Cybersecurity: Keeping Information Safe
Newswise — Just read the daily headlines to find them — cybersecurity breaches of healthcare organizations both large and small. Even the popular medical drama “Grey’s Anatomy” turned to ransomware when choosing a storyline plucked from real life. On the TV show, the fictional Grey Sloan Memorial Hospital staff members received a message on their computer monitors stating, “We own your servers. We own your systems. We own your patients’ medical records.” Then the perpetrators demanded a large sum of money in order for the hospital’s work to return to normal.
This type of security breach is exactly what Texas State University College of Health Professions researchers Dr. Alex McLeod and Dr. Diane Dolezel are hoping to resolve. While security breaches are becoming a prominent threat to the healthcare industry, explains McLeod, chair of the Department of Health Information Management and associate professor, the reasons why the breaches take place in this specific environment must be addressed.
A former captain with the San Antonio Fire Department Emergency Medical Services, McLeod is a natural fit for this research that combines his experience in healthcare with his education in information technology (IT). “When it comes to keeping health information safe, there is a natural link between computer security and healthcare data,” McLeod says. “Look in the news any day of the week, and you will see breaches. There have been more than 2,000 healthcare breaches since 2009. Millions and millions of records have been breached. If someone finds your healthcare record, it has enough information for that person to create credit in your name, use your information to obtain medical services, and simply wreak havoc in your life.”
Drawing from her experience working in IT, Dolezel was interested in the increasing data breach notifications she was seeing in healthcare. Combining forces, the duo began looking at specific data in order to determine what factors may be causing these breaches. Their initial research has produced a dozen published papers in professional journals including Decision Support Systems, a Tier 1 journal. They presented their findings last year at the annual Healthcare Information and Management Systems Society (HIMSS) conference.
Armed with data from the U.S. Department of Health and Human Services (HHS) about healthcare organizations with security breaches, McLeod and Dolezel matched those organizations with a list of factors from a HIMSS database. Aggregated from more than 6,000 healthcare organizations, factors included operating budgets, number of physicians using a pharmacy order entry system, number of part-time or contract employees, amount of money spent on security, number of patient beds, Wi-Fi use, and more.
After analyzing and matching the data, McLeod and Dolezel identified a list of factors that were consistent in the security breaches recorded in the HHS file. Those factors included the number of affiliated physicians working at the organization (the higher the percentage, the greater the risk); items related to technology, such as barcode readers; the number of births; the number of staffed beds; operating expenses; and the facility’s age.
While these factors may help manage cybersecurity risk, Dolezel says, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) should serve as an organization’s foundation for securing data. HIPAA requires organizations to develop and implement a risk management plan to protect patients’ data.
“Oftentimes, a risk management plan is developed,” Dolezel says, “but it is not implemented completely or monitored to see if it is doing the job it is meant to be doing; furthermore, upgrades to the security system may not get completed, providing opportunities for breaches to occur.
“It also comes down to human error. For example, most businesses and organizations, even in healthcare, allow employees to use their own electronic devices such as iPhones and laptops, and these can create big holes in a security system. Without proper security training, employees are not aware of the risk they present just by using their personal devices at work. IT security training should be conducted once a year,” Dolezel says.
“There are a lot of human elements to data breaching,” McLeod agrees. “In fact, we can fix the technology pieces much easier than we can fix the human errors, and it takes education, which the organization has to provide.”
As the two professors continue to research the cybersecurity risk of health information, they hope to make students aware of what’s happening in their growing field. Currently, Texas State offers bachelor’s and master’s degrees in Health Information Management.
With a growing need for more cybersecurity professionals, McLeod says that Texas State is exploring a multidisciplinary Healthcare Privacy and Security Initiative with departments across the university. Together, these departments will work toward future resolutions.
Dr. Mina Guirguis is a professor of computer science at Texas State University. His research is driven by the interplay of security, networks, and stochastic (random) control with research contributions in the areas of cyber-physical systems (CPS), networks and computing systems, and mobile cloud computing.
Guirguis is the director of the Intelligent Security Group. His research and educational activities are funded with more than $3.3 million in grants. In 2012, he received the National Science Foundation CAREER award.
“My research work focuses more on decisionmaking in adversarial environments — in which an attacker and a defender interact through a series of decisions. We use game theory and decision theory to study problems in cyber-physical systems, the Internet of Things, and cloud computing,” he says.
“In the near future, vehicles will be making decisions based on communications with each other and with the infrastructure. Drones will be delivering packages and even our meals in some restaurants. Our buildings will be making smart decisions regarding power consumption, distribution, and generation. Realizing the vision for CPS will require fundamental new theories that coherently integrate security, networks, and control.”
Protecting protocols in sensor devices
Dr. Qijun Gu, an associate professor of computer science at Texas State, looks into research that covers networks, security, and telecommunications. His current projects include vulnerability in sensor applications, authentication in ad hoc and sensor networks, and security in peer-to-peer systems. He explains that his research involves biometric data with the potential to be hacked. His goal is to protect the protocols of these devices and the software.
“My research in general is on security for any kind of embedded devices; some is directly related to the health of the human body,” he says. For example, he mentions insulin pumps controlling daily injections, which have the possibility of being hacked, and small computers such as smart watches that send data to other devices.
Some of his recently published articles include: “A Consumer UAV-based Air Quality Monitoring System for Smart Cities,” “Transient Clouds: Assignment and Collaborative Execution of Tasks on Mobile Devices,” and “Collaborative Task Execution with Originator Data Security for Weak Devices.”
Gu teaches undergraduate and graduate students in computer systems security and cyberspace security.