HIMSS15: 3 Privacy, Security Takeaways
Interoperability, Cyberthreats and New Targets
This year's Healthcare Information and Management Systems Society Conference was bigger than ever, attracting more than 43,000 attendees. And the hot topics of privacy and security came up frequently at many sessions, interviews and informal chats during the event.
Three key themes that emerged are EHR interoperability challenges, emerging cyberthreats from hackers and potential new breach targets.
Secure, nationwide health data exchange is a top goal of the Department of Health and Human Services' Office of the National Coordinator for Health IT. Certainly, the mass adoption of electronic health records by medical professionals and hospitals participating in the "meaningful use" incentive program created by the 2009 HITECH Act has brought the industry to a tipping point for the use of digitized records, as ONC's leader Karen DeSalvo pointed out several times during HIMSS 2015.
Securely sharing that data locally, regionally and nationally can potentially improve care coordination, and hopefully improve patient outcomes and reduce costs. But the path to true EHR interoperability, which paves the way for data sharing, is riddled with many small potholes and several large obstacles. That includes technology standardization and application programming interface issues that need to be sorted out by health IT vendors.
And for healthcare providers, it also means having more clarity about trust issues, including a better understanding of HIPAA - such as what data can and cannot be shared with other healthcare providers, with or without patient consent. For example, the HIPAA Privacy Rule already permits a covered entity to disclose protected health information to another provider for treatment purposes without the patient's authorization, a point that is still widely misunderstood.
There's also a need to harmonize, or, at the very least, better understand, the patchwork of state privacy laws that complicate health information sharing.
Data segmentation and electronic patient consent technology - if implemented properly - hold promise for protecting the privacy of patients' most sensitive health information, including records of mental health, substance abuse and reproductive health treatment.
Another major hurdle for achieving interoperability: intentional and unreasonable information blocking among healthcare providers and vendors who use a variety of tactics that prevent the sharing of patient data. Unfortunately, those tactics include some healthcare providers inappropriately using HIPAA as an excuse to not share patient records.
Lucia Savage, ONC's privacy officer, noted in discussions at HIMSS that the agency is working with the Department of Health and Human Services' Office for Civil Rights to assess those situations where healthcare providers inaccurately blame HIPAA for why they won't exchange or release patient information.
It's no surprise that the recent hacker attacks against Anthem Inc. and Premera Blue Cross were hot topics at this year's HIMSS. Unfortunately, security experts at the show made it clear during educational sessions and one-on-one discussions that those attacks are just the tip of the iceberg of sophisticated external threats that the healthcare industry is facing.
Plenty of other healthcare organizations have also suffered significant breaches, whether carried out by external attackers or malicious insiders, or triggered by mistakes made by employees and business associates. Unfortunately, far too many organizations have yet to detect breaches that have already occurred.
The bottom line is that healthcare organizations need to ramp up their risk management programs to improve breach detection as well as prevention, moving well beyond a narrow focus on HIPAA compliance. "If we could just start eliminating some of the easy ways that attackers can get in, that more than anything will have the biggest impact," security expert Mac McMillan, CEO of CynergisTek, told me during an interview at HIMSS.
The Next Targets
But who will hackers be targeting next? In interviews at HIMSS, those singled out as potential targets were business associates - especially cloud vendors - self-insured firms, health information exchanges, and systems containing health data from consumer wearable devices.
"Hackers are bad guys, but they're good economists," Dan Berger, CEO of risk assessment consulting firm Redspin, told my colleague Howard Anderson during an interview at HIMSS15. "By that what I mean is it's all about a rate of return." As a result, hackers will target "large data stores of PHI" to maximize their ability to grab information that they can sell, he says.
Berger argues that larger business associates, which have access to huge amounts of patient information, as well as major self-insured companies that store health data on their employees, could be the next targets for hackers.
Meanwhile, McMillan predicts that health information exchange organizations also could be targeted because of the large amount of data they handle. And when it comes to consumer-generated health data that patients increasingly want to share with their providers, "we're moving fast in these technology areas, and we don't have all the privacy and security answers yet," McMillan told me.
So, now that we've reached the tipping point in digitizing health information for millions of patients across the country, sharing that data securely - and keeping it safe while it's at rest - will need to be a perpetual mission for healthcare organizations and their business associates. I just hope they're prepared to handle that mighty challenge, and that many more entities will make significant progress in protecting patient data before the next annual HIMSS conference rolls around.