Stemming the Tide of Cybercrime: Protect your Patients’ PHI

Human beings are not designed to handle large numbers. If someone owes you $100 but only pays you $1, you would rightly be upset. However, when considering two people who are worth $1 billion and $2 billion respectively, most people would consider them to be of similar wealth, when in fact one is vastly wealthier than the other.

Maybe this is why the PHI data breach statistics that the HHS make public on their website don’t make big news.

They should. Last year (2015), 111,818,172 patients and healthcare individuals had their data exposed by the hacking of US companies working in the healthcare industry.

This year alone, in the four months from January to April, the PHI data of 2,352,180 patients has already been hacked.

The numbers are staggering.

In practical terms, data breaches from US companies impact more people annually than the population of Germany.

But it gets worse. Not content with stealing data, attackers are now turning their attention to the booming business of ransomware, where the PHI data is encrypted by the attacker, who then demands payment in return for the key to decrypt the data. Some attacks make the news, but most don’t.

And it’s not that the attackers are getting smarter. The 2016 Verizon Report published last week reiterated that the same 10 vulnerabilities accounted for 85% of exploit attacks, with some vulnerabilities being older than the attackers who have been found to be exploiting them.

In an effort to encourage companies to find ways to close the floodgates themselves, last month the OCR initiated a new, stricter set of HIPAA audit protocols and has been increasing the number of multimillion dollar fines levied as a result of data breaches. Time will tell if this makes a difference.

So how do you ensure that the PHI you’re holding remains private?

There are two simple things you can do right now:

Ensure there is a Business Associate Agreement in place with any supplier or business partner that will potentially handle PHI. There is guidance on this on the HHS website; however, it is also important to get your legal team involved before any agreement is signed.

Put in place an SOP for regular security risk assessments of your systems. There is a free tool provided by HHS, but you will always gain more from an assessment performed by a qualified security expert. Ensure that the results are reviewed by your Senior Management Team. Put a plan in place to implement any critical recommendations and ensure someone owns that plan.

If enough organisations followed these two simple steps, maybe the breach numbers would reduce enough for us to get our heads around them.

Schrödinger’s Temperature Monitor

In 1935 Erwin Schrödinger devised a thought experiment in which he described a paradox of quantum mechanics. A cat was sealed in a box with a flask of poison, a source of radiation and a radiation detector. The flask of poison was linked to the radiation detector and would break if the monitor detected radioactivity. Although the half-life of the radioactive material was known, the precise moment that the radioactive energy was released and the cat became an ex-cat could not be determined in advance. Thus, as long as the box was sealed the cat could be simultaneously alive and dead. Only when the box was opened could the fate of the cat be observed.

Cell therapy products are typically more challenging to ship than traditional pharmaceutical products; you are, after all, shipping living cells (perhaps a little less challenging than a cat with a flask of poison). Even with robust mitigation strategies, temperature excursions do occur. Using conventional temperature monitors, the manufacturing centre or treatment centre will only discover that there has been a temperature excursion once the shipment of starting material or therapeutic agent has been delivered to its final destination and the shipper opened. Much like the fate of Schrödinger’s cat, while cell therapies are in transit one could assume that they are both within and outside their shipping specification.

TrakCel has integrated with temperature monitors that can provide real-time data, and by configuring TrakCel’s platform, warnings and alerts can be received should shipping temperatures exceed pre-set parameters. However, to use real-time data effectively, strategies need to be formed for addressing temperature warnings during shipments so that temperature excursions are prevented. Real-time data is of great value when shipping therapeutic agents (and starting material) from patients who may only have one chance of treatment, or where collecting starting material is an invasive procedure which a patient may not want to repeat.

It is pointless to use these real-time monitors if you are unable to obtain access to the shipment in transit. To use real-time data effectively, the following needs to be considered:

· If access to the shipment is possible, how will the current custodian be notified should a temperature warning be issued?

· What can be done, or what equipment is required, to return the shipment to the desired temperature at each step of the journey?

· What resources are required to continuously monitor the shipment?

Real-time monitoring can be an effective tool for ensuring that medical supplies arrive within specification. However, the resources and planning required currently preclude this technology from being used for low value shipments; real-time monitoring technology may be better suited to high value products and challenging supply chain models.

No cats were harmed during the writing of this blog.