Population health — an approach to healthcare that uses vast amounts of patient health data to inform care for specific groups of patients — has the potential to help providers improve patient outcomes and reduce utilization. However, collecting and storing the amount of patient data required to effectively manage populations puts hospitals at greater risk of security breaches.
This content is sponsored by CDW
Data breaches are a dark part of CIOs' reality today. These events carry several costs for an organization, with hospitals feeling dents to their finances, operations and reputations.
Perhaps most troubling is this: Insecure data is a serious patient safety concern and puts exposed individuals in harm's way. Will patients trust your organization for life or death decisions if you cannot keep their medical record safe?
To mitigate the risk of a data breach and its effects on patient safety, hospital CIOs and chief information security officers must work with key leaders in the organization to establish a set of comprehensive data security practices.
Securing population health data is challenging
To paint a holistic picture of a patient group, population health applications often extract data from beyond an individual hospital's four walls. Valuable data include medical claims, prescription adherence, social determinants of health and patient-generated health data.
As hospitals connect to more IT systems and acquire more information, traditional security approaches, such as "perimeter" security that focuses on guarding intrusions to a facility's network, are no longer sufficient.
"Where is the perimeter these days?" says Ryan Witt, managing director of healthcare industry practice at cybersecurity company Proofpoint. "Is it the hospital, the primary care physician's office, the pharmacy, the patient's home or the patient? Population health is going to result in more datasets and data feeds to manage and secure, which adds stress to a hospital's already highly-targeted security ecosystem."
Health IT leaders face additional security challenges amid growing interest in creating data lakes — centralized systems holding large amounts of raw data. Convenient access to these data repositories encourages clinical teams to draw upon and analyze information as needed, yet a lake also increases opportunities for cybercriminals to access large amounts of sensitive patient data. Hospitals often allow team members to access and add data to the lake over the internet, without overseeing the content of each individual dataset that is added. While this process accelerates a hospital's ability to create a comprehensive data lake, it increases its exposure to risk by leaving data unencrypted and without strict access control.
"A key component to extracting value from the data is being able to securely share the data with relevant stakeholders," says Steve Cotham, healthcare practice manager at Hewlett Packard Enterprise. "The formation of data lakes and need to securely share this data must be factored into hospital security policy."
As hospitals continue to aggregate more patient data, CIOs must be prepared to appropriately secure this valuable — and sensitive — information.
Dangers of inadequate data security
Healthcare breaches aren't a theoretical concern for hospitals aggregating databases of patient information — they are a punishing reality. There were 477 U.S. healthcare data breaches reported in 2017, up from 450 of these incidents reported in 2016, according to a recent Protenus report.
"A hospital's EHR 'bundles' a patient's personal, financial and medical data in a single location, making this industry, and the protected health information stored within, an attractive target for hackers," Mr. Cotham explains. "Unlike a credit card that can be cancelled with a single phone call, a patient's medical record lives on."
Of all industries, breaches in healthcare are particularly detrimental because they compromise patient safety alongside an organization's operations. In May 2017, a worldwide ransomware attack called WannaCry infected more than 200,000 computers in 150-plus countries. The U.K. National Health Service was one of the ransomware's most prominent victims, bringing down operations for at least 16 facilities. The ransomware locked NHS workers at out of IT systems, including patient files. The disruption led NHS to cancel routine operations and divert ambulances at some of its facilities.
"A data breach puts patients at risk, period," Mr. Witt says, noting hospitals that lose access to clinical systems are often forced to divert patient care. "Most hospitals place patient safety at the core of their mission, so how do hospitals meet their objectives when data breaches continue to plague the industry?"
Besides their operational and patient safety concerns, cyberattacks are also extremely costly. In fact, at $380 per capita, data breaches are most expensive in healthcare compared to other industries, according to a June 2017 Ponemon Institute report. By contrast, the overall mean of data breach cost per capita across industries was $141.
"Financial risk for the hospital varies depending on scope of data loss. However total cost can be very high," Mr. Cotham says. "Taking into account legal fees, loss of patients, damage to hospital brand, loss of staff, lost revenues due to operational down time and clinical impact, total financial loss can be millions."
4 steps to improve data security in the hospital setting
Collecting and securing large amounts of health information for population health management programs is a crucial yet difficult undertaking. CIOs and CISOs can lay the groundwork for future population health success by taking the following four steps to protect patient data.
1. Train staff. The first step to creating a secure data environment is raising awareness around common cyberattacks among all levels of the organization — from front-line staff to C-suite leadership.
"The biggest challenge with many healthcare providers is a lack of understanding of the risk they are faced with," Mr. Cotham says.
Leaders can arm their teams with security knowledge in several ways. For one, share information about emerging technical threats with IT and security teams. Second, provide routine security awareness training to physicians and administrative staff. This training should cover best practices to avoid phishing attempts and unauthorized access. Combined, these efforts empower the entire hospital team to do everything possible to protect patient data.
Leaders must also make data security a boardroom conversation if data security practices are ever going to improve in a meaningful, sustainable way, according to Mr. Cotham.
"Having wide involvement across the company will ensure that the approach to security can become a business enabler, rather than an inhibitor," he says. "With board-level awareness of the risks that the organization faces, it becomes easier to secure the necessary support and budget to build a holistic security program, which will in turn lead to a better chance of success."
2. Deploy technology. Staff training is an important foundational step, but forward-thinking hospital teams also look to accomplished technology manufacturers to support risk mitigation efforts.
"Hospitals will never be able to train their way out of the cybersecurity crosshairs, so there also must be a significant focus on technology expenditure, but the spending must shift to where the attack surface is most active — email systems. Currently, the vast majority of attacks come via email, yet the vast majority of info-security investment is not focused on protecting email systems," Mr. Witt says. Proofpoint, an enterprise security company, provides cloud-based solutions to help hospitals detect and block targeted attacks from cybercriminals, such as those deployed through email.
IT solutions and services companies like HPE are also able to help hospitals prevent, detect and recover from threats to sensitive patient data. HPE Pointnext, the company's IT services organization, works with hospitals to modernize their risk mitigation efforts and meet healthcare compliance mandates, for example.
The company's portfolio of storage and network solutions also has "built-in" security functions, such as its scalable data storage solution 3PAR StoreServ, which includes encryption for data at-rest, or its Aruba 360 Secure Fabric enterprise security framework, which offers hospital security teams visibility into wired and wireless networks.
3. Understand devices. Traditional firewalls — security systems that monitor incoming and outgoing network traffic — no longer sufficiently protect patient data, as more and more devices like printers and MRIs wirelessly connect to the hospital. A talented cybercriminal can use these access points to penetrate a hospital's network.
"Cybercriminals today continue to adapt, finding new ways to connect into hospital systems," Mr. Cotham says, noting the importance of security controls like anomaly detection, data encryption and network access control. "Another component to this is understanding the behavior of the device accessing the network."
Each device on a hospital's network must have a predefined role, which the security team continuously monitors and manages. "For example, a printer on the network accessing your internal financial systems is probably not normal behavior, and may indicate an escalating attack from within the network," Mr. Cotham explains.
4. Test systems. Once a hospital has successfully deployed appropriate security systems, IT teams can gain support from working with outside consulting firms to regularly run penetration tests and security assessments to identify potential vulnerabilities.
"Engage an industry leader and move forward with a security assessment," Mr. Cotham says. "The security assessment will help the healthcare provider understand both the strengths and challenges of their current approach to healthcare security, and provide a good basis to build a mature security framework upon."
A security assessment enables hospital leadership to evaluate the organization's cybersecurity readiness by ensuring devices are protected, network access is appropriately managed and IT systems are patched in a timely manner. The outside consulting firm can also educate staff and document security policies.
For Mr. Witt, a key metric when evaluating cybersecurity technologies is to test before you buy. "Vendor or analyst claims are fine, but it doesn't mean that the solution in question is the best fit for a given hospital's environment. Require vendors to provide a [proof of concept], and make sure the solution works as claimed on your systems, with your applications, using your workflow and solving for your use cases." he says.
Conclusion
Training staff at all levels of the organization, deploying highquality security technology, monitoring wired and wireless devices, and regularly testing IT systems comprise four key steps to improve data security in the hospital setting. As hospitals continue to gather valuable patient data to drive population health efforts, mastering these components will be increasingly important for hospitals to ensure patient safety and strong financial outcomes.