At Techumen we recognize that health care providers have highly complex clinical and business processes. In turn, these core functions rely on a large, distributed, computing and communications environment. We also recognize that the demands on computing for health care will be heightened as burgeoning new care areas like population health with its attendant large data sets, precision and genomic medicine, patient-driven care protocols, networked medical instrumentation, and telehealth become firmly entrenched in care-giving.
Our client, a large hospital system, was seriously underperforming in its assessment of 3rd party security risk. As with most large health care entities, it has a massive volume and velocity of data flows of electronic protected health information (ePHI) between care providers, payers, and vendors used to provide services to patients. This, obviously, engenders significant security and privacy risks. While Business Associate Agreements (BAAs) are standard and required, they do not accurately reflect the security posture of an organization. Increasingly, corporate boards are very sensitive to data loss caused by 3rd party inadequacies. The large Target breach of 2017 was directly attributable to poor 3rd party oversight.
I first took the HITRUST Assessor course in 2009 and was disappointed. Roughly, the aim of HITRUST then, as it is now, is to allow all players in the health care ecosystem (providers, payors, suppliers and others) to adopt a single security framework, and then deliver attendant certifications to demonstrate that their security programs or selected IT systems are secure. In short, a hospital, for example, would conduct a HITRUST assessment to demonstrate to anyone (Govt. and private entities) that their overall security program has a requisite level of maturity. Only one report could be created and submitted to many who needed to verify the security maturity of an organization. (Note: CPA firms offer similar attestations such as the SOC Type 1 and Type 2 assessments, under AICPA guidance for service providers.)
The move to the cloud, to the internet of things, and the full embrace of deep learning (AI) is resulting in a massive transformation of enterprise IT, rather like the early embrace of the Internet in the mid-1990s. This journey in 2018 is still in its infancy, and I posit that the time is now for security professionals to take a front seat at leadership tables and become more vociferous. We must convince our CFOs, CEOs and the board, before launching any new IT initiative, to first ask a simple question: “How will we secure our efforts?”
The IT infrastructure required to serve over 20 hospitals and over 300 clinics is necessarily very complex, distributed and large. Over 1000 applications in use and 70,000 network endpoints offer a simple indication of the size of the problem and the difficulty in securing information adequately. In addition, any comprehensive effort to shore up security and its execution would have to consider two fundamental aspects of delivering security to health care providers:
· To never harm patients
· To not interrupt, if possible, any clinical processes
There is an especially large and growing need for cybersecurity insurance:
1. Breaches are costly. (While breach cost estimates vary widely and typically depend on the type and magnitude of data affected, what is clear is that breach cost analysis must include the cost of business interruptions, tangible and intangible customer losses, class action lawsuits, and civil fines. For large breaches this cost can easily run into the millions.)
2. Information technology is too entrenched in corporate processes, and breaches will become part of the business landscape. (That is, most businesses will eventually be hit by some kind of breach or suffer damage from a cybersecurity attack.)
3. The legal and regulatory landscape is changing. Class action lawsuits will increasingly make their way through the courts. These will be especially expensive for most companies that have experienced a large breach.
Useful, powerful, small, cheap, and very easy to use. More things in life should be like USB drives, also known as flash drives, memory sticks, thumb drives, or USB keys. Since they were introduced in 2001 their increase in storage capacity has only been matched by their decrease in price. Fun fact: When first introduced, a 128-megabyte flash drive cost about $30. Now you can get 512 gigabytes for that price, and they’ve become devices most people can’t live without. Like all power tools, though, they must be treated with care and can cause a lot of damage if misused.
How frustrating is it to lose a smartphone? $650,000 worth, if you are Catholic Health Care Services of the Archdiocese of Philadelphia. An employee of theirs lost an iPhone last year. It’s easy to do so, but the iPhone was not encrypted, was not password protected, and had extensive ePHI on it. Most workers would say that they don't store ePHI on their phone. They don't use it to access an EMR, open any spreadsheets, or take any notes on their phone. However, ePHI, like water, has a way of leaking out to unexpected places. If you get corporate email on your phone, then you've probably been CC'd on a message with an attached spreadsheet, which often has ePHI. If you've installed Dropbox, or a similar app, on your phone, the data is usually accessible, especially if you've got auto-login enabled, or if the app caches any data locally.