Cybercrime is a massive social and political issue, with new breaches discovered or reported almost daily. The financial and reputational costs are also massive—to the government, healthcare organizations, and patients. To tackle this problem, the vast cadre of talent in the government and within healthcare organizations should take a new approach to solving the cybersecurity problem: curtail the current “audits and penalties” approach and work together to fix the root of the problem by building an infrastructure that can truly protect this sensitive data.
Currently, our regulatory processes penalize healthcare organizations under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Health Insurance Portability and Accountability Act (HIPAA) for breaches, whether electronic or otherwise. As data becomes increasingly interoperable—as it should and needs to be—we shouldn’t wager over security responsibilities. Sharing data also means acknowledging and sharing the risks inherent in protecting that data while maintaining a unified front against threats.
Both the private and public sector are having data security challenges. There have been highly visible private attacks, like Community Health Services, Advocate Medical Group, and more recently with health insurer Anthem Blue Cross and Blue Shield. The government seems to be equally vulnerable as we’ve recently seen with the Department of Defense hack and Healthcare.gov test server breaches. (Access to healthcare information by third-party tech firms still remains a concern for the site.) Federal agencies don’t face the extreme financial penalties levied against healthcare organizations; however, they do incur reputational risk, and more importantly—whether a government or private breach—individuals are harmed by the loss of their privacy emotionally and in some cases financially.
Cybersecurity has additional costs. In our current model of “audit and penalize,” costs and personnel time associated with a protracted investigation can paralyze an organization’s security infrastructure by requiring voluminous data, policy, and procedure requests that detract resources from their normal monitoring, detecting, and mitigating responsibilities. Many times, both time and money, which could be used to better protect data, is wasted on inessential efforts.
Healthcare is and should be held to a very high standard for information systems and data security. However, the challenge of data security has become increasingly daunting for individual organizations to resolve. It seems logical that through collaboration the healthcare industry and the government can jointly solve this massive problem. Here are just a few opportunities that should be pursued to improve data security:
- Department of Health and Human Services (HHS)-led security forums for chief information officers (CIOs) and chief information security officers (CISO) that target policy education, review, interpretation, and discussion;
- Development of a “Healthcare Threat” feed with participating organizations;
- Office of Civil Rights (OCR) and HHS-hosted forums on the new National Institute of Standards and Technology that focus on standards and risk reduction;
- Security and privacy policy discussions that target eliminating ambiguity;
- OCR and HHS-hosted forums for reviewing critical security risks, gaps in the industry, and best practices for remediation;
- Co-acceptance of the fact the risks are huge and cooperatively working together to identify and resolve breaches.
Intermountain Healthcare has invested heavily in attempting to protect our patients’ personal information—over a hundred million dollars in technologies, processes, education, tools, and people during the last decade. These investments continually enhance our capabilities to protect data, but all this focus and money doesn’t change the security reality for healthcare: The industry is only one really smart and committed attack away from serious problems. This shouldn’t be our security reality, but it is, and it will get worse before it gets better.
My colleagues across the industry and I stand ready to work diligently to solve this increasingly difficult problem. In that regard, the federal government should reassess the effectiveness and need for drastic penalties and processes. Let’s gather together and look at the problem holistically and put practices in place that support each other while identifying criminals and appropriately penalize them. Let’s stop wasting time on meaningless assessments that only drain healthcare organizations of critical data security resources and use that time and energy to enhance the security of our patients’ data and increase their confidence in our overall ability to maintain that security. Together, the government and healthcare organizations can solve this problem, and through cooperation, solve it in an effective and less costly manner.
We share a common problem. It won’t be easy. It’ll take time. The answers aren’t simple, but they exist. Together, by pooling resources and knowledge, we can better protect the data for which both the government and healthcare organizations have stewardship.
The author is vice president and Chief Information Officer at Intermountain Healthcare, based in Salt Lake City.
