It’s difficult to read the news today without seeing something about an information security breach. Whether it happened at the consumer level, the commercial level or within our own healthcare provider space, the volume of news about security attacks and how to prevent them is currently overwhelming.
During the last several months, in fact, terms like phishing and ransomware have become household words. Many people know someone who has been impacted by one, the other or both.
Two issues complicate securing the healthcare provider enterprise. The first is that organizations must strike the right balance between security and access. This is particularly relevant within the clinical community. While it would be possible to lock down healthcare applications further, the bottom line is that clinicians need to be able to deliver patient care in a fast-paced, dynamic environment. Finding the balance that matches the actual threats and stays aligned with the organization’s risk tolerance is paramount.
The second is the user community itself. In most organizations, users are both the first and the last line of defense. While the threat landscape continues to grow and become more sophisticated, the tools for battling the black hats are also maturing. Healthcare providers are spending more money on information security professionals and investing in additional tools, but users remain the most likely point of compromise.
Indeed, it only takes one employee, acting maliciously or by accident, to click on the wrong link or open the wrong web page to start a chain of events that ends in an information security breach.
So what does this mean for the future of information security in healthcare? I think there are several trends that will change this landscape over the next several years and make it easier to manage information security risk in the healthcare provider space:
1. The move to more cloud-based information security tools. More and more information security tools will move to the cloud. This will allow the tools to be updated more dynamically, so that signatures and detection logic for newly discovered (zero-day) malware reach every customer at once instead of waiting on each organization’s own update cycle. This move to the cloud should ultimately make it more economical to make these tools available to all healthcare providers, large and small.
2. More effective collaboration and information sharing. This kind of threat-intelligence sharing is starting to happen now, but it will become routine for healthcare providers. The ability to share information about zero-day attacks quickly and crisply will help healthcare providers stay slightly ahead of the curve. Sharing cybersecurity information will eventually extend beyond healthcare providers, since the same vulnerabilities and the same risk landscape are shared with organizations outside healthcare.
3. Additional focus on educating the end-user community about the risks and their role in prevention. Much like the “if you see something, say something” approach to airport and transit security, we will need to make our employees our eyes and ears. As they become more aware of their role and of what to do when they see something that does not look right, healthcare providers can begin to avoid costly information security breaches. This education and awareness will also help employees be more effective and “safe” consumers, at home and while mobile, in this digital age.
And then there’s the generational issue that may ultimately change the way healthcare providers battle information security risk in the more distant future: younger people are much more comfortable being transparent about their personal lives. Whether it is tweeting about where they are and what they are doing or snapchatting from a hospital room, this generation seems more comfortable sharing information. Ultimately, this may shift the paradigm so that fewer things need to be addressed with privacy and security controls, although the regulatory obligations around patient records will not change simply because patients choose to share more themselves.
Another factor that could be a game changer in terms of dedicating significant financial and personnel resources to securing patient information is the large number of breaches being reported.
What happens in a future scenario where these events have resulted in most of the country’s patient records being breached at one point or another? At that point, do we begin to look at securing patient information differently?
Only time will tell.
John Donohue is Associate CIO of Technology and Infrastructure at Penn Medicine.