The expectation that healthcare IT departments can perform routine but constant security vigilance is unrealistic

March 13, 2015

We call it “protected” health information. But the reality is that breaches of our personal health data are on the rise, some of them breathtaking in scope.

The Anthem health insurance data breach reported in early February came right on the heels of the Community Health Systems breach, each exposing the personal health information of millions of customers.

Early reports linked the Anthem hack to state-sponsored cybercriminals from China, while according to the most widely discussed post-mortem, CHS was compromised through the well-known Heartbleed bug on an unprotected Juniper device. Sources later labeled it a sophisticated attack, also linked to China.

But whether a sophisticated attack or an embarrassing security failure, the “nemesis” here isn’t just the hacker. It’s the unrealistic expectation that healthcare IT departments can perform routine but constant security vigilance.

Incompatible Directions

The reality is that today’s internal IT professionals are pulled into two incompatible directions, although each is essential to the healthcare organization’s well-being. There’s the obvious need for security and privacy compliance, of course.

But healthcare IT professionals are also an essential component of healthcare delivery, often tasked with making sure providers have the critical information needed for patient care. And they’re very much responsible for leading mandated technology initiatives such as EHR implementation and transitioning to ICD-10.

It’s time for healthcare executives to take a hard look at what is being asked of these professionals. And then pose a question to themselves: In addition to their daily responsibilities, can IT staff realistically fend off every attack on the healthcare organization’s network…or is it time to call in reinforcements?

Even with the most experienced security professional on staff, many organizations lack the tools, defensive systems, monitors, dashboards and manpower to really know what’s going on in their networks at any given moment. It is also somewhat inexplicable that healthcare has arrived at the point where every practice is expected to have a well-staffed IT department able to comply with increasingly complex privacy requirements, from the unceasing updates to HIPAA, to the Omnibus Rule — which at last count, was almost 600 pages.

Potential Solution

An infinitely more reasonable solution is to move the organization’s data (and the workload for protecting it) to a cloud services provider with specific expertise in healthcare. Such a vendor will already have the experts and redundant security systems in place to protect health data at a much higher level. To identify such a cloud provider, look for the following:

  • HITRUST certification, to assure that data stays protected in accordance with the most rigorous federal, state and industry standards. HITRUST controls were purpose-designed for healthcare information security.
  • More time invested in employee security-awareness training than your own organization can devote.
  • Verifiable and extensive employee background checks.
  • Additional patient data privacy capabilities, such as the ability to de-identify patient-specific information.
  • An exclusive focus on health data management, with a proven record of customer successes.
  • Clear familiarity with which agencies have jurisdiction over healthcare data privacy, and with their respective rulings and laws.
  • Risk assessments to identify weak links in security.
  • Specific services to close the security gaps those assessments find.

Shared Risk

It should be noted that under the HITECH Act’s requirements for third-party “business associates” involved in managing patient data, cloud services providers actually have a legal obligation to keep patient information private and secure. Where the strongest provider will clearly emerge is in the “over and above” aspect of its Business Associate contracts. Such a provider will assume a majority of the shared risk should a data breach occur. Needless to say, few providers have the confidence to take this on, but it’s obviously important to find one who does.

Further, the provider will ensure constant monitoring of the practice’s entire cloud network infrastructure for any breach attempt. Judging by the frequently long stretches of time between a breach and its discovery, many organizations are unable to keep up with this sort of vigilant surveillance – which includes maintaining a constant watch over which employees enter the network and when.

In the highly regulated, highly defended environment of a top-tier cloud services provider, by contrast, all access can be restricted and documented right down to the user, application, and file, with unauthorized access attempts immediately detected.
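What “restricted and documented down to the user, application, and file” looks like in practice is a policy table plus an audit trail that is checked continuously rather than discovered months later. The following is an added Python example, not code from the article or from any cloud provider it describes: the policy table, the log format and the sample audit lines are all constructed for illustration, and a real deployment would read the audit trail of the EHR and access-control systems instead.

```python
# Added example: per-user / per-application / per-record access policy,
# checked against an audit log, with off-hours and detection-lag reporting.
# Policy, log format and sample lines are constructed; none come from the article.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed policy: which application each user may use, and which record
# prefixes that (user, application) pair is allowed to touch. Anything not
# listed is denied by default (least privilege).
POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("dr.alice", "ehr"): {"patient/ward7/"},
    ("nurse.bob", "ehr"): {"patient/ward7/"},
    ("billing.carol", "claims"): {"claims/"},
}

# Constructed sample audit lines: "<ISO timestamp> <user> <app> <action> <record>"
SAMPLE_LOG = """\
2015-03-13T09:02:11 dr.alice ehr read patient/ward7/1001
2015-03-13T09:05:40 nurse.bob ehr read patient/ward7/1002
2015-03-13T09:07:03 billing.carol claims read claims/2015-0341
2015-03-13T09:09:15 billing.carol ehr read patient/ward7/1001
2015-03-13T23:41:58 nurse.bob ehr read patient/ward3/2210
2015-03-13T23:42:10 unknown.user ehr read patient/ward7/1003
"""


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    app: str
    action: str
    record: str


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the constructed five-field audit format; reject malformed lines
    loudly rather than silently dropping evidence."""
    events = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"malformed audit line {lineno}: {line!r}")
        ts, user, app, action, record = parts
        events.append(AccessEvent(datetime.fromisoformat(ts), user, app, action, record))
    return events


def is_authorized(ev: AccessEvent) -> bool:
    """Deny unless the (user, app) pair exists and the record matches an allowed prefix."""
    allowed = POLICY.get((ev.user, ev.app))
    if allowed is None:
        return False
    return any(ev.record.startswith(prefix) for prefix in allowed)


def find_violations(events: List[AccessEvent]) -> List[AccessEvent]:
    """Every access the policy does not permit, in log order."""
    return [ev for ev in events if not is_authorized(ev)]


def off_hours(events: List[AccessEvent], start_hour: int = 7, end_hour: int = 19) -> List[AccessEvent]:
    """Accesses outside the (constructed) business window: who entered, and when."""
    return [ev for ev in events if ev.ts.hour < start_hour or ev.ts.hour >= end_hour]


def detection_lag(events: List[AccessEvent], now: datetime) -> Optional[timedelta]:
    """How long the earliest unauthorized access has gone unnoticed as of `now`.
    Returns None when there is nothing to detect."""
    violations = find_violations(events)
    if not violations:
        return None
    return now - min(ev.ts for ev in violations)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for v in find_violations(evs):
        print(f"UNAUTHORIZED {v.ts.isoformat()} {v.user} via {v.app} -> {v.record}")
    for o in off_hours(evs):
        print(f"OFF-HOURS    {o.ts.isoformat()} {o.user} via {o.app}")
    print("lag:", detection_lag(evs, datetime(2015, 3, 14, 9, 0, 0)))
```

The deny-by-default lookup is the part worth copying: an unknown user, an unexpected application, or a record outside the allowed prefix all fail the same check, and the lag calculation makes the “time to discovery” the article complains about a number you can put on a dashboard.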

Handing off data security to a cloud provider might initially be a tough decision for some. But given today’s threats, it’s one that will ultimately help more healthcare organizations breathe easier over their IT security.

Topics: Cloud Computing, Electronic Health Record (EHR), Privacy & Security, HITRUST, Health Information Technology for Economic and Clinical Health (HITECH) Act, Network Infrastructure

Originally published March 13, 2015 at HealthcareITNews.com: http://www.healthcareitnews.com/blog/it-security-time-call-reinforcements