When speaking with our health IT clients, I’m hearing a distinct shift when it comes to cybersecurity. They no longer view it as an IT cost; they understand how it can facilitate growth, create competitive advantage and build trust in their products and brand.
Their executive management is on board with this thinking, too. They don’t want to hear about fear, uncertainty and doubt when it comes to data breaches, hacks and cyber threats, but rather how cybersecurity can help ‘protect the house and the product’ while at the same time enabling the business, customers and partners.
As more products and services in the healthcare continuum are connected, the need to proactively address cybersecurity increases. And as more consumer and business information is generated and shared, data privacy becomes a critical business requirement. This explains why we’re seeing forward-thinking health IT organizations moving to a new model of cybersecurity – one that’s adaptive to evolving risks and threats plus aligns with overall business objectives, such as increased revenue.
The one unifying thing we see with most health IT clients is the cloud. They need to design, build, assess, test and validate architectures and products on the cloud to confidently go to market with secure solutions. They’re finding that as they address cybersecurity in the design and development of products and services, they experience new ways to innovate and move faster. These cloud-integrated solutions can also enhance data privacy and boost customer trust and brand reputation. These are crucial safeguards as consumers are more concerned than ever about how their data is collected and shared.
Organizations aren’t waiting to hear that security program elements demonstrating customer data protection are a requirement for closing a deal; they’re getting proactive by using cybersecurity as a sales strategy.
As if healthcare executives needed more to worry about, the recent hacker attack on Sony Pictures should send yet another reminder that data security can’t be ignored. On an international stage, Sony management learned the hard way that their e-mails, text messages, and private conversations were vulnerable to attack. Hackers accessed everything from the company’s sensitive financial information to its confidential employee communications. In the immediate aftermath of the attack, Sony is facing government inquiries, class action lawsuits from employees and business partners, and a significantly tarnished reputation.
Many executives in our industry might think that healthcare facilities are better prepared to withstand hacker attacks, with numerous government agencies regulating how we store and transmit protected health information (PHI) and personally identifiable information (PII). In reality, a significant number of healthcare facilities have already suffered damaging hacker attacks over the last few years, and expectations are that hacker attacks will remain a threat for the foreseeable future. The question healthcare executives must ask is: “What are we going to do about it?”
Over a year ago, the Federal Trade Commission held an Internet of Things workshop, and it has finally issued a report summarizing comments and recommendations that came out of that conclave.
As in the case of the HITECH Act’s attempt to increase public confidence in electronic health records by ramping up privacy and security protections for health data, the IoT report — and an accompanying publication with recommendations to industry regarding taking a risk-based approach to development, adhering to industry best practices (encryption, authentication, etc.) — seeks to increase the public’s confidence, but is doing it the FTC way: no actual rules, just guidance that can be used later by the FTC in enforcement cases. The FTC can take action against an entity that engages in unfair or deceptive business practices, but such practices are defined by case law (administrative and judicial), not regulations, thus creating the U.S. Supreme Court and pornography conundrum — I can’t define it, but I know it when I see it (see Justice Stewart’s timeless concurring opinion in Jacobellis v. Ohio).
To anyone actively involved in data privacy and security, the recommendations seem frighteningly basic:
– build security into devices at the outset, rather than as an afterthought in the design process;
– train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
– ensure that when outside service providers are hired, those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
– when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
– consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
– monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks;
– consider data minimization – that is, limiting the collection of consumer data, and retaining that information only for a set period of time, not indefinitely;
– notify consumers and give them choices about how their information will be used, particularly when the data collection is beyond consumers’ reasonable expectations.
A time- and technology-challenged FDA, the proliferation of software-controlled medical devices in and outside of hospitals, and the growth of hackers have resulted in medical technology that’s riddled with malware. Furthermore, the lack of security built into the devices makes them ripe for hacking and malfeasance.
Scenario: a famous figure (say, a politician with an implantable defibrillator or a young rock star with an insulin pump) becomes targeted by a hacker, who works his way into the ICD’s software and delivers a shock so strong it’s akin to electrocution.
Got the picture?
Welcome to the dark side of health IT and connected health. Without strong and consistently adopted security technology and policies, this scenario isn’t a wild card: it’s in the realm of possibility. This is not new news: back in 2008, a research team figured out how to program a common pacemaker-defibrillator to transmit a “deadly 830-volt jolt,” according to Barnaby Jack, a security expert.
Although healthcare providers are making progress in adopting health IT, Americans seem to be resistant to change to Electronic Health Records (EHRs). In fact, only 26 percent of Americans want their medical records to be digital, according to findings from the third annual EHR online survey of 2,147 U.S. adults, conducted for Xerox by Harris Interactive in May 2012.
Last month the Institute of Medicine issued a seminal report entitled “Best Care at Lower Cost: The Path to Continuously Learning Health in America.” The report estimates the American healthcare system suffered a $750 billion loss in 2009 from inefficient services and administrative expenditures. The report is grounded on the principle that effective, real-time insights for providers and patients which result in collaborative and efficient care depend on the adoption and use of digital records.
As people are naturally resistant to change, education will be key in gaining support among Americans for the transition to EHRs. If providers can help patients understand “what’s in it for me,” that will likely go a long way in making Americans feel more comfortable with the switch to digital.
Let’s take a look at five ways EHRs directly impact the patient. For these examples, we’ll use a fictitious patient named “Joe”:
Health Information Exchanges (HIE): HIEs work on the principle of a network – they grow stronger as more participants join. If Joe’s primary care doctor switches to digital, that’s a great step in the right direction. However, it isn’t truly meaningful until his primary care doctor joins an HIE and begins sharing Joe’s patient health history, medication history, lab results, family and social history and vital statistics with his specialists, emergency care providers, and so on. This sharing of information helps ensure that Joe gets the best quality of care, because all of his providers will be in sync and have the most up-to-date information. It also helps reduce the amount of duplicate exams and labs Joe will be asked to give.
Today, my team presented a list of risks to the Compliance, Audit and Risk Committee at BIDMC. Here’s my list of top risks for 2012:
1. Old Internet browsers – many vended clinical applications require specific versions of older browsers such as Internet Explorer 6, which are known to have security flaws. We’ve worked diligently to eliminate, upgrade or replace applications with browser specificity. At this point, 96% of our devices run Internet Explorer 8, Firefox 7 or Safari 5, minimizing our risks to the extent possible.
2. Local Administrative rights – of our 18,000 devices on the network, a few thousand require the user to have local administrative rights to run niche applications (often the research community doing cutting-edge research with open source or self-developed software). We have done everything possible to eliminate local administrative rights on our managed devices.
3. Outbound transmissions – Security has historically focused on blocking evil actors from the internet. Given the current challenges of malware and infections brought in from the outside, it’s equally critical to block unexpected outbound activity.
4. Public facing websites – any machine that touches the internet has the potential to be targeted for attack. We’ve implemented proxy servers/web application firewalls on most public websites.
5. Identity and Access management – Managing the ever changing roles and rights of individuals in a large complex organization with many partners/affiliates is challenging. If an affiliate asks for access to an application, how do you automatically deactivate accounts when users leave an affiliate, given the lack of direct employment relationships?
Not through a musical hook or melody that you can’t shake. Or a well timed smile by someone your soul connects with. Or a box of chocolates. Or a poem. People have been penetrating the human heart with those Luddite-ish tools since the beginning of civilization.
I was thinking more about that electronic device your doctor might have implanted into your chest to keep your heart beating. Or the little box stuck in your gut to help you and your pancreas regulate your diabetes. Or the mini-computer surgically inserted to keep your neurological systems on track.
Hacking the medical miracles put inside people to let them live longer with more normal lives.
While to my limited knowledge nobody has reported a single case and the likelihood is extremely low, it is a real enough concern that the New England Journal of Medicine published a paper about the need to improve security last year.
Back in 2005, Hurricane Katrina smashed into the Gulf Coast community of Waveland, Mississippi. Among the many losses were the community’s medical files. The storm instantly wiped out more than 10,000 of Waveland Medical Center’s patient medical records.
“For the past year, we have had to rely on our memories and notecards to keep track of patient care while treating patients outside or in a tent, battling against power outages, and working without heat in the cold and without air conditioning in the summer,” said Roberta Chilimiagras, M.D., WMC’s owner, in the days after the storm.
Patients fleeing the Gulf Coast area often sought treatment elsewhere. In Houston, Melinda Amedee presented at the MD Anderson Cancer Center, saying that she had been scheduled to have a tumor removed from her kidney at a New Orleans hospital. As Time magazine reported, her case posed a serious challenge to the doctors in Houston, who had no medical records and no way of contacting her Louisiana kidney specialist.
This example – extreme as it is – highlights a critical, and often overlooked, component of the privacy and security of patient information. Health information security can be thought of as a three-legged stool: Confidentiality, Integrity, and Availability. It’s widely accepted that health information must be kept confidential. But what good is all that information if doctors and their patients can’t get to it at the critical moments? I’d argue that on a day-to-day basis, patient access to, and input on, what is in their health records is an aspect of privacy and security that deserves greater attention.
Insurance exists to cover a wide range of potential business risks. Cyber insurance is worth considering as companies increase their presence, business practices and data storage online. In fact, cyber insurance is not just for companies conducting transactions online (e.g., online retailers).
It is valuable to any company that has critical systems or sensitive data, which is almost every business. While it is possible to have insurance that covers damage to your servers and other computer equipment, it is almost certain the insurance only covers the physical damage to the hardware itself, and not the valuable data housed within. In fact, insurance policies regularly state that the policy is limited to the replacement cost of the hardware and not the data. This means that in the event a hacker gains access to your systems and disrupts operations, standard insurance coverage will probably offer little or no protection unless hardware is actually damaged.
The costs associated with restoring lost or damaged data, sending breach notifications to consumers, and other potential liability under each state’s breach notification statutes can be astronomical. Cyber insurance can help cover some of the costs of a data breach, including the expense of sending notification to affected individuals, public relations, fines, penalties, responding to regulators and any subsequent litigation by affected individuals. The potential for attacks and breaches is growing exponentially as more and more businesses move operations to the cloud. Moreover, attacks do not necessarily come from an outsider. Data breaches have resulted from careless, frustrated and vengeful employees who often attempt to profit from someone else’s information. Depending on the policy, cyber insurance can offer protection from hackers, viruses, data breaches, denial of service attacks, and copyright, trademark, and website content infringement.