Tuesday, March 6, 2012

Healthcare is not secure - trust suffers

There are a couple of articles on the subject of security in healthcare that clearly were prepared for release around HIMSS. They showed up after HIMSS because Meaningful Use used up too much of the news coverage.
The excuses found in the articles are all over the spectrum, which reveals that there simply is no single specific reason. This lack of a specific reason, together with the stated financial-investment ones, indicates that security simply is not an important priority. To be blunt, lack of security doesn't kill people, and there are many more treatment deaths to worry about. To become a priority in healthcare, an issue needs to rank very high.

I want to be very clear: to me this is the top priority. It is right there in the title of my blog. I do worry daily about the indirect effects of poor security on patient treatment and safety. But as a subject matter expert, one must be able to see things from other perspectives in order to really understand one's subject.

HHS/ONC/CMS have made small, but important, adjustments to the Meaningful Use stage 2 statements that focus attention on the largest category of breaches: those caused by the loss of mobile devices that contain databases of PHI. For the EHR certification criteria, the focus is first on smart EHR design that doesn't leave PHI on end-user devices, and second, if PHI is left behind, on controlling it using encryption. In the CMS rule this breach category is simply indicated as a reminder that covered entities are already obligated by HIPAA Security to do risk assessments and planning, so remember to assess and mitigate the risks of mobile devices that contain PHI getting stolen or lost. I knew this was going to be the case, since I worked with the writers of the NPRM as a member of the HIT Standards privacy and security workgroup and as an SME. See my blog article written last month: Encryption is like Penicillin.

Trust suffers
The biggest negative of the lack of priority on security overall in healthcare, one that I don't see any solution for, is 'trust', or more specifically the lack of trust. Patients don't trust the system to protect them; doctors don't trust the system to deliver good results or to represent their work properly. This worry is holding back so much potential. Trust is a very hard thing to build, and even harder to hold onto.

I have spent a half-dozen years creating standards for Health Information Exchanges: small, medium, and large. These standards designed in security layers and privacy protections (that was my job, after all). But if there isn't the perception of trust, all this technology can't make things better. This perceived lack of trust is not completely due to just the breaches in healthcare, but also to the breaches everywhere on the internet. It is hard for the common man to believe that the healthcare industry will do better than other industries (e.g. video-gaming, banking, social-networking). We, the healthcare industry, are at the mercy of all industries. I really don't think it would matter if we somehow magically made the healthcare industry the model of perfect security and privacy.

Baby steps are more effective than giant steps
I truly think that the healthcare industry can continue to be relatively secure and privacy-protecting. Yes, losing control of 10 million patients' records is actually low-profile. That is, there are plenty of other industries that are far more the focus of malicious acts. Most healthcare breaches are due to carelessness and sloppiness. It is not clear they were for any malicious gain, or even resulted in any malicious gain. The rewards for attacking healthcare are simply not as fungible. This might change; I can't predict what dastardly things might be thought up. I do however think that the harm done so far has been minor in comparison. I don't like it, I want it better, but the reality is that as long as there are higher priorities, those priorities will get the funding and resources.

The healthcare industry simply needs to continue to make reasonable advances (like those promulgated in Meaningful Use). These advances are made easy because others have paved the way. Security mitigation technology is readily available: multi-layer networks, network-based intrusion detection, data loss prevention proxies, host-based firewalls, automated patching, asset discovery/analysis, network encryption, host encryption, centralized/federated user identity/authentication, and audit-logging/management. Under a Risk Assessment scheme, these will be applied in proportion to the threats.

This is not just about prevention, but about detection and action. We must detect security and privacy failures, and punish the one who caused the failure. We do this when the exposure is of a VIP; we need to do it just as strongly when it is Joe Everyone.

Note: This is not much different than 2010: