By Matt Fisher, Esq
Twitter: @matt_r_fisher
At HIMSS16, I had the opportunity to sit down with Mac McMillan, the Chairman, CEO and co-founder of CynergisTek, Inc., to discuss cybersecurity issues facing the healthcare industry. The discussion focused on ransomware, the role of data in healthcare, which includes where generated and how utilized, and how to manage access to data. While seemingly disparate issues, all of them do tie together by getting to issues of trust, security and confidence in the healthcare system.
The discussion on ransomware focused on how it remains an emerging threat. This was true at the time, not long after the Hollywood Hospital attack, and even more true now following multiple systems being hit in the past week plus. The criminal perpetrating the ransomware attacks are difficult to detect and track. If sophisticated, the criminals mask their identities, which throws up difficult, if not impossible, to overcome roadblocks in bringing them to justice or just holding accountable.
The discussion of ransomware with McMillan touched upon the nature of the attacks. Oftentimes, the ransomware is introduced through a malware attack. McMillan suggested that the criminals are not necessarily after the data. McMillan explained that, to some degree, ransomware attacks are easy to run for the criminals. A whole host of attacks are sent out, for relatively low-cost, which in turn means that the criminals only need a small percentage to be successful. Once the ransomware is in, McMillan suggested that there is a lack of evidence to suggest that the ransomware accesses the data. Instead, the goal of the ransomware attack is to cause sufficient disruption and annoyance that the ransom will be paid. Recognizing the goal of the attack and the large number that go out, it becomes more understandable why settlements can be so low. Those seemingly low settlements can add up quickly when a bunch of people or organizations pay them.
At the same time, when a ransom is paid it offers encouragement to the criminals. The payment appears to justify the approach taken. Further, the more press coverage an attack gains, the more people fear the attack occurring. Given the difficulty of tracking down the criminals and the numerous exposure points, the publicity likely creates a vicious circle.
In light of the concerns raised by ransomware, the discussion with McMillan turned to patient-generated data and specifically whether such data could be found reliable and/or welcomed into the system. A query was also presented whether attempting to incorporate patient-generated data would result in vulnerabilities to healthcare systems because unknown sources would be feeding data into what is otherwise a supposedly secure system. There is a significant amount of debate whether healthcare systems have done enough to be truly secure, but that is a different issue. While McMillan acknowledged that more people touching data can create more risk, there are significant benefits to healthcare to encouraging patients to generate their own data.
The benefit derives from patient perceptions about the data that they generate themselves. This information may provide a more accurate picture of what a patient is actually doing and thinking. Further, there is not necessarily support to determine that patient-generated data is less accurate than other data. Anecdotally, assertions are made that data from patients may be more comprehensive. Engaged patients are likely essential to transforming the healthcare system to one based on quality and value. Informed patients can make a physician’s job easier.
Turning back to the security issues, the concern over incorporating patient-generated data arises from enabling more access points to systems and figuring out how such data can fit into the regulatory scheme created by HIPAA. Both issues, while certainly serious, should not be viewed as barriers. To some degree, as discussed with McMillan, both concerns can drive down to access controls. McMillan described that the healthcare system predominantly utilizes role-based access controls at the moment. Role-based access is access that is predetermined based on a person’s role. For example, in role-based access, a primary care physician seeking access to an electronic medical record system will be given full access to all records because that person is a physician. From the security standpoint, there is then an expectation, and hope, that the physician will then only access information about their patients. Clearly, this system creates risk.
However, McMillan suggested changing to an attribute-based system to help address these concerns. Under an attribute-based system, each data element and user is assigned an attribute that must align for access to be granted. It is a smarter, more adaptive system that will arguably result in enhanced security. Locking data down so it can only be accessed would theoretically connect to patients loading in data because there could be some segmentation. It all comes down to shifting the system to recognize new realities when it comes to data and security.
Overall, the discussion with McMillan highlighted the significant number of security threats that the healthcare industry faces. There is no shortage of concerns and the industry, from many reports, is woefully behind in preparing for those threats. As McMillan said, a shift needs to occur and it must occur quickly. If not, healthcare data will continue to be exposed and trust in the system could erode to dangerous levels.
About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.