A few months ago we reported on the “banner” year for Health Insurance Portability and Accountability Act (HIPAA) enforcement (see HIPAA Fines & HIPAA Audits On The Rise) and while that piece was focused specifically on HIPAA violations, it got me to thinking – the undercurrent of what’s at stake is much wider. Data security of all kinds will remain a constant challenge as we push to greater levels of interoperability, and health information exchange is inescapable because it props up all efforts for care coordination, value-based payments, and population health.
So it was with interest that I read the latest report from the Department of Health and Human Services’ Health Care Industry Cybersecurity Task Force, which shows the field has a lot of challenges ahead on the path to better patient privacy and data security (see Health Care Industry Cybersecurity Task Force Report On Improving Cybersecurity In The Health Care Industry) – not the least of which is poor provider organization awareness of the problem. The task force notes:
[M]any providers and other health care workers often assume that the IT network and the devices they support function efficiently and that their level of cybersecurity vulnerability is low. Recent high-profile incidents, such as ransomware attacks and large-scale privacy breaches, have shown this vulnerability assumption to be false…
The Task Force identified six “high-level imperatives” to organize industry actions toward solving this issue:
- Define and streamline leadership, governance, and expectations for health care industry cybersecurity
- Increase the security and resilience of medical devices and health IT
- Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities
- Increase health care industry readiness through improved cybersecurity awareness and education
- Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure
- Improve information sharing of industry threats, risks, and mitigations
We have a lot of stakeholders in the field – from executives of provider organizations, to payers, to third-party tech firms – who are invested in making the future health care system a tech-enabled system. The health care profession should take a page from the international banking community and work together to create standards and practices for privacy, security, and data sharing. While the Office of the National Coordinator has set some standards and HIPAA has set parameters, the actual intricacies have been left to local entities, health care systems, and the myriad state and locally based health information exchanges (HIEs).
The standards to be created must include components associated with physical data security. The vulnerability of individual health care systems to hacking is quite terrifying. While the United States is not alone in lacking these sets of standards and practices, we can certainly begin the process of creating these models within our own country if we can create a national standards-setting body.
Agreed-upon models of data encryption, nationwide definitions of a minimally required data set, firm policies about how and when the patient’s right to privacy can be overridden by the practitioner’s need to use prior medical information, confirmation that the right of the patient supersedes the rights of the federal government and local police entities, etc. are necessary if we are to significantly advance our digital security standards and practices.
While some have argued that privacy no longer matters in this current digital age, I firmly believe that we in the health care industry must uphold the sanctity of the records of the people whom we serve. The egregious case of the nurse in Utah who was arrested for refusing to draw blood from an unconscious patient is an example of how we in health care must rigorously live by standards that protect patients’ information and privacy (see Utah Nurse Arrested Over Blood Draw: This Shouldn’t Happen Again). Physical security is no less important than data sharing standards. We must improve in both before health care consumers can feel confident that their health care data is protected.
Any lack of competency (or even the perception that organizations lack this competency) about the data security of health care organizations is a big issue for greater adoption of new tech tools.
For more on the challenges, as well as the opportunities in sharing data, join me on November 8 at The 2017 OPEN MINDS Technology & Informatics Institute for my session, “Behavioral Health Data Sharing: The Opportunities & Challenges In Health System Information Exchange.”