At Techumen we recognize that health care providers have highly complex clinical and business processes. In turn, these core functions rely on a large, distributed, computing and communications environment. We also recognize that the demands on computing for health care will be heightened as burgeoning new care areas like population health with its attendant large data sets, precision and genomic medicine, patient-driven care protocols, networked medical instrumentation, and telehealth become firmly entrenched in care-giving.
Our client, a large hospital system, was seriously underperforming in its assessment of 3rd Party security risk. As with most large health care entities, it has a massive volume and velocity of data flows of electronic protected health information (ePHI) between care providers, payers, and vendors used to provide services to patients. This, obviously, engenders significant security and privacy risks. While Business Associate Agreements (BAAs) are standard and required, they do not accurately reflect the security posture of an organization. Increasingly, corporate boards are very sensitive to data loss caused by 3rd party inadequacies. The large Target breach of 2017 was directly attributable to poor 3rd party oversight.
The IT infrastructure required to serve over 20 hospitals and over 300 clinics is necessarily very complex, distributed and large. Over 1000 applications in use and 70,000 network endpoints offer a simple indication of the size of the problem and the difficulty in securing information adequately. In addition, any comprehensive effort to shore up security, and its execution, would have to consider two fundamental aspects of delivering security to health care providers:
· To never harm patients
· To not interrupt, if possible, any clinical processes
“What’s our cloud strategy?” is a common question in IT these days. A somewhat lengthy answer is required. Few technologies have grown as fast as the cloud. It is a profound shift to have your data – your precious, regulated data – stored not just out of your control, but out of your sight. This change provokes a wide range of responses, from “Never in a thousand years” to “Take my data, please”. A better reaction might be “Yes, but.” As with many things in life, and certainly in healthcare, the extreme reaction is not the best one.
We have conducted over 200 security risk assessments for providers of various sizes, from a multi-state hospital chain to solo practitioners. One common theme that emerges from all of these assessments is that the return on investment (ROI) on information security products is lower than it could be. Simply stated, most health care providers are wasting limited resources to manage their information security.