In the past several years, billions of dollars have been invested in health IT and digital health, including dollars spent by healthcare organizations investing in electronic health record (EHR) systems, taxpayer dollars from government incentives and private investments by venture capital firms into digital health technologies. And all of this investment in health IT and digital health comes down to one thing—healthcare data.
As most healthcare organizations and providers are now adopting EHRs and other health IT tools, the main goal is to digitize health data, taking it from the traditional pen and paper to electronic files, to bring healthcare into the digital world. And by digitizing health data, healthcare organizations can then more efficiently collect it, store it, share it across organizations and analyze it to drive more efficiency and better outcomes.
However, according to seed fund and startup accelerator Rock Health in its digital health funding report for 2015, the top six digital health categories, accounting for 50 percent of all funding, did not include data security or cybersecurity. The top six categories were healthcare consumer engagement, wearables and biosensing, personal health tools and tracking, payer administration, telemedicine and care coordination, Rock Health reported.
These issues came up during a recent round-table discussion and press event I attended that was focused on cybersecurity and healthcare. During the discussion, executive leaders at healthcare delivery organizations and in the digital health space discussed the cyber threats facing the healthcare industry, and the need for digital health companies and healthcare organizations to step up their focus and investment in data security. The round-table discussion took place in San Francisco and was sponsored by Merck Global Health Innovation, Merck’s venture capital group, Aventura, a situational awareness technology vendor and ClearData, a cloud computing vendor, with the aim of giving a market perspective about cybersecurity in the healthcare space.
Joel Krikston, managing director of Merck GHI, provided what I found to be very insightful food for thought about the ongoing digitization of healthcare, and the very real risks and potential business impacts of cyber threats and data breaches.
According to Krikston, in the past two and a half years, VC firms have invested $15 billion in digital health. “I’ve been in digital health panels with Verizon, Samsung, Honeywell, Lockheed Martin, so the list of people who are in healthcare all the sudden has grown dramatically. And what’s happened is there is an excitement and palpable belief, as least on behalf of private markets, that the time has finally come for the convergence of mobile technologies, digitization of healthcare and activated consumers. And, these macro trends have formed this perfect storm that there is a future state of healthcare that everyone is playing for and the foundational asset is data,” he said.
“So data has existed in healthcare, that’s not new, it has existed on paper, in file cabinets, where it has not been accessible or shareable,” Krikston noted. “The big dream going forward, whether its population health or patient engagement, or buzzwords like care coordination, is that we’re going to be able to take that data and share it with each other, running analytics on it and we’re going to make it appear in real-time at physicians’ and nurses’ workstations and the point of care. We’re going to get patients to self-report data that they’ve never self-reported before, and we’re going to be able to glean all of these insights into what is happening in healthcare delivery. We’re going to get clinicians to follow evidence-based protocol, get patients to take their drugs, and all because we have the data to inform decisions.”
However, Krikston asserted that the market has significantly underinvested in security as well as in workflow solutions to enable security technology to integrate with providers’ workflow.
“My fear is that we’ve just seen the tip of the iceberg when it comes to healthcare security breaches,” he said, also noting that even bigger healthcare security breaches could cause “a ripple effect throughout the healthcare market.”
“All of the [Centers for Medicare & Medicaid Services} initiatives, government reform, MACRA, and the other buzzwords to drive quality improvement, all of that could stop in its tracks, until CIOs and CEOs of hospital systems figure out what healthcare data security actually is,” he said.
And speaking from a venture capital perspective, Krikston says his organization is more closely scrutinizing digital health startups’ efforts with regard to security, compliance and controls. “I think due diligence for most investors on HIPAA issues is that they will ask companies, ‘Are you HIPAA compliant?’ and if the company says yes, then they move on the next thing on the diligence check list. We’re not doing that anymore.”
And, with $15 billion going into the digital health market in the past two and a half years, Krikston referred to healthcare data security as the “elephant in the room that nobody is talking about.” “So that’s why we’re getting together here to share ideas and talk about it,” he said, referring to the round-table discussion, which included people on the “front lines” of healthcare security, such as health IT executives at large health systems and a CIO of a small Kansas-based health system.
John Gobron, CEO of Aventura, agreed during the discussion that the healthcare industry is coming to the game late with regard to data security.
“It’s important to look at where we’ve come. It’s not just $15 billion of private investment, but also $20 billion of public investment, and all mostly into one thing, the electronic medical record (EMR) itself. We’re digitizing data which used to live in a chart and now it lives in the EMR. Here we are in 2016 with massive growth in EMR use, but almost no investment in the security of the data,” Gobron said.
In fact, Krikston estimated that the healthcare industry spends about 12 to 13 percent of IT dollars on security, where most other verticals spend north of 20 percent of their IT budgets on data security. The problem, he said, is that security became a compliance requirement issue in the healthcare industry as opposed to an investment in “best-in-class practices.”
And, it was pointed out during the discussions that, somewhat ironically, the digitizing of healthcare records has actually made healthcare data more valuable to cybercriminals. Gobron noted that the data security threat has evolved from the problem of losing laptops—and, often, software encryption can solve that problem by encrypting the data—to advanced persistent threats, such as malware.
“Five years ago, the data wasn’t that valuable, as it didn’t live in one place. You had a billing system, you had sub-specialty systems, and hackers weren’t attracted to it. Through Meaningful Use, the data is there, it’s real and every single hospital has it. There was so much effort and thought and investment into EHRs and EMRs, but the security has lagged behind,” he said.
According to many security experts, ransomware is one of the oldest forms of malware. “It’s almost like smallpox, its back,” Gobron said. “There is software to prevent it and there are ways, but it takes some investments and preparation. The speed in which the industry has implemented EMRs at the expense of other things, there might not be much money left for these kinds of security investments in proportion to the other investments. Rather than look at how ransomware works, it’s interesting to look at the why it works, which is that the data now lives in one place, so its super valuable.”
When asked about what the federal government’s role should be in helping healthcare organization’s combat cybersecurity threats, Gobron voiced frustration about the lack of focus on data security in the Meaningful Use measures.
“Meaningful Use Stage 1 had 50 measures, one of which was security and it was a risk assessment, so that’s what we got, we had a very small percentage of investment that went into it. And, unfortunately, all you need is one crack. I think the industry is starting to realize this,” he said.
For me, one of the more interesting insights shared during the discussions was the impact of healthcare data security breaches not only to individual organizations, but to the health IT world at large, and even, more significantly, to the overall healthcare industry as providers increasingly adopt technology in the ongoing evolution from a fee-for-service model to a value-based care model.
Krikston noted, “Beyond the impact to an individual, step back and remember that 70 percent of reimbursement will supposedly will be tied to some sort of quality measure soon, and that’s completely dependent on data. With Medicare creating last year a complex chronic care management program, a $17 billion market for physicians to interact with complex Medicare patients, at least 20 minutes a month, which is designed to proactively suck waste and cost out to the system, and that is completely dependent on data.”
He continued, “I think the big risk to me is if all these initiatives aimed at saving the American medical industry, which is unsustainable in its current state, is dependent on data, and that trust goes away, and adoption goes away, that’s a trillion-dollar impact on government initiatives and budget initiatives.”
Speaking from an investor perspective, Krikston said the fear for an investor forecasting the digital health market is “if something happens broadly in this market or in healthcare data security and you either lose patients, clinicians, hospitals or nurses as adopters of these tools, then I think all bets are off. And, we think about it a lot, much more than we used to it.”
For me, this was a startling idea, that if CIOs and health IT leaders and clinicians, and even consumers, cannot trust that health IT tools will keep data secure, that adoption could start to fall off. And, what would be the potential impact of that on the ongoing digitization of healthcare? What would that mean for ongoing health system-driven initiatives using digital health tools, such as patient engagement, remote monitoring and telehealth?
While these discussions may paint a dire picture, it raises many issues worth considering, and not just for health IT leaders at provider organizations, but also vendors and government leaders as well. It also serves as a reminder that data breaches or ransomware attacks are not “one-off” situations that only impact that particular organization, but is part of an evolving industry-wide threat. And, the issues raised also highlight how critical it is for hospitals and health systems to share best practices around data security to try to close that gap.
