The future of health IT security
It's not merely onerous government requirements for medical data, or the popularity of security-adverse mobile devices that make security so difficult. It's the need to give tiny medical offices – small, independent businesses, with typically no meaningful IT staff – full network access to all files, physical building access to its employees and privileges to change/add to that ultra-sensitive data.
But are there ways to truly make these accesses more secure and to do so in ways that will be not merely viable, but even profitable? Many industry insiders say there are, but only if participants agree to start taking security seriously.
Ask Jennings Aske, former chief information security officer for Partners HealthCare in Boston and today the CISO for Nuance Communications, what he sees as the biggest threat to healthcare IT security and he doesn't hesitate to point the finger at cloud servers and email. More precisely, he cites consumer-grade clouds and email services where security—especially for anything as sensitive as patient-specific medical data—barely qualifies as an afterthought.
"The security conscience of most practitioners is very weak," said Aske. "They don't know about the risks of using Dropbox or using Yahoo! mail or Gmail. My greatest concern is them using the cloud to store medical records. I know one clinician who backed up every patient record to a cloud drive."
There's little IT can do about doctors who perform such reckless moves, other than encouraging doctors to better understand security issues. "I would very much like to see medical schools adding this to their curriculum," Aske said.
Can IT be turned into a profit center?
Most agree that the weakest part of the healthcare security chain are those small independent medical offices, who need to have full hospital privileges. As long as those staffs engage in weak security practices, there's not much corporate can do to keep things safe and secure.
But what if hospital privileges came with IT requirements, forcing the independent offices to not only apply with a series of IT rules, but requiring them to use the services of an IT firm on a short pre-approved list?
Even better – or worse, depending on your perspective – what if those independent firms were required to contract with the hospital's internal IT services? In theory, that would address the security issue while adding revenue and profit to the corporate medical group.
Jeff Mongelli, chief executive officer of Acentic, a health IT compliance company, described the problem: That independent physician's office "may have connectivity to Cedars-Sinai through an encrypted VPN tunnel," he said. "But if his security is extremely lax, that's going to create a (cyberthief) gateway. He might have a 10-year-old consumer-grade firewall and anti-virus on his server that is way outdated. And on the weekend, his 11-year-old son sits at his desk and plays games, unintentionally downloading viruses."
Within the next few years, hospital groups will have no choice but to force an end to this situation, Mongelli said.
"Hospitals are going to have to demand higher levels of compliance out of the parties they are connected to, including laboratories, imaging centers and physicians," including the right to audit IT infrastructure, he said.
That might have to include unannounced inspections. "IT guys are lazy. As soon as they know somebody will be sniffing around what they are doing, they'll clean everything up," he said -- adding that if they're never sure when the inspection will happen, that might motivate ongoing vigilance.
The next stage, Mongelli argued, is the creation of a virtual IT staff at the hospital group that anyone who wants to connect to the network must pay for – something he dubbed "almost an inevitable evolution."
Even more frightening? It may not stop at hospital groups. "Insurance companies may come to the same conclusion," he said.
Aske said he applauded the thinking behind such requirements, but he questioned how practical and realistic such efforts would be.
"That's nice on paper, but the challenge is going to be implementing that," he said. "You see how slow healthcare organizations have been in implementing the broader healthcare exchanges? Why would security be any different?"
Who are you, really?
For pure security—and regulatory—reasons, expect to see a lot of focus on improved authentication systems. But also expect resistance from physician offices. The reason is an unintended consequence of efficiency demands.
Many physician offices, especially specialists, would rather avoid strict authentication, a tactic that could expose the practice of physicians letting staff members use the physician's login/password to process prescriptions, among other things.
"Although greatly discouraged, the practice of scribes, mid-levels and nurses placing orders and generating prescriptions under a provider login is an all too common occurrence," Mongelli said.
One big-picture fix would be to simply lobby to get more states to allow physicians -- or anyone they designate -- to process prescriptions and other medical orders, as long as the decisions are being made by the physician. Doctors would be able to delegate the key-entry, but not the decisions.
Under that scenario, nurses and other medical and administrative staff could log in as themselves. The liability would presumably stay with the doctor, however, if someone got an instruction wrong and ordered a prescription that harmed a patient. (The legal case would be more murky if the designee deliberately disobeyed a doctor's prescription instruction and harmed a patient.)
In the meantime, Mongelli argues that IT must insist on some quick fixes.
"With computerized order entry systems, those systems need to evolve to make it easier for the doctors to do it themselves," he said, adding that this problem may work itself out eventually. "Young doctors have a much easier time working with electronic documentation."
The 'absent-minded professor' problem
Physicians carrying mobile devices has greatly advanced hospital medical care, but it's also presented new and serious security threats. Living up to their absent-minded professor reputations, physicians often misplace the devices.
The risks associated with those misplaced mobile devices reads like a good news/bad news joke.
Good news: The health IT industry has generally been excellent at ensuring that as little data as possible is physically stored on the device, forcing almost all information to be wirelessly accessed from the network.
Bad news: That means that control of a device can potentially access far more information – anything stored on the connected servers.
Good news: Strong passwords will secure access to the network, meaning a thief would have a locked phone or tablet.
Bad news: Medical specialists tend to avoid strong passwords.
There's also another much worse security piece of bad news: The nature of mobile apps, with all of their interdependent parts, has opened a huge number of security problems, which have caught many large companies unaware. Starbucks' app stored all passwords in clear-text, meaning that a thief could find the password and use it. Walmart's mobile app also stored passwords (courtesy of how it implemented iTunes backup) as well as extensive geolocation history. Walgreens encouraged shoppers to take pictures of prescription labels -- and then those images were saved so anyone could see them, a serious violation of medical privacy. Delta Airlines properly encrypted passwords but it also saved its encryption key on the device -- in clear-text.
The key point with all of those large companies is that none of them knew about those mobile app security holes before outside security researchers told them, long after those apps were in wide circulation. Hospital groups are equally exposed. Even if the app passwords were encrypted, IT must make sure that the encryption keys are also protected.
This also means that a misplaced, lost or stolen mobile device must not only trigger an immediate remote wipe, but also an immediate change of any associated passwords.
That process doesn't start, though, until the device is reported lost, which itself relies on the physician noticing that the device is missing. A several-hour delay could be disastrous. One possibility is for physicians to carry a very small device (likely with an RFID tag) somewhere on their person (shirt pocket, for example) that would track the mobile device and digitally shout whenever it's more than XX feet from the device. That shout could be a text and E-mail to the doctor, an assistant plus someone in IT.
The rural network challenge
The approach of not storing data locally on mobile devices is fine in a hospital setting or the doctor's Wi-Fi-enabled offices. But in rural settings where Wi-Fi and over-the-air network access might be spotty, the argument can be made that much more data needs to stay resident on that mobile device, to help the physician do his/her medical magic.
Robert Zimmerman is the managing director for health information technology at QIP, a healthcare regulatory compliance company. Zimmerman's position is that the easiest and best route is minimalism. If a physician is visiting a patient, he or she should take the time to select only the files needed for that visit and store only those, he says. And then after that visit, delete the files.
"What is the real value to patient care? We have technologists trying to tell us to use technology for all of these decisions," Zimmerman said. "The IT people need to understand the true value proposition. There is a huge bias on data and big data. What's the quality of the data? (Doctors) are definitely bringing too much. Evaluate what you really need."
Zimmerman added that far too many people IT people don't fully understand HIPAA implications.
He also suggested that it's often acceptable to bring no sensitive medical files for a patient visit and to instead take extensive notes. Then compare those notes to the medical records a couple of hours later when the physician is either back in the office or at least is able to access the network.
"As a doctor, I am going to take the security risk," said Zimmerman. "What's the trade-off? Can I do without those files for an hour or two?"