Can Security Be Solved?: Healthcare Challenge

Every day brings a new report of a security breach or other security problem within healthcare. The unceasing cycle of incidents raises the question of what healthcare can do, and is doing, about security, and about cybersecurity in particular. That question is front and center for many people working in the industry and for many observing it. It was also the focus of a recent discussion I had with Stephen Cobb, a security industry veteran currently running a research team at ESET.

Mr. Cobb focuses his research on emerging security threats. Given his prior experience in the privacy realm, Mr. Cobb brings a somewhat different approach to security. As a setup, cybersecurity is not a new issue. Cybercrime has been on the rise for at least six years, and over that time it has become more complex and is being carried out by more sophisticated actors. It is no longer a matter of the proverbial kid in the basement trying to hack into a system. Now, it could be a nation state carrying out the attack. At the same time, healthcare went through a well-known push to implement electronic solutions. The result is a convergence of growing criminal activity and a system ripe for the picking.

That is a bit of a simplification, but Mr. Cobb broke the concerns in healthcare down into three dimensions: (1) regulatory, (2) complexity, and (3) legacy systems.

From the regulatory perspective, the issues center on complying with HIPAA and becoming complacent about what that compliance means. HIPAA establishes a baseline for security measures; it is a floor, not a ceiling, and by no means sufficient to fully (or even adequately) protect against current cybersecurity threats. Seen from this angle, the regulatory requirements in healthcare set an artificial target for security that, in many cases, is not even met. More must be done.

The complexity problem in healthcare is the reality that healthcare information differs from that of other industries. The financial and telecommunications industries, which went through these types of systems upgrades earlier, have different sets of data, but those data sets are fairly consistent from one organization to the next. In healthcare, rightly or wrongly, each provider seems to maintain its own records in its own way. Further, the information that constitutes the medical record spans many different areas of an individual's life and comes in a myriad of formats. On top of the data format, there is also the need to disseminate that data to many different places. Each of these elements creates a security risk, which in turn makes comprehensive security difficult.

Lastly, healthcare continues to employ many legacy systems. Mr. Cobb remarked that in some instances systems can be so old that newer information technology or security personnel have never seen the technology and may not know how to use it. As such, Mr. Cobb remarked that healthcare may be one of the only industries in which knowledge of 20-plus-year-old systems could be viewed as a prerequisite.

Beyond the dimensions that make security in healthcare difficult, there is also a talent shortage. Mr. Cobb referenced studies that found a worldwide shortage of skilled people who can fight cybercrime. It is not a healthcare-specific problem but a system-wide one. The rapid pace of cybercrime development means that right now the fight is almost entirely defensive. Hopefully, reinforcements, or at least more front-line defenders, will arrive soon.

Right now there are no ready answers. However, it may be useful to look for solutions and assistance in different areas. For example, Mr. Cobb explained that an effective security-focused person may have a different psychological profile from the standard IT person. Traits of a good security person may include imagination, strong nerves and a touch of humility. Finding individuals with these traits could require looking in unexpected places.

The bottom line is that security is a major concern and one that will only continue to grow. As such, the question is what organizations will do. Will they sit back and wait for a problem, or take the bull by the horns and seek to gain what control over the matter is possible? It is a soul-searching question, though honestly there is likely only one answer.


About Matt Fisher

Matt is the chair of Mirick O'Connell's Health Law Group and a partner in the firm's Business Group. Matt focuses his practice on health law and all areas of corporate transactions. Matt's health law practice includes advising clients with regulatory, fraud, abuse, and compliance issues. With regard to regulatory matters, Matt advises clients to ensure that contracts, agreements and other business arrangements meet both federal and state statutory and regulatory requirements. Matt's regulatory advice focuses on complying with requirements of the Stark Law, Anti-Kickback Statute, fraud and abuse regulations, licensing requirements and HIPAA. Matt also advises clients on compliance policies to develop appropriate monitoring and oversight of operations.
This entry was posted in EHR, EMR, Health IT, HIPAA, HITECH.