Healthcare is not without its issues. Seemingly, for each source asked what the biggest problem the sector faces, there is a differing opinion on what’s most important. I’m often perplexed by the lack of cohesiveness shown toward the industry’s leading issues, too, and sometimes wonder how many of us could name the most pressing threats to the industry, as agreed upon by the community. There are clear problems – interoperability, lack of transparency, disparate systems working against each other — to name a few. So, in the following series, I’ve asked some insiders for their opinions on health IT’s greatest problems, and as you’ll see, they responses received vary greatly.
Scott Friedman, executive vice president, Sherpa Software
Healthcare IT struggles mightily with patient information that is not in the medical record system, but has leaked into other locations in the healthcare organization (cell phone emails, USB drives, employee desks, etc.). Healthcare organizations have moved Protected Health Information (PHI) into HIPAA compliant electronic health records (EHRs) systems, patients maintain electronic copies of their health information, which they give to their different providers as they move between appointments. This “patient distributed information” becomes PHI, with all its associated compliance and legal burdens for the health care organization.
There is liability associated with this, and information governance strategies available that reduce the associated risks. Patient distributed information is present on smartphones, tablets, laptops, and the like are not sanctioned EHR (such as email, file directories, etc.). These devices are not part of the organization’s HIPAA compliant system, and never can be. Most healthcare providers ignore the problem, which eventually leads to catastrophic security failures resulting in patient privacy breaches, and career damaging incidents for the healthcare IT department.
To eliminate the problem, IT needs to look to integrate an information governance framework that can:
- Interview employees to understand how they deal with and understand this issue.
- Audit, usually done with software systems, to provide objective evidence and quantification of the presence of PHI on your digital systems.
- Set specific policies and procedures employees can follow in each and every situation when they come into contact with “patient distributed information.”
- Provide raining and review of policies and procedures work.
- Automate the policies and procedures with software systems to ensure compliance.
- Surveil your digital systems is the best way to monitor and review your program, as well as seek to improve it.
Acknowledge the increasing presence of patient distributed information on your digital systems, and have a plan for how to address it. Look to information governance to establish a strategy and program to address patient distributed information. With the proper policies, procedures, training, and systems in place your organization will be able to effectively handle and mitigate the risks.
Steve Schick, senior director, education, LightCyber
One of the most pressing issues facing healthcare organizations today is the threat of a targeted data breach. While data breaches are a top concern for most companies and organizations, it is even more acute for healthcare. Healthcare data is some of the most valuable in the dark web, commanding a substantial premium over credit card details. Over the past year, there have been at least 95.5 million healthcare records in the U.S. stolen through big data breaches, representing nearly 30 percent of the U.S. population.
While nearly every healthcare organization is a target, there are very few that can properly defend against a targeted data breach. Most have an excellent level of preventative security, but no amount of prevention will keep a motivated cybercriminal out of a network. Both Gartner and the FBI agree that it is no longer possible to have 100 percent effective preventive security. Even the president of RSA, Amit Yoran, concluded world’s largest security conference with the cutting observation, “Our industry has adopted a defensive mindset that mimics the dark ages … beyond this irrational obsession with perimeters, the security profession follows an equally absurd path to detecting these advanced threats.”
The shocking news is that very few companies have the means to find a post-intrusion active data breach. The traditional preventative and malware-focused approaches do not work. The industry “standard” of six months to discover a data breach is evidence enough. Only with great luck will organizations be able to find active attackers if they are still chasing signatures of known malicious software and other statically defined technical artifacts. Larger organizations find themselves drowning in security alerts, most of them false-positives.
The best way to find an active data breach quickly and accurately is to look for the operational activities they have to use once they land in a network. In particular, reconnaissance and lateral movement are two kinds of behaviors that must be done and can be spotted if you know how to look for them. The new breed of active breach detection technologies seems to be a promising new way of finding these attackers. Unfortunately most healthcare organizations don’t yet know about these.
This year, healthcare IT must seriously look beyond just prevention to strategies and tools that will stop data breaches after an attacker has already made it into the network. Traditional approaches have proven to be immense failures for this problem. It’s time to consider a new approach to safeguard the systems and data these IT organizations are chartered to protect.
Amir Naftali, co-founder and chief technology officer, FortyCloud
Healthcare IT operations are very frequently computation and memory intensive. Operations like processing electronic personal health records, ?genetic data analysis and other healthcare related Big Data processing are all heavy CPU and memory consumers?.?
Therefore, IT are always on the lookout for a more powerful yet cost-effective solution. Today, cloud-based infrastructure services (IaaS) offer almost infinite virtual computation resources in an attractive and agile pay-per-use model.
These resources can be allocated almost anywhere around the globe.
Moving healthcare IT operations to infrastructure clouds seems, therefore, a like very natural step. An almost a perfect fit exists between the computation and business needs of Healthcare IT, and the compelling business model of IaaS.
However, the only caveat with this alliance is security. Healthcare IT operations deal with highly sensitive patient data, while public cloud infrastructure environments have security challenges that are inherent to the model itself. Furthermore, health-related security regulations, like HIPAA, make it impossible to adopt any leading public IaaS offering “as is” for healthcare IT operations. Therefore, to ensure that its data is secured in the cloud or hybrid environments, a CISO must supplement its cloud operations with an ISV solution that is not part of the initial cloud offering.?
Jonathan Kaplan MD, MPH, board certified plastic surgeon, Pacific Heights Plastic Surgery
Price transparency — patients want it, but doctors/facilities don’t want to provide it because the doctor/facility has no incentive. The pricing info that consumers do get is mostly just US averages. It’s almost impossible to get pricing for a specific service from a specific provider.
[Electronic Health Reporter]