Cybersecurity Check In

No one likes to think about the possibility that patients might be hurt or killed as a result of cyber attacks. But all signs indicate that this is a real possibility and a serious problem. Attacks on Health IT systems such as EHRs or patient portals, electronic medical devices, or on standard healthcare digital systems can be a threat to patient safety.

To combat the cybersecurity threat, Congress and the Obama administration passed the Cybersecurity Information Sharing Act of 2015, which established mechanisms for the US Government to collaborate with private industry to respond to cybersecurity threats. Lawmakers recognized the unique problems with cybersecurity in health technology and created the Health Care Industry Cybersecurity Task Force, charged with making recommendations to Congress regarding specific cybersecurity issues. To paraphrase, we are to investigate:

  1. What can the healthcare industry learn from other industries about cybersecurity?
  2. What are the special challenges that we face with cybersecurity in healthcare?
  3. What are the difficulties protecting electronic health record (EHR) systems and networked electronic medical devices?
  4. What cybersecurity study materials should the healthcare industry be exposed to?
  5. How should an organization designed to coordinate the sharing of cybersecurity threats between healthcare industry players and the US Federal Government operate?
  6. Finally, we were asked to give Congress a written report summarizing all of the above.

Our Task Force is asking the healthcare, patient and technology communities for help in this assignment. We are asking for discussion on these issues to be on platforms like The Health Care Blog, Reddit and Twitter, so the community may contribute new ideas as well as refine the ideas contributed by others. We are taking a crowdsourcing approach to cybersecurity ideation so we can aggregate and assess what people have to say about these issues.  

Cybersecurity in healthcare is too complex for any small group to understand completely, and too important for any group to pretend that they can. We need advice. And we will listen to anyone who has the advice to give and the time to give it. We may not be able to follow your advice specifically. We might disagree with you, or your advice might not be something that fits into our narrow mandate, but we will do our absolute best to ensure that we at least consider it carefully.

If you think you have special insights on how best to protect the healthcare system from cybersecurity threats, please let us know, ASAP. We are already feeling the deadline for our report to Congress looming. We will be listening to any responses that you make on this blog post, we will be hosting a discussion on Reddit soon, and we will be listening to tweets tagged with the hashtag of #healthcybersecurity.

Thank You,

Fred Trotter

Member of the Healthcare CyberSecurity Task Force


12 replies

  1. Perfectly shared the consequences of cyberattacks in the healthcare industry. The possibility of distressing patients is the worst thing. Being aware of cybersecurity is a mandatory factor in this era, not only for IT professionals in healthcare organizations but also for the whole staff.
    If you wish to get more data about cybersecurity, be a part of cybersecurity healthcare community, https://www.opsfolio.com/

  2. Any system that makes the data more secure, also makes it more difficult to access and less useful. Those of us who work in real time will lose access to important info. When I have 5 minutes to get a patient into the OR, I am not going to be able to find out about that aortic stenosis I wish I knew about. Making the data centered around the patient sounds like a great way to be more secure, but you can guarantee that patients will forget their card, PIN number or whatever you plan on using to access that data.

    Long term, we need to find ways to make the information gained from health records less valuable. I suspect that having health care truly universal would help, but not eliminate that value. I also suspect that this will be one more factor forcing us all into larger organizations which can afford to prioritize and pay for security measures.

    For DoS attacks, size matters. Maybe a subsidized distribution network?

    Short term? No one uses Microsoft or Adobe products? Sorry, couldn’t resist.

  3. I hope your view comes to be. I like it. The patient centered idea, however, means that ASHBUP–all stakeholders but the patient–will hate it. Can it succeed if this is true?

  4. We will increasingly associate personal data with the person rather than some institution. The design will be such that breach of one person’s record will not mean breach of another’s any more than one housebreak implies another. People will take responsibility for their own information as individuals and that includes doctors as licensed practitioner individuals.

    The current EHR model is unsustainable for all of the reasons we see around the world. It’s not just about interoperability as you can see in the scaling and privacy problems of highly centralized systems like the UK NHS. The EHR will split into an institutional practice management system with minimal personal data and as many patient-centered health records as there are patients.

    The contents and security of people-centered data stores will be as diverse as the contents and security of our homes are today. Diversity, instead of the monoculture of the EHR, is where this is all headed.

  5. Don’t you think, Adrian, that the patients–pretty soon after enough horror stories come out–are going to demand certain data be excluded from the hospital’s and doctor’s EHR? We all are going to realize that security is on an asymptotic curve with dollars on the x axis and security never being attained on the y going to infinity. What can be an alternative? Could we use a system not based upon TCP/IP? Could we use anything digital as a replacement? Could that block-chain database idea be helpful?

    There are data in there that can cost a marriage. Or a job. Or an elected position. And there are data that can cost fortunes in blackmail activities and in lost business revenues.

    There is no way we can go back to paper unless we want thousands of people to be utterly shamed and embarrassed and to be the laughing stock of the century every night on TV.

    So, don’t we need a clever substitute–could we mix in an analog box with the digital?–for the EHR that can work?…for the small quantities of ultra secret data that no one will put in a computer?

  6. (a) http://thedatamap.org/ – a project led by Harvard’s Prof Sweeney, co-sponsored by PPR that just got a nice grant from the Knight Foundation, is mostly about how hard it is to track where data goes in healthcare. I’m not a security geek, but I’ve been told the first step to securing information is to know where it is. Not only don’t the patients know where the information is, but thedatamap and pervasive health industry practices to avoid transparency suggest that industry has little accountability either.

    (b) Rampant re-identification of longitudinal profiles by data brokers IMS Health, Optum, and many others – Data leaves HIPAA-covered entities without consent or accountability under pretense of de-identification. Once it’s in the hands of aggregators, proprietary and mostly secret methods are used to re-identify the data in order to assemble longitudinal profiles that are much more valuable than the isolated events. The data is then sold without any accountability to the patients themselves, or to anyone else I’m aware of (does FTC know?), and sometimes it’s sold to criminals. Moreover, if the data brokers we know of can re-identify data, it means that other data brokers who are just plain criminals can do it as well, maybe better.

    (c) IDESG – The Identity Ecosystem Steering Group – is a public/private partnership seeded by the US Department of Commerce in order to improve cybersecurity (I served on the Board and Management Council for about two years). The idea behind IDESG, the NSTIC Principles (https://en.wikipedia.org/wiki/National_Strategy_for_Trusted_Identities_in_Cyberspace), is admirable, and IDESG puts privacy above other stakeholders. The tension between security and privacy when privacy threatens commercial interests is clear. Specifically, IDESG is struggling to execute the planned transition from public funding through the Department of Commerce to funding from private commercial interests. So far, it looks like the only way to avoid a privacy vs. security compromise is to continue funding IDESG as a public service, like we do the EPA or CFPB.

    (d) Direct Secure Messaging and DirectTrust – Those of us who helped to create Direct (weren’t you involved, Fred?) based the protocols and practices on secure and established Federal Bridge Certificate Authority certificates – the same ones used to allow individuals access to Federal facilities. When our work was to be put into the Meaningful Use regulations, the anti-privacy interests came out (without public process, AFAIK) and HHS removed the FBCA option in order to shift control to the hospital and vendor level. The result was an unregulated, rent-seeking intermediary called DirectTrust that has enhanced data blocking and balkanized systems. Even worse, DirectTrust was recently elevated to control over the next generation of health cybersecurity systems under the CMS “Privacy on FHIR” initiative. “Privacy” in this CMS scheme, as with Direct before it, is clearly a loser, and security will be as well. It’s an example of Medicare bureaucrats covering themselves by privatizing a responsibility they should accept for themselves the way Google and Apple do. As we have seen with the private prisons fad, not all security functions lend themselves to privatization if our security goal includes saving money and respecting human dignity as well.

  7. Hey Fred,
    Did we have cybercrime in medicine prior to EHR? No. To steal medical records required a truck and a Xerox machine. HITECH mandated EHRs and the free flowing of information everywhere, all at once, all with providers with little to no sense of vulnerabilities. Now, I’m not against interop per se, but the mandates were premature and not well thought out. You can assess your HIPAA risk all you want, but if you are unlucky enough to be a target, we are sitting ducks. I am against the EHR certification and the mandates; they are way far behind, and expect way too much too fast. I think providers should only do what they are comfortable with in terms of access and movement of information. The speed of the mandates put every patient at risk with misinformation and breaches. It would NOT take a sophisticated attacker much time to post erroneous information via the mechanisms laid out for interop and then propagate it out to every EHR in the world. We are mandated to do TOC, SOC and eRx etc., and other than eRx, I’m not sure of the risk/benefit of the TOC and SOCs. This sharing of information requires open ports, many times passwords (man-in-the-middle attacks) sent in clear, even non-encrypted traffic. In medicine, we have NO idea how sophisticated these attacks are; even on patched systems, the vulnerabilities run wild. We still have admins at our hospital sending out MS Word documents for agendas for meetings. It just takes one Cryptolocker macro virus to cripple us. Even with this knowledge, there are no changes to the Word docs all flying around.
    So it’s pretty easy to do the numbers. Prior to 2009, no mandates for interop or EHR. After there were, the cybercrime went up a thousandfold. The criminals know we are weak on security and attack because they know we are mandated to have certain activities and then open ports/access. Kinda obvious.

  8. Thanks meltoots. Obviously the interplay of interoperability and cybersecurity is of great interest to us. You indicate that interoperability driven cyber events are “why we are seeing breach after breach”. Do you have any hard numbers on that? We are keen to get a handle on how much poorly thought out interoperability efforts might be negatively impacting cyber with more specificity.

  9. Adrian, thanks for highlighting some of the connections between cybersecurity and privacy. Could you be more specific? I know you think carefully about these issues.

  10. What can the healthcare industry learn from other industries about cybersecurity?

    Most industries that handle valuable personal information are transparent about it. I get notified when my data is accessed, I get a monthly statement of disclosures. Transparency helps uncover attacks. Why is OCR not enforcing the right to a HIPAA Accounting for Disclosures for all data exports including Treatment, Payment, and Operations?

    What are the special challenges that we face with cybersecurity in healthcare?

    Diversity of users is the special challenge. Integrated delivery networks and mega-EHRs routinely assemble dossiers on 5 million people or more. Unlike law enforcement or banking, where users are relatively narrow in terms of role, these massive healthcare databases are accessible to a range of institutions as broad as government, small clinics, giant hospital staffs and loosely affiliated providers. Because of this diversity in healthcare, individual user accountability is much harder to enforce.

    What are the difficulties protecting electronic health record (EHR) systems and networked electronic medical devices?

    Trying to secure 5 million people’s health data through a firewall or other perimeter defense in the face of diverse users makes as much sense as putting castle walls around a city of 5 million. We need to shift to security based on the individual patient and the individual user and avoid aggregating from disparate systems by design. Medical devices are particularly ill-suited to protection by linkage to EHRs. They are personal and need to stay patient-centered with information transferred out as needed and not stored or aggregated into EHRs. Breach of an EHR should never threaten the medical devices, home monitors, or mobile apps of any individual patient.

    What cybersecurity study materials should the healthcare industry be exposed to?

    Apple and Google have been shown to be competent in protecting personal data at scale. The healthcare industry needs to adopt Apple’s policies and practices for personal devices and personally controlled health records and Google’s practices for securing standard OAuth interfaces to personal data in EHRs. In combination, these two approaches are a tremendous advance from where the health industry is today.

    How should an organization designed to coordinate the sharing of cybersecurity threats between healthcare industry players and the US Federal Government operate?

    With total transparency and open source software.

  11. Agree with meltoots. The message to congress should be slow down until we can be certain data breaches are less common. In the meantime, I suggest you work with as many smart IT people as you can find. There are many brilliant ones who comment on this site.

  12. First, Certified EHR mandates patient portals, view/download/transmit, and every spoken word out of ONC and CMS is about interoperability of EHR data/APIs etc. In my opinion, ONC/CMS has pushed WAY too far and fast, and left the providers to bear the brunt of cybercrime all the while demanding easy flow of information. This is why we are seeing breach after breach after breach. Although interoperability “sounds great”, it has many current limitations and problems, and notably a big one is security. They are asking us to send TONS of confidential information around with limited resources, limited knowledge of cyber security, and demanding we do not lose a single byte. This is VERY difficult without paying for VERY skilled security experts, and no one wants to pay for that. We have to reconcile the need to send information back and forth to each other as medical providers all the while not getting breached by elusive, smart cybercriminals.

    What would I recommend? Tell ONC and CMS: until you PAY each and every physician to employ a high-level security expert, do NOT mandate interoperability of medical records, patient portals, patient-derived data passing into medical records, nor APIs. Most medical practices are VERY susceptible to cybercrime, and we are so busy trying to care for patients and keeping up with every other data entry point mandated on our backs that you will continue to get breaches at an alarming rate. We don’t even have a unique ID for every patient in the US that we can use to be sure of matching patient records between institutions. There are too many holes and problems out there.
    There are now more than a zillion reasons MU/MACRA, all this EHR counting, attesting, clicking, sharing etc. needs to be paused. Security is near the top. You are going to face REAL headwinds if you even MENTION that you think a pause or dialing back is in order. They would much rather let millions of records be breached every week than admit they were wrong about HITECH, EHRs, and pushing so fast and hard.