The Institute for Critical Infrastructure Technology recently released a report detailing stolen electronic health records and how the data is sold on the deep web. The report was critical of the health care industry’s attitude toward cybersecurity, stating “the health care sector trivialized threats and ignored cybersecurity for too long.”
That raises the question: Are health care’s cybersecurity efforts really as uninspired as they seem? To find out, Privacy Tech spoke with four health care privacy professionals, who all agreed that the industry is doing a better job than it is given credit for.
However, there is still a lot of work ahead.
IMS Health Chief Privacy Officer Kimberly Gray, CIPP/US, says health care’s cybersecurity standing is strong, but not every organization can put forth the same amount of resources to the problem.
“The health care industry is very diverse. We have got large organizations, small organizations, varying levels of sophistication, with varying levels of financial support,” said Gray. “I would say if you are talking about a health care plan or a large health system, they are probably doing a pretty good job. If we are talking about a small community hospital, or a group of two or three doctors, then you might have some issues.”
Indiana Health Information Exchange, Inc. VP – General Counsel & Privacy Officer Valita Fredland, FIP, CIPM, CIPP/US, says the only way for the health care industry to ignore privacy and security issues is to do so deliberately.
“I think you characterize a lax attitude only if the person has an intent to avoid privacy and security,” said Fredland. “There’s no excuse for claiming ignorance at the leadership level, because privacy and security both in health information and personal information has been in the headlines daily for the last five years.”
Discussing privacy issues at the leadership level highlights a key issue within health care. Privacy professionals are considered an important cog in implementing strong protocols, but ICIT study authors James Scott and Protenus CEO Robert Lord saw privacy professionals as undervalued commodities with limited resources at their disposal.
Health care professionals agree.
“I think some of them do have a voice. For others, I think that voice is a lonely voice that’s heard maybe every now and again,” said GO 2 Consulting Privacy and Clinical Research Professional Gail Obrycki, CIPP/US. “I think they would have a bigger voice if something happened to that company where there was a major breach. Then, I think people would stand up and say we have to do something.”
IMS Health's Gray has been around the health care industry long enough to see the value of some privacy professionals diminish as regulations became more routine.
When HIPAA first came onto the scene, Gray said health care organizations started creating the chief privacy officer position. Many health care CPOs were directors and vice presidents, giving them access to the CEO and the board. Once HIPAA became more of a compliance function, Gray said those duties were handed to chief technology officers. When the shift occurred, Gray noted many CTOs were on a lower management level, making it harder to deliver their message to executive leadership.
Conveying the importance of privacy and security to the board can be a difficult task. Fredland said it’s the role of privacy professionals to explain the significance of these issues in terms board members can relate to and understand.
“The most poignant method of conveying privacy- and security-related messages is in terms of organizational risk management. The board has a duty to assure that the risks and threats to the organizations have been identified and properly mitigated,” said Fredland. “Privacy and security officers are responsible for outlining how the threats and risks to the privacy and security of data rank among the top risks to an organization.”
Getting the attention of board members is important, but privacy professionals also must obtain funding to fuel their efforts.
Gray said smaller organizations often have difficulty gathering the financial support to detect threats and to operationalize their threat intelligence to neutralize those threats. Fredland also noted that other departments are competing for the same money.
“The delivery of health care is about the art and science of the critical care, so when they look to spend money to provide care, often the first things in line are those expensive things like the clinical equipment, medical tests, and the environment to deliver patient care, and not so much the back-end things like monitoring for access anomalies” to the electronic medical record, said Fredland.
Education is also an important duty for health care privacy pros, although training employees can be difficult, given the sophistication of certain attacks, like phishing. “You can train people to be aware of that, but if you get six emails from your immediate bosses saying ‘send me this,’ I’m not sure how realistic it is to train somebody to ignore that,” said Wiley Rein Partner Kirk Nahra, CIPP/US.
It’s clear, too, that health care training needs to be done on a consistent basis. This includes remedial training on proper care of mobile devices and remedial training on social engineering attacks, for example. “It’s a perpetual thing. You don’t just do it once,” said Gray. “You do your routine, regular training, but you also have something on the company intranet once a month, a little story about [cybersecurity]. It has to be a constant reinforcement.”
Security assessments cannot be done irregularly, either. “I think part of the challenge health care companies are realizing is that this is a constant obligation. It’s not something where you can do a HIPAA security assessment on January 2015 and then you don’t do another one until January 2017,” said Nahra.
Health care organizations are doing their part to ensure they are in compliance with regulations and protocols. Gray sits on the board of HITRUST, an organization created to assist the health care industry in developing strong information security protocols. HITRUST works with health care companies of all sizes and fields, and uses its own certifiable framework to shore up an organization’s compliance with protocols such as HIPAA. Gray credits the organization for Anthem’s strong response to their massive data breach last year.
The health care industry knows more attacks will come in the future. Nahra believes it’s impossible for health care to eliminate all of the threats it faces. Human error will continue to factor into incidents, and the only way for it to be totally extinguished would be for employees to avoid using technology altogether, which is obviously not going to happen.
The balance between privacy and patient care also weighs on the minds of industry professionals.
“If a hospital spends every dime it has on security, maybe we would have a really secure, terrible health care system,” said Gray. “There are very aggressive health care privacy advocates whose goal — if you do all the things they want to — would shut down a lot of things. That may be a big win for privacy and security to shut down electronic health records, but it’s a loss for the health care system.”
While there is agreement that health care is moving in the right direction with regard to privacy, there is still work to be done. Obrycki believes more health care organizations will act on privacy and security issues when they become the victims of cyberattacks, while Fredland feels providers will always be playing catch-up with technology and malicious actors.
“I think we are trending toward being better all the time, but I’m coming from a standpoint where I think we are not doing all that poorly anyway,” said Gray.