Tag Archives: HIPAA violations


Is Blockchain Right for Healthcare?

You may have heard that blockchain is “the next big thing.” And while “next big things” seem to rain from the sky in the tech world, there may be some truth in this particular case.

Blockchain came on the scene in 2008, the brainchild of a still-anonymous person or team of people called “Satoshi Nakamoto.” Despite these tantalizingly mysterious origins, blockchain is well understood and implemented as a distributed ledger to both protect and disseminate important information.

But how does this apply to healthcare?

Does blockchain really have the opportunity to upend how medical computers, EMR, and even clinical studies operate?

What is Blockchain?

The “block” portion of “blockchain” refers to encrypted vaults of information, while the “chain” refers to the connections with other, similar blocks of data.

Blockchain, at its heart, is a way to safeguard digital data by sharing it with thousands of users simultaneously.

The basic idea is that blockchain keeps data safe by keeping it encrypted and redundant, not unlike how iCloud or Dropbox protects files by storing them in multiple locations.

The data is difficult if not impossible to corrupt, because it’s being compared with the same version of the file hosted on every other computer connected to the block. And this checking occurs nonstop, confirming the authenticity of each alteration and transaction.

This is where the term “distributed ledger” comes into the equation. Since everyone can see the changes and transactions done to any data in the block — and who made those changes — the ledger is secure. It’s like having your own team of perfect, robot accountants auditing your EMR computer hundreds of times a day.
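To make the “distributed ledger” idea concrete, here is a small added example (not code from the original post or from Cybernet) of the integrity part of the mechanism: an append-only audit ledger of EMR changes in which each entry records who changed what and is hash-linked to the previous entry, so a silent edit on one copy is detected both by the copy’s own chain check and by comparing heads across replicas. Encryption of the record contents is left aside; the entry names, MRN values and change descriptions are constructed sample data.

```python
import hashlib
import json
from copy import deepcopy

# Constructed sample: an append-only audit ledger of EMR changes.
# Each entry is chained to the previous one by hash, so changing any
# earlier entry breaks every link after it.
GENESIS_HASH = "0" * 64


def entry_hash(entry):
    """Hash the canonical JSON of an entry, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append(ledger, actor, record_id, change):
    """Append a change attributed to `actor`, linked to the previous entry."""
    prev = ledger[-1]["hash"] if ledger else GENESIS_HASH
    entry = {"index": len(ledger), "actor": actor, "record": record_id,
             "change": change, "prev_hash": prev}
    entry["hash"] = entry_hash(entry)
    ledger.append(entry)
    return entry


def verify(ledger):
    """Return the index of the first broken entry, or None if the chain is intact."""
    prev = GENESIS_HASH
    for i, entry in enumerate(ledger):
        if entry["prev_hash"] != prev or entry["hash"] != entry_hash(entry):
            return i
        prev = entry["hash"]
    return None


def replicas_agree(replicas):
    """Every copy must be intact and end at the same head hash."""
    heads = {r[-1]["hash"] if r else GENESIS_HASH for r in replicas}
    return all(verify(r) is None for r in replicas) and len(heads) == 1


def demo():
    """Three intact replicas; one node then silently edits entry 1."""
    ledger = []
    append(ledger, "dr_lee", "MRN-0001", "allergy: penicillin added")
    append(ledger, "nurse_kim", "MRN-0001", "blood type: O-")
    append(ledger, "dr_lee", "MRN-0002", "DNR directive on file")
    replicas = [deepcopy(ledger) for _ in range(3)]
    replicas[1][1]["change"] = "blood type: AB+"  # tampering on one node
    return verify(ledger), verify(replicas[1]), replicas_agree(replicas)
```

Recomputing the tampered entry’s own hash does not help the attacker: the next entry still carries the old hash in `prev_hash`, so `verify` fails one index later, and the replica’s head no longer matches the other nodes.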

Why is Blockchain Needed in Healthcare?

Primarily, blockchain can help healthcare providers avoid the avalanche of HIPAA violations that have fallen on the industry as of late.

The number of breaches appears to be growing, and with it the price tag of the fines being levied. In 2014, Columbia University and New York Presbyterian Hospital settled a fine for a data breach to the tune of 4.8 million dollars, which at the time was the highest fine ever handed out.

In 2017, Memorial Healthcare System, a Florida-based healthcare group, suffered a data breach that compromised over 115,000 patient and staff records. They were forced to pay a $5.5 million settlement.

But in 2018, Anthem, one of the largest healthcare groups in the world, forked over a record-obliterating 16 million dollars in fines after 78.8 million member records were compromised by hackers.

Either hackers are becoming more adept, IT systems are falling behind, or the amount of digital information in unsecured storage has increased. In all likelihood, all three of these factors are responsible for the rise in both data breaches and ensuing fines.

Since laws and regulations around the country — and indeed, around the world — are only forcing more patient data to be digitized and shared, there’s only one way to securely move forward and protect both patient information and hospital liability: an encrypted, incorruptible distributed ledger like blockchain, with access available right on the nearest medical cart computer in any exam or patient room.

Implementing Blockchain

Integration with EMR systems and EMR computers is priority one.

As it stands, many healthcare groups are on different EMR programs and standards, making transfer of medical data difficult. This transfer is also a common breach point for hackers and data thieves.

Electronic Medical Records

Unsecured transfer of data is an easy target, which is what makes blockchain so useful. Because data is encrypted, copied, and stored on every computer in the block, there’s no transfer to scoop up. There’s no single vulnerable point that can be hit by DDoS attacks or corrupted by a virus.

The implications of a secure, incorruptible system for electronic medical records point to a potential sea-change in how data is stored. Imagine storing patient consent forms like organ donor consent, living wills, and DNR directives, all easily accessible by the authorized users. Double down on security with a medical computer equipped with two-factor authentication like a smartcard (or RFID, or biometric) scanner and a quick pin code.

That’s a one-two punch of security that can make HIPAA compliance a breeze.

Clinical Trial Data

There are other, far-reaching uses for both secure and easily-accessible data. Clinical trials and medical studies, for instance, are often made difficult by the logistical issues of having to store and collate a wealth of data. In the case of multiple parties contributing to a trial or study, the problem is only compounded.

Then add in that clinicians often have to de-identify the patients in the trials (but also have the ability to re-identify them for implementation or health reasons), and you’ve got a multi-headed hydra of potential data breaches.

Storing clinical study data on a blockchain is a perfect use of the technology and something that health giants like Pfizer and Amgen are already considering.

Blockchain for Preventing Fraud

Of course, not all theft comes in the form of hacking. Both insurance fraud and drug fraud cost hospitals (and sometimes patients) millions of dollars a year.

Preventing Health Insurance Fraud

In 2014, there were 2.3 million cases of medical identity theft, and the number has only been rising ever since.

This identity theft was usually for the purposes of either scoring prescription drugs or for using a patient’s insurance for “free” medical procedures.

This particular form of fraud is particularly devastating because it affects patients and healthcare providers alike, both of whom can have their reputations and finances irreparably damaged.

And, even worse, if the thief does receive treatment, their information (blood type, risk factors, allergies, even diagnoses) can get mingled with the actual patient. If this happens, it could cause incorrect diagnoses, medication complications, or the infusion of incorrectly-typed blood which can seriously injure or even kill someone.

There are even other potential consequences of medical identity theft: a Utah woman, Anndorie Cromar, was nearly arrested (and almost had her children taken away) when an identity thief used her insurance to pay for maternal services. The thief’s baby tested positive for drugs, and since the name on the birth certificate was “Anndorie Cromar,” police and Child Protective Services descended quickly on the wrong person.

The mix-up was eventually sorted out, but not without money, frustration, and what turned out to be the scare of Cromar’s life.

Blockchain technology can mitigate some of the issues — the patient can have an encrypted ID vault on the block, one that the provider can use to make sure that the person standing in front of them is the real policyholder (or the policy holder’s authorized dependents or partner). This ID vault could contain a picture, all ID paperwork, and even biometric data depending on consent and regulations.

Then, the clinician need only check the data against the patient in front of them to prevent most forms of health insurance fraud. They don’t even need to be sitting at a computer — they could grab a nearby medical tablet and pull up the data then and there.

Tracking Drugs and Eliminating Counterfeits

The nature of blockchain’s distributed ledger is a perfect match for inventory and drug-tracking all throughout the supply chain.

The “Drug Supply Chain Security” act, established in 2013, mandates electronic drug tracking in the United States. A secure solution like blockchain is practically custom-built for verifying drug transactions, authenticating barcodes, and keeping every step of the shipping and use chain fully recorded and protected from illegal tampering.

Medical computers with integrated barcode scanners streamline the process. If you already have a USB-powered barcode scanner, medical panel PCs are capable of powering those peripherals on their own, just from the built-in batteries of the PC itself.

Those same medical PCs can also come with built-in two-factor authentication, making them compatible with the SUPPORT bill and a vital tool in combating the opioid crisis.

Combining Blockchain and Healthcare

Blockchain isn’t a perfect panacea to cure all data security problems forever, but its secure, incorruptible nature (combined with staff education and good network hygiene) makes it an excellent solution to many of healthcare’s current data-handling issues.

To learn more about integrating blockchain with EMR and secure medical computers, contact Cybernet today.


Are BYOD Policies in Healthcare a Mistake?

“BYOD” stands for “Bring Your Own Device,” and its potential implementation is a conversation being had in many workplaces, schools, industries, and hospitals.

In theory, it’s an effective cost-cutting measure: everyone is walking around with an advanced, mobile touchscreen computer in their pocket at all times. Why not leverage that ubiquitous technology, all the while saving the business some money on buying medical tablets for every employee?

While BYOD policies sound great on paper, are they actually effective? Do they do more harm than good?

Personal Devices Are a Hornet’s Nest of HIPAA Violations

The greatest flaw in any BYOD policy is almost always security — how do you ensure that the phone a staff member carries at home, at work, and out to the club is protected? How can you guarantee that the employee is always logging out of work applications, especially if they take work home with them as part of their job? Lines become even blurrier, and confidentiality suffers.

Imagine a doctor or nurse snaps a quick picture of an injury on their cell phone for later reference or sends it to another clinician for a second opinion. Even if the patient consented to this, is the text message software secure? Is the receiving phone or device secure? What happens if either is hacked or stolen?

Are all pictures snapped by the phone automatically backed up to the cloud? Some users may not realize this happens automatically, depending on the phone’s settings. Is the staff member’s Dropbox or iCloud shared with anyone else? How encrypted is it? What other, non-secure device is the cloud service backing up to? A home computer, a bedside iPad, a husband or wife’s laptop?

Of course, this doesn’t just apply to images. Ask yourself all of these questions regarding a text or email about a patient’s condition or personal details to another clinician. Think about what note-taking software is being used on the phone, and where that’s stored. Some staff members may record their thoughts or case reports into a phone recorder app, which may be backed up to the cloud or other, less secure devices.

Does the user even have a password on their phone or tablet? According to the “Consumer Security Risks Survey” from Kaspersky Labs, only half (53%) of mobile users have a security solution installed on their smartphones. And 20% weren’t even aware that mobile malware existed.

Each one of these avenues is a potential HIPAA violation, which can cause an individual or a branch thousands of dollars in fines and potentially more in active lawsuits.

Consider the Liability

Mobile devices get stolen or misplaced all of the time. Unlike dedicated hospital medical tablets, a staff member’s personal cell phone or tablet is going home (or out) with them. And considering that 44% of smartphones were stolen in public places, and 14% from burglarized houses, the odds of losing their phone increase dramatically if they take it from the workplace.

If the device gets dropped or stolen at work, is the hospital liable? If the policy requires that staff bring their personal devices instead of using hospital-provided medical computers and medical tablets, there’s an argument that could be made. An argument that probably would be made, by an attorney.

Before implementing a BYOD policy, make sure employees know what’s required of them and what the liabilities are. Having employees sign documents that codify this policy — to legally protect the hospital — will be job one.

Can Personal Devices be Managed by IT?

The IT department at a hospital or medical office (or, really, any facility or industry) performs a whole host of important jobs.

They maintain computer hardware and software, set up and manage the network, and ensure that data is protected and secure, just to name a few.

Devices that are officially owned by the hospital can all be managed with IT network software. Hospital or office-owned medical tablets are constantly under the watchful eye of the IT department. The IT team also keeps all device software updated to prevent bugs and known security breaches. They install anti-virus and firewall software on managed devices, and ensure that those programs are working and up to date.

Installing, troubleshooting, and maintaining all of these processes often requires that the tech have hours of access to the medical computer in question. With a BYOD policy, tech access to someone’s personal cell phone is extremely limited, if it’s even allowed.

Sometimes, due to liability concerns, the tech may have little to no access at all. This turns the individual user — a doctor or nurse — into the primary tech for their own device. And, unfortunately, many don’t have the time or aren’t up to the challenge.

This neglect or misunderstanding can lead to software patches not being installed and lax anti-virus maintenance, which can open up huge security holes for any device or network.

A SecureEdge Networks report indicated that as it stands, 80% of all BYOD devices are completely unmanaged by the IT team. Compare that to the standard practice of managing all medical tablets and computers in a facility, and the vast security gulf becomes more clear.

BYOD Policies Lack Standardization

Even with the proper policies in place, and a secure environment for users to log into confidentially, there comes the most frustrating feature of BYOD policies: lack of standardization.

The medical tablets and other medical touch screens purchased by the hospital typically come from the same vendor, and are running the same operating system and even use the same parts. This standardization allows IT to choose software and hardware peripherals that work with any device in the hospital.

With hundreds of unique personal devices, things get dicey.

While staff members may enjoy the familiarity of their own devices, that doesn’t mean productivity is necessarily increased across the board. When staff members have devices from a dozen different manufacturers, with different operating systems (on different versions, with different patches), trying to make software and communication work is no easy task.

Hospital apps, messaging services, and secure hospital data vaults have to be compatible with Android, iOS, Windows, and manufacturer-specific tablet OSes. Frequently used website portals must be compatible with Chrome, Safari, and half a dozen other mobile browsers.

And, most importantly, if there is a conflict, the IT department is responsible for maintaining access across dozens of different platforms and browsers. Assuming the policy even allows IT to maintain the BYOD devices, that puts a huge strain on the tech team.

To BYOD or Not to BYOD

According to an extensive study by the Ponemon Institute released in 2016, data breaches are a constant problem for almost every hospital.

In their study, they found that “nearly 90% of healthcare organizations…had a data breach in the past two years.” They then went on to report that “45% had more than five data breaches in the same time period.” Considering that the average cost of a data breach is somewhere upwards of $2 million, the math speaks for itself.

BYOD policies are not without their benefits — they’re excellent short-term solutions, especially for facilities that don’t have the budget for as many dedicated medical tablets or computers as they need. BYOD has been known to boost morale, and when implemented properly can increase communication.

However, most of the studies that found this data looked at standard businesses who don’t have to worry about the stringent confidentiality and security requirements of HIPAA.

Still, with HIPAA violations costing companies like Anthem over $16 million, healthcare can ill afford to play it fast and loose with potential security breaches.

Contact Cybernet today to learn more about creating a secure network of purpose-built medical tablets and medical computers in your facility.