security and privacy implications. In fact, wireless technologies are so convenient that one forgets to think about their security. Second, wireless signals are not physically contained the way a cable or a locked room is. With the right tools, their signals can be gathered beyond the confines of the organization’s building—hundreds of meters away (or more!). In fact, technological advancements have made it easy and affordable for adversaries to record and decode wireless signals. Third, many wireless devices, such as the new generation of wireless-enabled medical sensors, will be power-limited and might not be able to employ security mechanisms.
Today, anyone with a modest software programming background can acquire a wireless device, known as a software-defined radio, and program it to monitor wireless signals transmitted in the vicinity. For example, using a USRP X310 software-defined radio with a UBX RF daughtercard connected to a Linux laptop and running the publicly available GnuRadio software library, we found many wireless communications coming from a nearby hospital. The good news was that the internal Wi-Fi networks were all secured (using WPA2). The bad news was that some signals were not secured. In particular, zooming in on the 929 MHz band revealed many wireless signals (see figure).
This band is particularly important as it corresponds to one of the paging bands often used by the medical community. The actual communications are being sent using FLEX, a popular paging protocol developed by Motorola. FLEX transmissions are currently unencrypted, and understanding the communication signals is easy because publicly available code for the USRP can translate them. What one finds is alarming: full patient and physician names, dates of birth, social security numbers, medical conditions and diagnoses, phone numbers, and room numbers are all being transmitted in the clear!
How do I know if my organization is leaking patient data?
The paging system is one of those legacy technologies that have hung around because of their convenience. Doctors have used paging technologies for decades, and they may not be on the list of technologies that a hospital or doctor’s office IT staff tracks. They should be—so what can be done to protect PHI, in this case and in general?
- First, medical organizations should assess whether they are using any paging technology and then transition to a more secure paging alternative, such as cellular messaging or even “secure” paging apps that operate on smartphones.
- Next, they should take a broader inventory of technologies used by their employees—the latest and legacy. These should all be tested to see whether any form of security is being used to protect them.
- In cases where the technologies themselves do not use encryption or more generally are not secure, the IT staff should identify secure alternatives and work with the organization’s executives to compose a road map for adopting these secure alternatives.
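The second and third steps above come down to one question an IT team can answer from its own records: is PHI actually leaving the paging gateway in a form an unencrypted carrier would expose? The script below is an added example written for this post, not code from the authors or from any paging vendor. It assumes the organization can export the text of pages sent by its own gateway, one message per line, and it scans that export for the structured identifiers named in the text (SSN, date of birth, phone, medical record number, room). The sample messages are constructed and contain no real patients; patient names are deliberately not detected, since that requires a roster lookup rather than a pattern.

```python
"""Cleartext PHI check for a paging gateway's message export.

Added example, not from the original post. Assumes the organization can
export the text of pages sent by its own paging gateway, one message per
line. Any hit means PHI is being handed to the pager network in a form
that FLEX or any other unencrypted carrier would expose.
"""
import re
from dataclasses import dataclass

# Identifier patterns. Keyword-anchored where the bare number format is
# ambiguous (MRN, room); format-anchored where it is distinctive (SSN, DOB).
PHI_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "DOB": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "MRN": re.compile(r"\bMRN[:\s#]*\d{6,10}\b", re.IGNORECASE),
    "ROOM": re.compile(r"\b(?:RM|ROOM)\s*#?\s*\d{2,4}[A-Z]?\b", re.IGNORECASE),
}

# Constructed sample export; no real patients, and the SSN uses the
# never-issued 000 area number. A real run reads these from the gateway log.
SAMPLE_MESSAGES = [
    "ADMIT: DOE, JANE DOB 01/02/1960 SSN 000-12-3456 RM 412B DX: CHF EXAC",
    "Dr. Smith call ext 5-1234 re: consult",
    "MRN 0004567 pt ready for transport to CT",
    "Code team to ICU bed 7",
    "CB 555-010-0142 pt John Q. Public re: results",
]


@dataclass
class Finding:
    index: int        # position of the message in the export
    categories: list  # PHI categories found, sorted
    redacted: str     # message with each hit replaced by its category tag


def scan_message(text: str) -> dict:
    """Return {category: [matched strings]} for every PHI pattern that hits."""
    hits = {}
    for name, pattern in PHI_PATTERNS.items():
        found = [m.group(0) for m in pattern.finditer(text)]
        if found:
            hits[name] = found
    return hits


def redact(text: str) -> str:
    """Replace each PHI hit with a [CATEGORY] tag so findings can be logged safely."""
    for name, pattern in PHI_PATTERNS.items():
        text = pattern.sub(f"[{name}]", text)
    return text


def audit(messages) -> list:
    """Scan an export and return one Finding per message that carries PHI."""
    findings = []
    for i, msg in enumerate(messages):
        hits = scan_message(msg)
        if hits:
            findings.append(Finding(i, sorted(hits), redact(msg)))
    return findings


def summarize(findings, total: int) -> dict:
    """Counts an IT team can put straight into the risk assessment."""
    per_category = {}
    for f in findings:
        for c in f.categories:
            per_category[c] = per_category.get(c, 0) + 1
    return {"messages": total, "with_phi": len(findings), "by_category": per_category}


if __name__ == "__main__":
    results = audit(SAMPLE_MESSAGES)
    for f in results:
        print(f"msg {f.index}: {', '.join(f.categories)} -> {f.redacted}")
    print(summarize(results, len(SAMPLE_MESSAGES)))
```

The report only ever contains the redacted text, so the audit itself does not become a second copy of the PHI. A nonzero `with_phi` count on a FLEX gateway is the evidence needed to put paging on the inventory and start the road map toward a secure alternative; a zero count says nothing about names, which the patterns above do not cover.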
A little extra diligence can go a long way because many leaks can be easily fixed—such as by using a privacy filter (a useful item to install on most screens in hospitals) to prevent shoulder surfing attacks. Diligence needs to be exercised across the nation at all levels of the medical community, from small medical practices to large hospitals.
Ultimately, raising the bar for the casual hacker by plugging the easy security holes will help organizations return their focus to deploying new technologies that advance healthcare and permit doctors to dedicate their attention to healing patients.