Fine print: The views and opinions expressed in this article are mine personally and are not necessarily representative of current or former employers.
Security Might Be the One Thing
I often get questions like, “What keeps you up at night?” or “What are your top priorities?” Invariably I cite items from our IT strategy, and almost always I remember to add security.
But I think it is time for me to admit I have it wrong. Security should be at the top of my list, not just on the list. It should have an etched place in the number one spot. If I were going to be kept up at night, there is no better topic to evoke fear than security.
Let’s face it: the healthcare industry has been terrible at managing security. Since 2009, more than 900 breaches have been reported, covering a staggering 30 million patients. Half of the data loss is a result of us losing things, which essentially translates to the realization that we are not very good at keeping our patients’ data safe when practically no one is trying to take it.
But that is changing. Statistics are a little shaky, but let’s say that roughly 3 percent of reported data loss is a result of people intentionally trying to take it. This Pandora’s box has been opened and we should expect it to stay open and become a growing threat. The incidents with Boston Children’s, Community Health, and the “playful” attack on Healthcare.gov are all windows into our future.
Bad people will try to get data from an industry that has minimally demonstrated its ability to hold onto it. If there ever was a time to get our ducks in a row, it is now.
We have moved from the ‘70s, ‘80s, and ‘90s — when healthcare’s IT data was made up of registration, scheduling, lab, radiology, and maybe some pharmacy — to the 2000s with robust EMR data. But the stakes are rising as we duplicate the EMR data outside of our transaction systems into massive stores for mining. We are setting the data free by making it available any time, from any place, and from practically any device — hello, BYOD. The risks are greater and the stakes are high. We will need to climb the learning curve rapidly and without a net, as each breach is a CEO, board, and/or public event.
Luxury goods manufacturers long ago realized they don’t just sell products, but rather an experience. Similarly, healthcare organizations might say that they don’t just provide care, but trust. With so much talk about healthcare’s move into patient engagement, let’s start with the most basic way to engage our patients – keeping their data safe and maintaining their trust.
We all have work to do.
- Innovate. We need new products. We don’t need more companies built around missing bells or whistles for our EMRs. We need new products in an underserved category – security and privacy.
- Build your products with security baked into the DNA of the product to promote doing the right thing. Make it impossible to download an unencrypted file, or develop ways to track and remotely erase lost data.
- Accelerate your plans to host our data. We clearly need your help. But once you get our data, do a better job protecting it than us.
- Almost 20 percent of reported breaches came from issues with a business associate. Don’t be one of those — we are depending on you. You can build the scale and make the investments in security that are not always practical for individual healthcare organizations.
- If you are not in the healthcare space, come on in. We need your help.
- Partner with vendors to innovate. They need our help to understand the nuances and complexity of healthcare.
- Make security not just a priority, but the priority.
- Allocate spending like it matters.
- Differentiate between security and privacy and focus on each separately.
- Providers contributed to a greater than 130 percent increase in patient records lost in 2013. We all know we can do better. Let’s bend the curve.
- Treat patient data security with a similar focus to how we treat patient safety.
Government (yes, it has a role, too)
- Modify the breach notification rules to be more specific to the types of breaches. We have desensitized a nation to data loss warnings. I would bet that most readers or someone they know has received a letter regarding a loss or breach of their data and offering a credit monitoring service. These notifications are essentially based on the theory that we can’t prove something did not happen, so we must notify. Let’s focus our attention on when we know something has happened. This is the important place that needs our collective attention.
- Create a safe harbor for healthcare organizations to use advanced tools to proactively determine if risks or breaches have occurred. Here are a couple of examples. Tools exist to retrospectively scan whether PHI was shared from our email systems. If we run these tools to educate ourselves and learn how to do better, we expose ourselves to reporting obligations. Security experts say there are two types of organizations: ones that have had their networks penetrated and those that don’t know it yet. If we deploy advanced tools to study our networks in partnership with the best companies, we would be open to massive reporting requirements.
I recently had the pleasure of speaking to an audience hosted by NIST, OCR, and HHS. I asked the audience how many had received a text, email, or call relating to possible fraud on a credit card. Most raised their hands. I asked how many had ever received the same kind of notification related to their own electronic health data. No one had.
Like barcodes from manufacturing and real-time alerting from the financial sector, let’s adapt tools and products that work in other sectors to help healthcare become excellent.
Let’s engage our patients by building and keeping their trust!