By Matt Fisher, Esq
Twitter: @matt_r_fisher
Every industry, whether it be healthcare, financial, or anything else, is under constant attack or threat to its digital information. This is not news, especially in light of the numerous stories about breaches from Target to Hyatt Hotels to voter databases to health insurers and more. It feels as though a new breach (or more) occurs every day. At the same time, an ever increasing amount of information is created, shared and stored digitally. To some degree, there is a chicken and egg question as to whether the concerns always existed or whether the explosion of data has created and/or exacerbated the issue.
Regardless of the cause, cybersecurity needs to be an issue foremost on the minds of organizations in any industry. The healthcare industry is no exception. Cybersecurity is so important because of the numerous touchpoints where digital information is created and transmitted. Examples include electronic medical records, health information exchanges, wearables, medical devices and many other devices. Many of these items are commonplace within the healthcare industry.
For example, electronic medical records (EMR) create risks because the entire medical record is stored in a digital format. There are concerns that EMR vendors do not sufficiently build in security protections or do not meet even the minimum standards required under healthcare regulations, including HIPAA and/or Meaningful Use. Additionally, any piece of software may be subject to outside attack or exploitation. Effective countermeasures require finding vulnerabilities and constantly updating to meet new challenges. However, that is not necessarily what happens in healthcare.
The exposure created by EMRs is not the end. The prevalence of smartphones, tablets and other personal devices is another example of a threat to security in a healthcare organization. It is highly unlikely that a healthcare organization supplies each of its employees with a personal device. Instead, individuals typically utilize their own device in an arrangement commonly referred to as bring your own device (BYOD). In a BYOD scheme, an organization may not even be fully aware of all of the devices connecting to its network. This means that the organization cannot track where information flows or what malicious software may be introduced into the system (intentionally or unintentionally), and it may not track information retained on a device after the individual leaves the facility. Stopping BYOD is likely impossible, so an organization must have protections in place. The nature of those protections will be determined on a case by case basis, but the risk is ever present.
A newer cybersecurity challenge to healthcare is the combination of the so-called Internet of Things and wearables. Devices of all kinds, from watches to beds to refrigerators and many others, are connecting to the internet, gathering information and communicating (whether the owner knows it or not). So many devices are coming onto the market each day, and many are not designed to be used in the healthcare industry. This means that devices, potentially as designed, do not protect the privacy of healthcare information or even pretend to do so. While this may be all well and good if used solely for an individual's own purposes, the push is on to integrate these devices into the delivery of care. Accordingly, information from wearables and similar devices is coming into the healthcare arena, which results in concerns about overall system security.
As the numerous examples demonstrate, cybersecurity presents challenges not merely because it relates to the protection of what is often very sensitive information, but because the landscape is constantly shifting too. It is not enough to focus on any one area, say HIPAA or Meaningful Use, and assume that everything will be fine. Instead, cybersecurity is really a broad focus that encompasses many areas and concerns. In reality, being cybersecure goes beyond any particular law. True cybersecurity is akin to a lifestyle.
With all that in mind, rightly or wrongly the healthcare industry has earned a reputation for ignoring cyberthreats and not taking sufficient steps to bring security measures in line with current standards. Complaints suggest that the healthcare industry uses outdated tools, does not test enough, and does not stay current on new trends, among other issues.
What can help? For one thing, education and training are essential. Unless every individual in an organization is aware of the potential issues and alert to them, there will be a point of weakness. As such, at least annual training and continual education can be helpful practices. Not only will such activities inform individuals, but they can keep those specifically designated to oversee cybersecurity on their toes.
Another key component is instilling a culture of threat awareness and intelligence. If an organization, from top to bottom, is concerned about cybersecurity and considering it, then a good portion of the battle has been won. Wanting to do the right thing, while a cliche, is actually beneficial. Before action can occur, a willingness to act needs to be there. Cultural awareness helps create this baseline.
One important caveat to this whole discussion is that no matter how much attention is placed on cybersecurity, it is a matter of when, not if, a breach or other exposure will occur. Those who want to improperly access information are always ahead of defenses. Human error is always a factor too. Issues will always happen. The difference is that attention to and a focus on cybersecurity can help mitigate the harm when something bad does happen. Ultimately, cybersecurity is an issue that is here to stay, so ignore it at your own peril.
About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute.
Register for Upcoming Cybersecurity Discussion Webinar
Matt Fisher will be moderating an upcoming HITECH Answers webinar on Thursday, January 21st at 2 pm EDT with industry leaders discussing the impact of cybersecurity on healthcare. Panelists include Mac McMillan, Chair of the HIMSS Privacy & Security Policy Task Force, and Iliana Peters, J.D., LLM, Sr. Advisor for HIPAA Compliance and Enforcement at HHS Office for Civil Rights. Register for Cybersecurity and Healthcare Panel Discussion.