Health-care organizations like the University of Mississippi Medical Center have now become a favored target of cybercriminals.
The Ponemon Institute, an independent research organization focused on privacy, estimates that medical identity theft affected 1.8 million people in the United States at a cost of $80 billion in 2015 alone.
The institute suggests criminals were able to exploit information from medical records to commit fraud four times more often than other types of identity theft.
A series of educational initiatives being launched by the Division of Information Systems and the Office of Compliance will alert UMMC employees and students to health-care information security threats and how they can be avoided.
“Over the last 10 years, most organizations have moved from a heavy paper records system to electronic health records -- for example, UMMC's move to Epic,” explained Nadia Fahim-Koster, interim chief information security officer. “Data is now more transportable, much more accessible. It can be transferable.
“Unfortunately, it can also be vulnerable to non-ethical hacking events.”
Medical identity theft can be used to file false or inflated insurance claims, to obtain free treatment or to purchase prescription drugs. RSA, a globally recognized security solutions provider, relates that medical fraud can take more than twice as long to identify as regular identity information.
And it can happen to any organization. According to a private and confidential report by the Ponemon Institute, “No health-care organization, regardless of size, is immune from data breach.”
In response to this emerging reality of health-care business, Fahim-Koster said DIS conducted a risk assessment last year to “consider the threats to our health-care IT environment. Issues were discussed and areas for improvement were identified, plans were put in place, and we started tightening and updating controls to make our information security stronger.”
But even with this increased focus, limitations remain.
Hartman Holliman, director of the Information Technology Project Management Office, said an organization can implement every information security measure available and follow each regulation to the last letter but still remain vulnerable.
“There's still the human factor,” Holliman said. “We can put in the very best tech, but it only takes one person being tricked into clicking that malicious link to expose us to something bad.
“One click can go around millions of dollars of technology.”
Which is why DIS and Compliance are focused on providing UMMC employees and students with the tools they need to thwart any breaches of the institution's medical information systems.
Throughout the next several months, announcements about information security-related news, events and items of concern will be posted on the Office of Information Security webpage, Twitter account (@ITatUMMC) and UMMC Intranet Scroll; information security will be integrated into DIS' quarterly electronic newsletter; digital signage and printed notices tailored to specific information security themes will be displayed throughout the Medical Center campus; and DIS representatives will be on hand to provide information security information at brown bag lectures, new student and new employee orientation and other campus events.
Plans are also in the works for interactive online gamification modules that teach information security concepts to be distributed to faculty, staff and students and for town hall-style meetings on information security to be hosted by institutional leaders.
"We want to make sure everyone understands the risks that are out there,” said Kevin Yearick, chief technology officer. “We can prevent these problems from getting inside our network through a combination of technology and awareness.
“Although problems exist, we remediate those through the proper response.”
Data breaches occur for a host of reasons -- when information that by law must be protected is lost, stolen or disposed of improperly, hacked by people or programs not authorized to have access to it or sent to others who do not have an official need to receive it.
Threats can range from cyberattacks to simple employee negligence. They can result in significant monetary losses, but what's worse for health-care institutions like UMMC is the threat to patient safety.
“Having a virus can create an incident that can shut a system down,” Fahim-Koster said. “That can result in patient harm. Sometimes it's more than just patient confidentiality -- it's also maintaining the integrity of the information.
“Patient information could be tampered with and displayed inaccurately, leading to a medical mistake.”
Not to mention a severe loss in trust.
“Personal health information is really no different than financial information,” she said. “The way you would expect your financial information to be secure at a bank, you would expect the same level of security of your personal health information.”
“Our customers will go elsewhere if we can't provide this,” Yearick said. “If they can't trust us as health-care providers, we've lost our mission.”
Because UMMC maintains a robust and effective IT department, some employees and students can be lulled into a false sense of security that, should a breach occur, DIS will just take care of it.
“A lot of people may think that DIS is just going to handle information security for them,” said Julie Green, IT program manager. “But it's important for them to know that they play a role in security as well.”
“Information security is everyone's responsibility,” Fahim-Koster said. “It's not just DIS, the vice chancellor, the COO of business operations -- every single individual is responsible for the security of information.”
Yearick admits integrating sound security measures into their regular daily routines may seem inconvenient for some employees and students.
“Change is naturally difficult,” he said. “People get apprehensive when it comes to IT. But we are going to be changing the way we do business, and we'll have a strong focus on the security of our information assets.”
Especially since the initiatives carry the full support of Dr. LouAnn Woodward, vice chancellor for health affairs, and her entire executive leadership staff.
This logo, featuring "Checkie," will accompany important posts on the UMMC intranet scroll that pertain to information security.
“The support from our executive leaders has been above and beyond expectations,” Fahim-Koster said. “We've been given full support to really put this program in place.
“The support from institutional leadership is a critical factor to the success of this program, and IT leadership's cooperation and willingness to make this happen is phenomenal to me.”
She said the information security initiatives will last “as long as needed until it is entirely ingrained in the Medical Center's culture.”
“Creating a culture of information security is part of our aim,” Holliman added. “Not doing so is not an option.”
For more about information security, click here.
2500 North State Street
Jackson, MS 39216
General Information: 601-984-1000
Patient Appointments: 888-815-2005