Health providers have pressing reasons to now embrace security, says INTEGRIS Health's John Delano. Karen Epper Hoffman reports.
There's a real dichotomy at work when it comes to managing IT assets in health care. So says John Delano, the vice president and chief information officer at INTEGRIS Health, Oklahoma's largest health system – with nine hospitals and several doctors' clinics and home health agencies throughout the state. Delano sees directives flying in two different directions: on the one hand to make information systems more accessible and on the other, to make them more secure.
“Over the next couple of years, there will be a shift in priorities [where health care organizations] will be more focused on patient safety,” predicts McLaughlin. And, this will apply not only to making certain the proper drug is being dispensed, but that patient records are kept safe and properly maintained. He says this will come as the result of increased enforcement, as well as increased patient demand.
In many ways, INTEGRIS is ahead of the corporate health care curve to manage IT assets, as it has policies and procedures in place in case of an incident. The system is set up to routinely assess risk and use encryption products. However, for many health care bodies, the conflicting demands of digitizing patient records and supporting mobile and cloud technologies – while complying with intensifying regulations that require more regular risk assessment – broadens the scope of the circles they need to keep secure. Plus, all this must be attended to while staying focused on the primary objective: caring for patients.
“Health care organizations have so many challenges,” says John Kindervag, principal analyst for Forrester Research, “including some significant cultural challenges.” As Kindervag sees it, many health care organizations have done the bare minimum, or less, for the past decade in complying with the Health Insurance Portability and Accountability Act (HIPAA) and the subsequent Health Information Technology for Economic and Clinical Health Act (HITECH), even as the U.S. Department of Health and Human Services (HHS) steps up enforcement of violators with fines of up to $1.5 million per offense.
“The thinking has been, ‘We're not going to do anything till someone gets fined,'” says Kindervag. “Health care, overall, has been a laggard in [IT] security.”
Now faced with what Kindervag calls a “triple whammy of compliance,” brought on by the HIPAA Omnibus Final Rule, which takes effect on Sept. 23, industry observers say that hospitals and other health care organizations must find some way to better balance the use of new technologies with protecting their information. This includes so-called business associates, those contractors and subcontractors, such as billing companies that perform services on behalf of a health care provider.
“They have to think of themselves as part of a more global environment than just health care,” Kindervag says. Others also see the hurdles.
“If you have a CISO at all, you're pretty far ahead of the curve in health care,” says Deven McGraw, director of the Health Privacy Project for the Center for Democracy and Technology (CDT), a Washington D.C.-based advocacy organization. She points out that the level of security sophistication of health care organizations can range widely, especially since they can vary in size from a solo practitioner to a large multistate system.
Darren Lacey, chief information security officer for The Johns Hopkins University and The Johns Hopkins Health System, says that because his is an academic medical center, the structure is different. “We benefit from more sophisticated security professionals and have much larger and more diverse networks.”
Still, he says, the biggest risk is the sheer diversity of its networks. “It's difficult to unpack all the different processes,” Lacey says. However, he says the health care industry is making strides in pulling together its clinical and billing applications, consolidating systems and applications in a way that will make them more accessible to physicians and care providers. “We're reducing a lot of complexity and incompatibility…which is most encouraging,” he says.
Embracing new technologies, as well as streamlining legacy systems, is becoming increasingly important to health care organizations, according to a late 2011 survey of 1,000 U.S. adults by PwC's Health Research Institute. Twenty-eight percent of those polled said they would select a health care provider that offered online doctor consultations over ones that did not, and 17 percent said that whether the facility offered an electronic health record would affect their decision. Further, health care organizations may need to consider the impact of Facebook and Twitter on their information, as almost one-third of all respondents, including half of those under 35, say they have used social media for health care reasons.
One of the most challenging aspects of the HITECH Act has been that patients now have the right to obtain a copy of their data in the format of their choice, or even ask a provider to transmit the data to a third party that they identify, says Barbara Bennett, partner in the privacy and information management group at Hogan Lovells, an international law firm.
“There's a lot of deference to the patient's choice,” Bennett says. “This raises the issue of security: If a patient wants you to email their medical record to a friend or their aunt or Facebook, how do you do that securely?”
Daniel Berger, CEO of RedSpin, an IT security assessment company, says that in the face of increasing technological and regulatory demands, the health care sector has gone from being 10 percent of his business three years ago to representing more than 70 percent of his client base now. “The HITECH Act drove a great need for security,” he says. “It breathed new life into the [HIPAA]security assessment rule.”
Under the HITECH Act, health care organizations are incented to implement electronic health records (EHRs) – a change that will make patient information more easily portable and accessible. But, as Berger points out, this step also makes this sensitive data much more concentrated and potentially susceptible to hackers.
Larry Warnock, CEO of Gazzang, a cloud and Big Data security vendor for health care, says hospitals have been “nervous” about leveraging technologies like cloud computing. But as the pressure mounts for health care organizations to make their information both more portable and more secure, Warnock says more of them will come around to embracing these technologies. “Very few health care companies use their IT department as a differentiator,” says Warnock. “That will change.”
Our most difficult challenge
In fact, health care IT has already undergone significant change. Perhaps the most rapid and challenging, as well as beneficial, has been the explosion of mobile device use.
“A year ago, health care companies were talking about the potential use of mobile,” says Berger, commenting on the speed with which it's taken hold, “and now smartphones are everywhere.”
But, Delano of INTEGRIS Health warns that the move to mobility is an anxiety producer for those charged with keeping data secure. “Security is hard enough as it is. Now having to extend the reach of that data becomes this whole new challenge.” Before the advent of mobile and cloud, health care companies focused on building up a perimeter defense around the centralized information assets, he says. With mobile devices, the data is moving and the same security approaches don't hold water.
Providing security for a mobile network can be particularly challenging when hospital staff – or physicians who have access to the facility, but are not hospital employees – bring in their own devices. Delano says INTEGRIS still tries to “centralize as much as we can,” but he admits its hospitals have struggled with care providers toting their own devices to access the network.
“In our organization, the majority of our physicians are not employed by our system,” he says. They use the facilities and refer patients there, and it is difficult to stop physicians who simply want to check a patient's EHR or bill from their iPhone while doing their regular hospital rounds.
As a result, INTEGRIS established both a guest network for patients to access the internet and a separate affiliates' network for doctors to reach patient and hospital system data. Delano says his team is continually assessing the risk, as more and more care providers make use of tablets, laptops and smartphones.
“At the same time, there's not a good way to really secure those,” he says. “How can we make sure that everyone using smartphones [to access the network] has downloaded the right patches? What keeps them from going to a malicious site and [getting a virus] once they're connected to the cell network?”
Nonetheless, given the rising tide of mobile, 81 percent of health care organizations are permitting doctors to use their own devices, according to Kam's research. Unfortunately, he also found that more than half of these organizations (51 percent) are doing nothing to secure these devices. Kam believes this will change as HHS' Office for Civil Rights continues to invoke penalties for companies that willfully neglect information security.
The potential fallout from stolen electronic health records, says CDT's McGraw, is likely to be even worse than if hackers were to get a hold of financial records. “The level of sensitivity of the data is much higher,” she says. “If people get their money stolen, it can be put back and at the end of the day you will be made whole again. When health data becomes public and falls into the hands of an employer or a marketer, that has serious repercussions.”
The prospect of compromised electronic health records is troubling enough, but the ability to hack medical equipment makes the risk even greater, says Peter McLaughlin, senior counsel for Foley & Lardner LLP and the former CPO for Cardinal Health. Sitting in as co-chair of the American Bar Association's Security Committee discussion the weekend before February's RSA Conference, McLaughlin says one of the hot topics of discussion was the potential insecurity of medical devices, like insulin pumps or pacemakers, which could be hacked remotely. “We've seen technology researchers demonstrate, in a white hat fashion, that these things are not secure at all,” he says.
And breaches are happening: 94 percent of health care companies reported a breach within the past two years, and 45 percent say that they have suffered five or more breaches in the same period, according to research from the Ponemon Institute and ID Experts. “Health care companies are becoming more aware of what a breach is, and there are a whole host of new threats coming into play with mobile computing,” says Rick Kam, president and co-founder of ID Experts, a breach solutions company. “You don't need a truck anymore to walk away with a doctor's office full of records, just a thumb drive.”
Striking a balance
One of the biggest difficulties, say health care industry observers, is that at the end of the day, the primary focus of health care organizations is on the patients. Therefore, technology budgets historically skew greatly toward the kind of diagnostic equipment and medical tools that are used to treat patients, rather than the tools to secure their IT resources.
“Hospitals, in part, and health care, in general, are starting from an immature base in terms of IT technology,” Kam says. “Most investments are going to the super-duper diagnostic or treatment equipment. The main goal of the hospital is to help patients. Core IT is the laggard in this market.”
As a result, the health care industry has traditionally had trouble attracting IT security talent, which is in high demand across most industries nowadays.
“This is not an industry that has a great track record on security issues,” says CDT's McGraw. “Their primary issue is patient care, and for so many health care providers, security is only secondary or tertiary to patient care.”
And, even for large health systems, that IT budget is typically tiny relative to other industries, she adds.
In a recent survey from the Health Care Information and Management Systems Society, nearly six out of 10 respondents said the portion of IT budget earmarked for information security had increased the year before. However, at an average of just three percent of their IT allocation as a whole, the amount health care organizations spend on IT security is still well below the five to 10 percent spent in other industries.
“It's still business as usual,” says Kam. “They're not really taking into account the new threats.” Further, according to recent Ponemon-ID Experts research, three out of five hospitals and health care organizations don't have a budget appropriate to protect the personal health information of their patients.
“It's a significant problem,” Kam says, “and at the same time there are so many pressures to improve health care and reduce costs, and they're not keeping up on the security side.”
And those security and privacy demands are just going to get more stringent. According to the PwC survey, three out of 10 patients would choose a hospital with clear privacy and security policies over one without if cost, quality and access were the same.
But, as Delano sees it, the cost to provide and manage better security will increase, while typical health care reimbursements to hospitals decline. Therefore, health care IT security executives have their work cut out for them. “It's as big a challenge as any,” he says.
“Security is a cat and mouse game,” he adds. “I told the CEO a couple of years ago that my fear is to be sitting in front of the board, and explain why instead of spending a million dollars on a new CT scanner that can generate revenue, we should spend a million on securing a new wireless network.”
“We're working through it,” Delano plainly admits. “It's a little bit difficult to achieve.”