Given the current state of affairs in Washington, D.C., it would be a significant understatement to say that the direction of the U.S. health care system is unclear. However, even in these unpredictable times, it is apparent that certain trends in the industry will continue unabated.
It was against this backdrop that we welcomed nearly 100 attendees to our 2017 Washington Health Care Conference on May 5, an event we organized with the law firm Reed Smith. We had co-produced a panel to address one of the most challenging topics facing the entire sector today: how to address data security and privacy concerns while pushing the development of innovative health technologies. We were honored to be joined by Dr. Khan Siddiqui, the founder and chief medical/chief technology officer of health care technology firm higi.
As we’d developed the panel, we’d decided to organize the talk around key themes that we feel are relevant to all professionals and capture the most important data security concepts. Siddiqui presented the first idea that kicked off the conversation.
TRANSPARENCY
Siddiqui, who has built a medical device that provides monthly biometric screenings of patients, talked about “transparency,” because one of the most critical issues in health care is building trust with patients. Essentially a self-screening health station, the technology Siddiqui’s company built was in response to one question: How do you change behavior en masse to complement existing habits?
With more than 36 million patients on its platform, higi had to decide early on how it was going to think about data security and privacy. Siddiqui explained that from day one, his company considered not only how to make the data secure, but also how to make it easy for patients to understand how and where their data is being utilized.
To do this, companies must first decide who owns the data. Concluding that the patient owned the data, Siddiqui empowered his company to adopt a patient-centered approach that educates consumers. The solution for higi was to build a cloud-based enterprise.
In the cloud, higi utilizes an open system that processes information in real time, without the added risk of storing any data or passwords. This approach provides all patients with their own encryption keys, and allows higi to manage data security. In other words, “You can’t lose the keys if you don’t have the keys.”
THE 3 Ps: PLAN, PREPARE, PRACTICE
The next concept we discussed on the panel was the trifecta, otherwise known as the 3 Ps: plan, prepare and practice.
As medical facilities are increasingly learning, it is not if you will be hacked, but when you will be hacked. Unfortunately, hackers are not sensitive to work hours, and breaches happen when you least expect them. Therefore, companies must plan for incidences and have processes in place to act quickly and efficiently to mitigate damage.
Incident Response Plan
When preparing a response plan, certain questions must be asked to bulletproof your organization’s people, processes and technology.
People
- Who is on the incident response team?
- Who is my internal /external counsel?
- Where is my IT person?
- If I need outside IT assistance, which firm am I going to use?
- Has my team practiced an incident response?
- How many people have remote access to the network?
- How often have passwords been refreshed?
Process
- How am I going to communicate with external contacts and internal team?
- What do we do if the main server is hacked?
- Can we continue to operate business?
Technology
- Do we have a backup server?
- Are records encrypted?
- Are files backed up?
Risk Management
Risk management includes identifying all cyber and physical security threats a company could face, then focusing efforts on addressing the greatest risk. It is important to understand that the risk analysis is a living document. As both issues and systems evolve, assessment must be ongoing.
For example, medical facilities and companies are increasingly interacting with third parties who sign into their networks to exchange records between hospitals, practitioners, health care agencies, transcriptionists, insurance agencies and government regulators. Considering the constant flow of third parties in and out of the networks, brute force attacks are becoming common on the remote access servers. Companies must consider who they are giving network access to and scrub that access on a regular basis.
Utilizing a Risk-Based Approach for Cloud Computing
Finally, many companies are turning to the cloud for data security. While the benefits of cloud computing are considerable, companies need to weigh their vulnerabilities and prepare an effective response for times of crisis. When utilizing the cloud, it is important to adopt the same risk-based approach that is used when storing the data on a private server.
- When did we last conduct:
- an interface information security assessment?
- a vulnerability scan?
- a penetration test?
- How often are the people trained and re-tested?
- How often is the list of people who have access to my data scrubbed?
- How well is my data segregated from other people’s data?
INTEROPERABILITY
Next, we focused on interoperability, which, contrary to popular belief, is not just connectivity.
Companies must understand the sensors and actuators from which the data is being collected and be able to follow that information as it goes into a health record database where it can be used. It is also important to understand that just because something can be connected, does not mean it should be. Companies must be mindful of whether capturing additional information is worth the risk to their systems.
Security by Design
Data interoperability is one of the most crucial aspects of effective health care innovation. If the data is not structured correctly, it becomes extremely difficult to realize benefits from artificial intelligence, data mining and big data analytics. Cybersecurity and data privacy are a significant part of interoperability. Companies that incorporate effective cybersecurity measures at the outset are best prepared to mitigate damage during the inevitable breach attempt and likely incident.
One of the challenges companies encounter as they move into this interoperable world is legacy products. It is not that hospital systems do not want to update their technologies, but rather that they often cannot afford to do so. Companies must find ways to allow legacy systems to feed into interoperable networks while ensuring data security.
A company’s business plan should also be considered when designing the system. Before launching a new product, expansion areas should be mapped out, as this will have a significant impact on how the product should be designed. Simply put, let your business model and need for security drive your infrastructure.
MINDFUL
The last word our panel identified was mindful. When companies are forced into incident response – often due to inattentive employee actions – companies are not being mindful.
McKinsey estimates that the health care industry can save between $300-$450 billion a year if companies can more systematically create interoperability, manage the three Ps and become transparent. But if they are not mindful, this can never be achieved.
The steps to becoming mindful are simple:
- Recognize that you do not know everything, which opens your capacity to change.
- Identify responsible individuals. Companies need to identify who is responsible for transparency, security and interoperability. And these people need to think about both the peril and promise of technology.
- A company can never forget that patient-centric approaches are increasingly critical.
CONCLUSION
Despite the health care industry’s growing awareness of privacy and data security risks, organizations continue to avoid taking steps to address vulnerabilities until it is too late. When presented with ways to safeguard their systems – and by extension, their patients – health care organizations too often respond with: “But we’re doctors; we’re saving lives. If you stop us from continuing to do business as usual, you’re going to prevent us from saving lives.”
In the rapidly changing world of health care, this excuse is no longer acceptable. We need a paradigm shift in how we think about data security and privacy concerns while still allowing doctors to save lives.
In addition to promoting transparency with patients; planning, preparing and practicing for a cyber-attack; perfecting the interoperability of our networks; and approaching every problem and decision mindfully, we urge those in the health care industry to recognize that both the risks and rewards are nonlinear. We must challenge ourselves to consider health care security through a different lens.
Scott Thiel is a director in Navigant's health care and life sciences disputes, regulatory, compliance and investigations (HLS DRCI) practice, leading the health information technology regulatory group. Scott has over two decades of experience in the medical device industry, with expertise in product development, software and connectivity related to medical devices, regulatory affairs, compliance and quality system creation and remediation. He can be reached at [email protected].
Gerald Bessette is an associate director in Navigant’s information security services group based in Washington, D.C. He recently retired from the FBI after a 24-year career as a special agent and executive manager. He held numerous leadership positions around the country managing investigations of criminal and national security violations and managing technical surveillance programs as well. He can be reached at [email protected].
Published November 13, 2017.
