ACOs: The Security Challenges
The Data Risks Facing Accountable Care Organizations
As healthcare reform takes root and new accountable care organizations are created, health data potentially becomes more vulnerable to breaches, says security expert Bill Fox.
Established as part of the Medicare Shared Savings Program, ACOs encompassing multiple provider organizations will coordinate treatment of Medicare patients in a region. Participating organizations can earn extra Medicare payments if they meet specific quality and cost-savings requirements.
Data exchange is essential to the success of ACOs. That data sharing, however, creates risk, says Fox, principal at Booz Allen Hamilton, in an interview with HealthcareInfoSecurity (transcript below).
"A unique thing about ACOs is that as they try to figure out how to do integrated care delivery, [they need] more liquid exchange of data going from various hospitals to clinics to primary care physicians [and] being sent out to the patients' smart phones," he explains. "But each one of those things comes with a new risk and a new process that has to be figured out."
In the interview, Fox, a former prosecutor, also discusses:
- Health data security concerns related to cloud computing;
- The threats to health data security and privacy by organized crime;
- Why training is important in preventing breaches involving mobile devices.
As a principal at Booz Allen Hamilton, Fox concentrates on financial integrity, cyber and mobile security, compliance and enterprise risk control across the healthcare continuum. He is the former deputy chief of economic and cybercrime at the Philadelphia district attorney's office and a former special assistant U.S. attorney.
Top Security, Privacy Issues for ACOs
MARIANNE KOLBASUK MCGEE: What are some of the top data security and privacy issues that accountable care organizations are going to face and why?
BILL FOX: A unique thing about accountable care organizations is that as they try to figure out how to do integrated care delivery, [they need] more liquid exchange of data going from various hospitals to clinics to primary care physicians [and] being sent out to the patients' smart phones. The physicians might want to be working off a tablet. They're really being the pioneers in figuring out, "If I can make data more accessible, more liquid, if I can get data to the point of care - and much of that's PHI and protected data - if I can do that successfully, then I can really help deliver quality care, lower cost [and] do all the goals of the ACO." But each one of those things comes with a new risk and a new process that has to be figured out.
MCGEE: How do the risks that ACOs face with security and privacy differ from healthcare organizations that are not part of an ACO?
FOX: ... If you think about an organized system that's connected virtually and electronically with any other number of systems, that's where you start to add on complexity and risk because they've got to understand where the vulnerabilities are in terms of the processes, the people and the technology that are involved in making that work. ... Each layer of complexity that you add into that network adds a layer of risk.
Steps to Prepare
MCGEE: What steps should ACOs be taking to prepare for these emerging security and privacy challenges?
FOX: The really important point is ... not having silos. [Don't have] a group that's working on integrated care delivery; a group that's working on patients that are in a medical home; a group that's working on making a hospital internally work more efficiently - and then have the CISO's office way off to the side separately dealing with something. Or don't deal with something when it happens after the fact, [say] when there's a breach or an emergency; or, when they come to you with this idea that's all fully baked, and then the CISO, or maybe the legal department, will say, "You can't do that because there's a problem with HIPAA, HITECH or some other thing." If we could bring those people into the process at the beginning and have them at the table, then you can hopefully change that model so that it actually enables more innovative ways to do care delivery and to exchange data.
Biggest Cybersecurity Threats
MCGEE: What are the biggest emerging cybersecurity threats that all healthcare organizations should be watching out for?
FOX: What you've seen over time in financial services ... since my days as a prosecutor, [is that] the big thing was a DDoS [distributed-denial-of-service] attack. Now you've got much more involvement of organized crime, and they want to get the data either to use it or to sell it. There's a definite criminal intent there.
What you're going to find as financial services gets more sophisticated, looking at advanced persistent threats and state actors, is there will be a switch over to the healthcare industry because we have all that data, too. We have all this protected health information and financial data, and organizations have intellectual property, and the wall is not as hard to get through. They're basically looking at what has been the progression in other areas. We've seen a progression from DDoS to data manipulation and now data destruction. If I wanted to really hurt an organization, I could just get in and wipe 50,000 laptops of all the information on them. It's understanding what those emerging threats are, how they're morphing over into healthcare as we become a more digitally driven industry, and making sure we have those protections and processes in place.
Addressing Cloud Risks
MCGEE: As cloud computing services grow in popularity, what should healthcare organizations know about keeping cloud-based data safe and secure?
FOX: ... Every situation is different. At a high level, they need to understand who's going to be responsible. Is it going to be them or is it going to be the cloud vendor? If it's the cloud vendor, how are they segmenting that data from other data that's also in the cloud? Are you using a security tunnel where your security implementation is going to follow that data up into the cloud? Or are you going to turn it over to [the cloud vendor]? [It's also] making sure that whenever there's going to be a cloud implementation, all those questions have been answered to your satisfaction. In terms of policy, it maps to the new HIPAA regulations, the HITECH regulations, and you're confident that whatever data is going up there ... that all matches together into the security framework that you've put in place for your organization.
Improving Mobile Security
MCGEE: Many healthcare breaches involve unencrypted mobile devices that are lost or stolen. As organizations become more aware of the importance of encryption, what else should they be doing to improve the security of mobile health data?
FOX: Probably the most difficult area is people. People are obviously always the weakest link in this chain. I think that education is very important to help them understand that it's not just your phone ... it's a way into the whole system. There have been innovations around segmenting phones so that there's a business side and a personal side. ...
Then, [it's important to monitor] those devices so that you know what's going on with them [such as], whether they're encrypted. ...
The other side of that is you really do want to be able to do things like text the doctor and ask him a question about medication in an emergency situation. You want to have the technology and processes that enable those faster and higher-quality sorts of delivery.