
Healthcare Orgs May Be Ramping Up Cybersecurity Efforts

Posted on August 18, 2017 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As I’ve noted (too) many times in the past, healthcare organizations don’t have a great track record when it comes to cybersecurity. Compared to other industries, healthcare organizations spend relatively little on IT security overall, and despite harangues from people like myself, this has remained the case for many years.

However, a small new survey by HIMSS suggests that the tide may be turning. It’s not incredibly surprising to hear, as health IT leaders have been facing increasingly frequent cybersecurity attacks. A case in point: In a recent study by Netwrix Corp., more than half of healthcare organizations reported struggling with malware, and that’s just one of many ongoing cybersecurity threats.

The HIMSS cybersecurity survey, which tallies responses from 126 IT leaders, concluded that security professionals are focusing on medical device security, and that patient safety, data breaches and malware were their top three concerns.

In the survey, HIMSS found that 71% of respondents were allocating some of their budgets toward cybersecurity and that 80% said that their organization employed dedicated cybersecurity staff.

Meanwhile, 78% of respondents were able to identify a cybersecurity staffing ratio (i.e. the number of cybersecurity specialists versus other employees), and 53% said the ratio was 1:500, which, according to HIMSS, is considered the right ratio for information-centric, risk-averse businesses with considerable Internet exposure.

Also of note, it seems that budgets for cybersecurity are getting more substantial. Of the 71% of respondents whose organizations are budgeting for cybersecurity efforts, 60% allocated 3% or more of their overall budget to the problem. And that’s not all. Eleven percent of respondents said that they were allocating more than 10% of the budget to cybersecurity, which is fairly impressive.

Other stats from the survey included that 60% of respondents said their organizations employed a senior information security leader such as a Chief Information Security Officer. In its press release covering the survey, HIMSS noted that CISOs and other top security leaders are adopting cybersecurity programs that cut across several areas, including procurement and education/training. The security leaders are also adopting the NIST Cybersecurity Framework.

According to HIMSS, 85% of respondents said they conduct a risk assessment at least once a year, and that 75% of them regularly conduct penetration testing. Meanwhile, 75% said they had some type of insider threat management program in place within their healthcare organization.

One final note: In the report, HIMSS noted that acute care providers had more specific concerns about cybersecurity than non-acute care providers. Over the next few years, as individual practices merge with larger ones, and everyone gets swept up into ACOs, I wonder if that distinction will even matter anymore.

My take is that when smaller organizations work with big ones, everyone’s tech is set up to reach the level better-capitalized players have achieved, and that will standardize everyone’s concerns. What do you think?

Despite Abundance of Threats, Few Providers Take Serious Steps To Protect Their Data

Posted on July 27, 2017 | Written By Anne Zieger

I scarcely need to remind readers of the immensity of the threats to healthcare data security out there. Not only is healthcare data an attractive target for cybercriminals, the aforementioned keep coming up with new ways to torture security pros (the particularly evil ransomware comes to mind).

Unfortunately, healthcare organizations are also notorious for spending too little on data security. Apparently, this also extends to spending money on information security governance or risk management, according to a new study.

The study is sponsored by Netwrix Corp., which sells a visibility platform for data security and risk mitigation in hybrid environments. (In other words, the following stats are interesting, but keep your bias alert on.)

Researchers found that 95% of responding healthcare organizations don’t use software for information security governance or risk management and that just 31% of respondents said they were well prepared to address IT risks. Still, despite the prevalence of cybersecurity threats, 68% don’t have any staffers in place specifically to address them.

What’s the source of key IT healthcare security threats? Fifty-nine percent of healthcare organizations said they were struggling with malware, and 47% of providers said they’d faced security incidents caused by human error. Fifty-six percent of healthcare organizations saw employees as the biggest threat to system availability and security.

To tackle these problems, 56% of healthcare organizations said they plan to invest in security solutions to protect their data. Unfortunately, though, the majority said they lacked the budget (75%), time (75%) and senior management buy-in (44%) needed to improve their handling of such risks.

So it goes with healthcare security. Most of the industry seems willing to stash security spending needs under a rock until some major headline-grabbing incident happens. Then, it’s all with the apologies and the hand-wringing and the promise to do much better. My guess is that a good number of these organizations don’t do much to learn from their mistake, and instead throw some jerry-rigged patch in place that’s vulnerable to a new attack with new characteristics.

That being said, the study makes the important point that employees directly or indirectly cause many IT security problems. My sense is that the percent of employees actually packaging data or accessing it for malicious purposes is relatively small, but that major problems created by an “oops” are pretty common.

Perhaps the fact that employees are the source of many IT incidents is actually a hopeful trend. Even if an IT department doesn’t have the resources to invest in security experts or new technology, it can spearhead efforts to treat employees better on security issues. Virtually every employee that doesn’t specialize in IT could probably use a brush up on proper security hygiene, anyway. And retraining employees doesn’t call for a lot of funding or major C-suite buy-in.

Downsides of Incorporating Behavioral and Social Data Into an EHR

Posted on June 19, 2015 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

In response to my post about incorporating behavioral and social data into EHR, I got the following email from one of our readers:

My worry on the collection of such behavioral and social data is that it will get used to further prescribe people with the psychiatric drugs that have such horrendous side effects to the benefit of big pharma rather than move towards diet, health education, nutrition and other non-medical remedies that can have long lasting benefits for a lifetime.

It’s a very fine point. In my previous article I didn’t spend enough time talking about the potential downsides of incorporating all that data into an EHR. The reader pointed out the potential abuse by big pharma to sell more drugs. No doubt, pharma is trying to sell more drugs. I’m sure the creative minds at pharma will try and find ways to leverage this data and sell more drugs. That’s the nature of healthcare.

However, I think pharma would try to do this whether the data was in the EHR or not. In fact, having this data in the EHR for the doctor might mean the doctor makes better choices and doesn’t always default to pharma to treat a patient. For example, if you know they’re living in a poor area, then you can ask them if they have enough food or heat in the winter in order to avoid them returning to you a few weeks later with another cold. This would actually lead to fewer drugs because you’re actually treating the cause of the problem as opposed to just the presenting problem.

While this example paints a pretty picture, you could also paint an awful picture where this data is used for discrimination. This could be in the office itself or by insurance companies. Some of the new ACA laws help when it comes to insurance discrimination, but many fear that the move to ACOs will cause these organizations to discriminate against the unhealthy and poor. I have this fear as well. When you pay to keep people healthy, who do you want to have in your patient population? The healthy.

When you start talking about including all this new data in an EHR, there are a lot of privacy and security questions that come up as well. We’ve always known that the patient record was a treasure trove of personal information that needed to be safeguarded and protected from abuse. Social and behavioral data makes the health record even that much more desirable to nefarious groups who want to abuse the data. HIPAA along with privacy and security will become that much more important.

I’m sure I’m just touching the surface on the challenges and problems associated with all this new data. Although, the thing that scares me most is the way people could abuse the data. I don’t think these are reasons to not use this data. We need to use this data to move healthcare forward. However, it is a call to be very thoughtful about how we collect, secure, and use the data we’re collecting.

Healthcare Data Quality and The Complexity of Healthcare Analytics

Posted on March 2, 2015 | Written By John Lynn

The other day I had a really great chat with Khaled El Emam, PhD, CEO and Founder of Privacy Analytics. We had a wide ranging discussion about healthcare data analytics and healthcare data privacy. These are two of the most important topics in the healthcare industry right now and no doubt will be extremely important topics at healthcare conferences happening all through the year.

In our discussion, Khaled talked about what I think are the three most important challenges with healthcare data:

  1. Data Integrity
  2. Data Security
  3. Data Quality

I thought this was a most fantastic way to frame the discussion around data and I think healthcare is lacking in all 3 areas. If we don’t get our heads around all 3 pillars of good data, we’ll never realize the benefits associated with healthcare data.

Khaled also commented to me that 80% of healthcare analytics today is simple analytics. That means that only 20% of our current analysis requires complex analytics. I’m sure he was just giving a ballpark number to illustrate the point that we’re still extremely early on in the application of analytics to healthcare.

One side of me says that maybe we’re lacking a bit of ambition when it comes to leveraging the very best analytics to benefit healthcare. However, I also realize that it means that there’s still a lot of low hanging fruit out there that can benefit healthcare with even just simple analytics. Why should we go after the complex analytics when there’s still so much value to healthcare in simple analytics?

All of this is more of a framework for discussion around analytics. I’m sure I’ll be considering every healthcare analytics I see based on the challenges of data integrity, security and quality.