At Techumen we recognize that health care providers have highly complex clinical and business processes. In turn, these core functions rely on a large, distributed computing and communications environment. We also recognize that the demands on computing for health care will be heightened as burgeoning new care areas like population health with its attendant large data sets, precision and genomic medicine, patient-driven care protocols, networked medical instrumentation, and telehealth become firmly entrenched in care-giving.
Our client, a large hospital system, was seriously underperforming in its assessment of 3rd party security risk. As with most large health care entities, it has a massive volume and velocity of data flows of electronic protected health information (ePHI) between care providers, payers, and vendors used to provide services to patients. This, obviously, engenders significant security and privacy risks. While Business Associate Agreements (BAAs) are standard and required, they do not accurately reflect the security posture of an organization. Increasingly, corporate boards are very sensitive to data loss caused by 3rd party inadequacies. The large Target breach of 2017 was directly attributable to poor 3rd party oversight.
The first CRISPR babies have arrived in China. This event portends vast new dabbling in genetic engineering. Watch for genetic manipulation, possibly coupled with radical new human implant shenanigans, in S.E. Asia (Thailand and Korea especially). Medical tourism isn’t just another catchphrase. Futurist William Gibson is/was correct. The future is “now”.
I first took the HITRUST Assessor course in 2009 and was disappointed. Roughly, the aim of HITRUST then, as it is now, is to allow all players in the health care ecosystem (providers, payers, suppliers and others) to adopt a single security framework, and then deliver attendant certifications to demonstrate that their security programs or selected IT systems are secure. In short, a hospital, for example, would conduct a HITRUST assessment to demonstrate to anyone (Govt. and private entities) that their overall security program has a requisite level of maturity. A single report could be created and submitted to the many parties that needed to verify the security maturity of the organization. (Note: CPA firms offer similar attestations, such as the SOC Type 1 and Type 2 assessments, under AICPA guidance for service providers.)
The move to the cloud, to the internet of things, and the full embrace of deep learning (AI) is resulting in a massive transformation of enterprise IT, rather like the early embrace of the Internet in the mid-1990’s. This journey in 2018 is still in its infancy, and I posit that the time is now for security professionals to take a front seat at leadership tables and become more vociferous. We must convince our CFOs, CEOs and the board, before launching any new IT initiative, to first ask a simple question: “How will we secure our efforts?”
The IT infrastructure required to serve over 20 hospitals and over 300 clinics is necessarily very complex, distributed and large. Over 1000 applications in use and 70,000 network endpoints offer a simple indication of the size of the problem and the difficulty in securing information adequately. In addition, any comprehensive effort to shore up security and its execution would have to consider two fundamental aspects of delivering security to health care providers:
· To never harm patients
· To not interrupt, if possible, any clinical processes
There is an especially large and growing need for cybersecurity insurance:
1. Breaches are costly. (While breach cost estimates vary widely and typically depend on the type and magnitude of data affected, what is clear is that breach cost analysis must include the cost of business interruptions, tangible and intangible customer losses, class action lawsuits, and civil fines. For large breaches this cost can easily run into the millions.)
2. Information technology is too entrenched in corporate processes, and breaches will become part of the business landscape. (That is, most businesses will eventually be hit by some kind of breach or suffer damage from a cybersecurity attack.)
3. The legal and regulatory landscape is changing. Class action lawsuits will increasingly make their way through the courts. These will be especially expensive for most companies that have experienced a large breach.
Useful, powerful, small, cheap, and very easy to use. More things in life should be like USB drives, also known as flash drives, memory sticks, thumb drives, or USB keys. Since they were introduced in 2001, their increase in storage capacity has only been matched by their decrease in price. Fun fact: when first introduced, a 128-megabyte flash drive cost about $30. Now you can get 512 gigabytes for that price, and they’ve become devices most people can’t live without. Like all power tools, though, they must be treated with care and can cause a lot of damage if misused.