Saturday, June 6, 2015

The Gift That Just Keeps On Giving

In my last post I wrote about some new woes for EHRs, such as malpractice risks, and I honestly didn't expect to write about them so soon.  But an article in Politico caught my eye, describing a huge problem with them that may not be top of mind for many: the risk (and cost) of being hacked.

In short, the health care industry has spent/is spending billions installing EHRs, more billions getting them to work, and is now realizing that they're going to have to keep spending billions each year to try to protect the information in them, as well as in other digital devices.

Say what you will about paper records, but it was awfully hard to steal too many of them.  The opaqueness that made them difficult to share/collaborate/analyze also made them virtually impossible to get remote access into.  Unlike EHRs.

The Politico article says that an individual medical record is worth ten times as much as a stolen credit card, that each hacked record can cost around $20 in legal costs and credit protection, and that the growing market for cyberinsurance is already a $2b industry, growing at 20-25% annually.

A May 2015 report from The Ponemon Institute lays out some other scary findings:
  • Criminal attacks are now the leading cause of health data breaches, up 125% over the last five years.
  • 65% of health organizations suffered multiple security incidents over the past 2 years.
  • Data breaches cost the industry $6b annually.
  • Employee negligence is still easily the leading source of concern.
  • Only about half of health care organizations think they have the right technologies or technical expertise to deter breaches, and slightly less than half are confident they can even detect loss or theft of patient data.
It's scary.  Jim Helms, Mayo Clinic's chief information security officer (CISO) put it bluntly to Politico: "The adversary is way ahead of us right now."  He also told The Wall Street Journal: "Medicine is 10 to 15 years behind in IT practices than other industries,"  Mr. Helms believes that health care data is harder to protect than financial information, and that "the stakes are higher."

Politico cites industry experts who recommend spending 10% of IT budgets on security, and up to 40% for newer companies, versus the industry average of 3%.  No wonder that only 37% of the organizations in the Ponemon survey felt their budget was sufficient to curtail or minimize breaches.

Breaches have become almost numbingly common in health care.  In recent months, there have been known breaches at Anthem, CareFirst, KaiserPremera, as well as a number of provider organizations, including Community Health Systems.  Just a few days ago personnel records on up to 4 million current or retired federal employees were hacked, and many believe that Chinese hackers suspected of being behind the attacks were the same hackers who attacked the big insurers.

As FBI Director James Comey told 60 Minutes earlier this year, "There are two kinds of big companies in the United States. There are those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese."

Just to be fair, it's not all about EHRs.  TrapX, a cybersecurity company, told The New York Times that Russian and Chinese hackers are infiltrating through other medical devices, such as x-ray systems or blood gas analyzers.  "This is going to get worse before it gets better, said TrapX's Carl Wright.  No wonder; "Clinical software is riddled with security vulnerabilities," claims Billy Rios of Laconicly, another security firm.

And institutional clinical software looks pretty secure compare to all those mobile apps and wearable trackers.

There are a number of strategies that health care organizations can follow to combat cyberattacks, such as de-identification and encryption of data, as well as better monitoring of hacking attempts.  For example, neither Anthem nor the U.S. government encrypted that data that was stolen.  However, in at least the Anthem case, it wouldn't have mattered, since the hackers used employee credentials that got them past the firewalls (as was true with last year's Sony breach).  Employees remain one of the biggest vulnerabilities.

Apple CEO Tim Cook has offered another perspective, that despite all of our concern about hackers stealing our information we're blithely giving it away anyway,   He implicitly criticized competitors like Facebook and Google who offer "free services" that he believes are pretexts for their gobbling up our personal information so that they can better target market us.   

As a boss of mine liked to always say, there's so such thing as a free lunch.

In a recent op-ed. Professor Zeynep Tufecki of UNC called on Mark Zuckerberg (and, by extension, other "free" services) to let her pay for her Facebook in return for less tracking and more privacy.  I wonder on how many people would actually opt for such an approach.

Indeed, a new study by the Annenberg School of Communications found that the public is well aware that their online data is being used to market to them, but 91% don't think the trade-offs are "fair."  Annenberg thinks the public is just resigned to the practice, feeling powerless to do anything about it.  Two recent polls by the Pew Research Center confirm that over 90% of Americans think it is important to control who collects what information about them, but are skeptical that their information -- especially online information -- will remain private and secure.

Look, we're not going back to a pre-digital world.  And in the digital world, there will be people who want to get access to our information, either legally or illegally.  Health organizations like to think they are in the patient business, but in the 21st century that means they are in the data business, which puts them squarely in the privacy business.  That means they need to invest sufficiently in IT resources and security.  

Health care now requires patient care, data analytics, and data custodianship, but there's no reason why any single organization needs to perform each of those itself.  Being a health care data custodian for health organizations might become a very hot business (as I've suggested before).  

Privacy doesn't mean what it used to mean, with more people increasingly opting for convenience over traditional notions of it, and with more ways to subvert it.  We're going to have to figure out what is most important to us and how best to protect it. 

1 comment:

  1. Excellent article. The needs for health data custodiants are obvius. But no single organization can currently provide the expertize and trust.