What a difference a couple of weeks make….
On 1st March 2018, two over-arching issues stayed with me as I left Las Vegas and #HIMSS18: the central, recognized role of cybersecurity threats in healthcare, and the growing use of consumer-facing technologies for self-care and virtual care.
Eighteen days later, we all learned about Cambridge Analytica’s misuse of 50 million Americans’ social network data posted on Facebook.
We who work in healthcare must pose the questions: going forward, how willing will patients, consumers and caregivers be to share their personal health information (PHI)? Will people connect the dots between their Facebook lives – and their identities on social networks generally – and their personal health information, privacy and security?
These uncertainties have been on my mind since learning the news about the world’s largest social networking platform, which as of the fourth quarter of 2017, had over 2.2 billion active monthly accounts.
Here’s what we-know-we know about health care, privacy, and security: briefly,
• HIPAA covers patients’ PHI that is held by covered entities and shared with contracted business associates
• HIPAA does not cover patient-generated data that is created outside of those relationships, such as information that comes from wearable technologies and mobile apps outside of “healthcare” settings, or data posted on social networking platforms
• Health information is more highly valued by cyber-attackers because a stolen health record is worth more than, say, a consumer’s bank account or credit card identity
• Cyber-breaches are a new-normal in health care.
Note that the 2018 HIMSS Cybersecurity Survey found that nearly 76% of healthcare organizations had a significant security incident in the past twelve months. Over one-third of these incidents came from online scams such as phishing, 21% were caused by negligent insiders, and 20% by outside hackers.
On the inside, healthcare organizations cite the biggest barriers to remediating cybersecurity incidents as a lack of appropriate personnel (52%), a lack of financial resources (47%) and too many application vulnerabilities (29%), among other obstacles to successful mitigation and prevention.
Finally, 52% of healthcare organizations do security awareness training annually. Only 30% conduct such training on a monthly basis or more.
Most healthcare organizations intend to increase resources allocated to cybersecurity in 2018, according to the Center for Connected Medicine survey published in December 2017, shown in the second graphic from the report.
Looking to 2018, a study from Merlin and The Ponemon Institute forecasts that patient information will be even more at risk this year than last, as shown in the bar graph.
“Hospitals and payer organizations (healthcare organizations or HCOs) are facing constant, increasingly destructive cyber-attacks,” Merlin and Ponemon attest. Among the five industries they tracked, healthcare accounted for 1 in 4 total breaches in 2017, exposing over five million patient records.
The key takeaway, after all the talk and demos presented at #HIMSS18 about artificial intelligence and machine learning, population health and revenue cycle management best practices, is that consumers’ underlying, gut-level trust in the healthcare system is under siege by bad actors targeting both healthcare data and people’s social, retail, and financial information.
The healthcare industry must be mindful of this emerging consumer reality, allocating resources to cybersecurity defenses, staff education and awareness, and patient engagement to engender trust and faith in their providers’ data stewardship.
[For more on the Facebook/Cambridge Analytica story and patient trust, see my take published “the morning after,” here in the Health Populi blog].