OP-ED

Cybersecurity Check In

No one likes to think about the possibility that patients might be hurt or killed as a result of cyber attacks. But all signs indicate that this is a real possibility and a serious problem. Attacks on health IT systems such as EHRs or patient portals, on electronic medical devices, or on standard healthcare digital systems can threaten patient safety.

To combat the cybersecurity threat, Congress and the Obama administration passed the Cybersecurity Information Sharing Act of 2015, which established mechanisms for the US Government to collaborate with private industry to respond to cybersecurity threats. Lawmakers recognized the unique problems with cybersecurity in health technology and created the Health Care Industry Cybersecurity Task Force, charged with making recommendations to Congress regarding specific cybersecurity issues. To paraphrase, we are to investigate:

  1. What can the healthcare industry learn from other industries about cybersecurity?
  2. What are the special challenges that we face with cybersecurity in healthcare?
  3. What are the difficulties protecting electronic health record (EHR) systems and networked electronic medical devices?
  4. What cybersecurity study materials should the healthcare industry be exposed to?
  5. How should an organization designed to coordinate the sharing of cybersecurity threat information between healthcare industry players and the US Federal Government operate?
  6. Finally, we were asked to give Congress a written report summarizing all of the above.

Our Task Force is asking the healthcare, patient and technology communities for help in this assignment. We are asking for discussion on these issues to take place on platforms like The Health Care Blog, Reddit and Twitter, so the community may contribute new ideas as well as refine the ideas contributed by others. We are taking a crowdsourcing approach to cybersecurity ideation so we can aggregate and assess what people have to say about these issues.

Cybersecurity in healthcare is too complex for any small group to understand completely, and too important for any group to pretend that they can. We need advice. And we will listen to anyone who has the advice to give and the time to give it. We may not be able to follow your advice specifically. We might disagree with you, or your advice might not be something that fits into our narrow mandate, but we will do our absolute best to ensure that we at least consider it carefully.

If you think you have special insights on how best to protect the healthcare system from cybersecurity threats, please let us know, ASAP. We are already feeling the deadline for our report to Congress looming. We will be reading any responses you post on this blog, we will be hosting a discussion on Reddit soon, and we will be following tweets tagged with the hashtag #healthcybersecurity.

Thank You,

Fred Trotter

Member of the Healthcare CyberSecurity Task Force

kevinmass
Member

Perfectly shared the consequences of cyberattacks in the healthcare industry. The possibility of distressing patients is the worst thing. Being aware of cybersecurity is a mandatory factor in this era, not only for IT professionals in healthcare organizations but also for the whole staff.
If you wish to get more data about cybersecurity, be a part of cybersecurity healthcare community, https://www.opsfolio.com/

Steve2
Member

Any system that makes the data more secure, also makes it more difficult to access and less useful. Those of us who work in real time will lose access to important info. When I have 5 minutes to get a patient into the OR, I am not going to be able to find out about that aortic stenosis I wish I knew about. Making the data centered around the patient sounds like a great way to be more secure, but you can guarantee that patients will forget their card, PIN number or whatever you plan on using to access that…

William Palmer MD
Member

Don’t you think, Adrian, that the patients–pretty soon after enough horror stories come out–are going to demand certain data be excluded from the hospital’s and doctor’s EHR? We all are going to realize that security is on an asymptotic curve with dollars on the x axis and security never being attained on the y going to infinity. What can be an alternative? Could we use a system not based upon TCP/IP? Could we use anything digital as a replacement? Could that block-chain database idea be helpful? There are data in there that can cost a marriage. Or a job. Or…

Adrian Gropper, MD
Member

We will increasingly associate personal data with the person rather than some institution. The design will be such that breach of one person’s record will not mean breach of another’s any more than one housebreak implies another. People will take responsibility for their own information as individuals and that includes doctors as licensed practitioner individuals. The current EHR model is unsustainable for all of the reasons we see around the world. It’s not just about interoperability as you can see in the scaling and privacy problems of highly centralized systems like the UK NHS. The EHR will split into an…

William Palmer MD
Member

I hope your view comes to be. I like it. The patient centered idea, however, means that ASHBUP–all stakeholders but the patient–will hate it. Can it succeed if this is true?

Adrian Gropper, MD
Member

What can the healthcare industry learn from other industries about cybersecurity? Most industries that handle valuable personal information are transparent about it. I get notified when my data is accessed, I get a monthly statement of disclosures. Transparency helps uncover attacks. Why is OCR not enforcing the right to a HIPAA Accounting for Disclosures for all data exports including Treatment, Payment, and Operations? What are the special challenges that we face with cybersecurity in healthcare? Diversity of users is the special challenge. Integrated delivery networks and mega-EHRs routinely assemble dossiers on 5 million people or more. Unlike law enforcement or…

fredtrotter
Member

Adrian, thanks for highlighting some of the connections between cybersecurity and privacy. Could you be more specific? I know you think carefully about these issues.

Adrian Gropper, MD
Member

(a) http://thedatamap.org/ – a project led by Harvard’s Prof Sweeney, co-sponsored by PPR that just got a nice grant from the Knight Foundation, is mostly about how hard it is to track where data goes in healthcare. I’m not a security geek, but I’ve been told the first step to securing information is to know where it is. Not only don’t the patients know where the information is, but thedatamap and pervasive health industry practices to avoid transparency suggest that industry has little accountability either. (b) Rampant re-identification of longitudinal profiles by data brokers IMS Health, Optum, and many others…

Niran Al-Agba
Member

Agree with meltoots. The message to Congress should be slow down until we can be certain data breaches are less common. In the meantime, I suggest you work with as many smart IT people as you can find. There are many brilliant ones who comment on this site.

meltoots
Member

First, Certified EHR mandates patient portals, view download transmit, and every spoken word out of ONC and CMS is about interoperability of EHR data/APIs etc. In my opinion, ONC/CMS has pushed WAY too far and fast, and left the providers to bear the brunt of cybercrime all the while demanding easy flow of information. This is why we are seeing breach after breach after breach. Although interoperability “sounds great”, it has many current limitations and problems, and notably a big one is security. They are asking us to send TONS of confidential information around with limited resources, limited knowledge of…

fredtrotter
Member

Thanks meltoots. Obviously the interplay of interoperability and cybersecurity is of great interest to us. You indicate that interoperability-driven cyber events are “why we are seeing breach after breach”. Do you have any hard numbers on that? We are keen to get a handle, with more specificity, on how much poorly thought out interoperability efforts might be negatively impacting cyber.

meltoots
Member

Hey Fred, Did we have cybercrime in medicine prior to EHR? No. To steal medical records required a truck and a Xerox machine. HITECH mandated EHRs and the free flowing of information everywhere, all at once, all with providers with little to no sense of vulnerabilities. Now, I’m not against interop per se, but the mandates were premature and not well thought out. You can assess your HIPAA risk all you want, but if you are unlucky enough to be a target, we are sitting ducks. I am against the EHR certification and the mandates, they are way far behind,…