Where will HIT security be in 3 years?
April 16, 2014 in Medical Technology
Security is a nightmare for all companies, but the very nature of healthcare makes it far worse. It’s not merely onerous government requirements for medical data, or the popularity of security-adverse mobile devices. It’s the need to give tiny medical offices – small, independent businesses, with typically no meaningful IT staff – full network access to all files, physical building access to its employees and privileges to change/add to that ultra-sensitive data.
[See also: Security issues can’t be ‘swept under the rug’]
But are there ways to truly make these accesses more secure and to do so in ways that will be not merely viable, but even profitable? Many industry insiders say there are, but only if participants agree to start taking security seriously.
[See also: OCR: 'Pay attention to details']
Ask Jennings Aske, former chief information security officer for Partners HealthCare in Boston and today the CISO for Nuance Communications, what he sees as the biggest threat to healthcare IT security and he doesn’t hesitate to point the finger at cloud servers and email. More precisely, he cites consumer-grade clouds and email services where security – especially for anything as sensitive as patient-specific medical data – barely qualifies as an afterthought.
“The security conscience of most practitioners is very weak,” said Aske. “They don’t know about the risks of using Dropbox or using Yahoo! mail or Gmail. My greatest concern is them using the cloud to store medical records. I know one clinician who backed up every patient record to a cloud drive.”
There’s little IT can do about doctors who perform such reckless moves, other than encouraging doctors to better understand security issues. “I would very much like to see medical schools adding this to their curriculum,” Aske said.
Can IT be turned into a profit center?
Most agree that the weakest part of the healthcare security chain are those small independent medical offices, who need to have full hospital privileges. As long as those staffs engage in weak security practices, there’s not much corporate can do to keep things safe and secure.
But what if hospital privileges came with IT requirements, forcing the independent offices to not only apply with a series of IT rules, but requiring them to use the services of an IT firm on a short pre-approved list?
Even better – or worse, depending on your perspective – what if those independent firms were required to contract with the hospital’s internal IT services? In theory, that would address the security issue while adding revenue and profit to the corporate medical group.
Jeff Mongelli, chief executive officer of Acentic, a health IT compliance company, described the problem: That independent physician’s office “may have connectivity to Cedars-Sinai through an encrypted VPN tunnel,” he said. “But if his security is extremely lax, that’s going to create a (cyberthief) gateway. He might have a 10-year-old consumer-grade firewall and anti-virus on his server that is way outdated. And on the weekend, his 11-year-old son sits at his desk and plays games, unintentionally downloading viruses.”
Within the next few years, hospital groups will have no choice but to force an end to this situation, Mongelli said.
“Hospitals are going to have to demand higher levels of compliance out of the parties they are connected to, including laboratories, imaging centers and physicians,” including the right to audit IT infrastructure, he said.
That might have to include unannounced inspections. “IT guys are lazy. As soon as they know somebody will be sniffing around what they are doing, they’ll clean everything up,” he said — adding that if they’re never sure when the inspection will happen, that might motivate ongoing vigilance.
The next stage, Mongelli argued, is the creation of a virtual IT staff at the hospital group that anyone who wants to connect to the network must pay for – something he dubbed “almost an inevitable evolution.”
Even more frightening? It may not stop at hospital groups. “Insurance companies may come to the same conclusion,” he said.