Can Security Be Solved?: Healthcare Challenge

By Matt Fisher, Esq.
Twitter: @matt_r_fisher
Host of Healthcare de Jure, #HCdeJure

Every day brings a new report of a security breach or other security-based problem within healthcare. The unceasing cycle of issues gives rise to the question of what healthcare can do, and is doing, about security and in particular cybersecurity. That question is front and center for many individuals within the industry and for those examining it. It was also the focus of a recent discussion I had with Stephen Cobb, a security industry veteran currently running a research team at ESET.

Mr. Cobb focuses his research on emerging security threats. Given his prior experience in the privacy realm, Mr. Cobb brings a somewhat different approach to security. As a setup, cybersecurity is not a new issue. Cybercrime has been on the rise for at least six years, which means it is becoming more complex and being carried out by more sophisticated actors. It is no longer a matter of the proverbial kid in the basement trying to hack into a system. Now, it could be nation states carrying out the attack. At the same time, healthcare went through a well-known push to implement electronic solutions. As such, there is a tremendous convergence of criminal activity and a system ripe for the picking.

That is a bit of a simplification, but Mr. Cobb broke down the concerns in healthcare into three dimensions. Those dimensions are (1) regulatory, (2) complexity, and (3) legacy systems.

From the regulatory perspective, the issues center around complying with HIPAA and becoming complacent as to what that means. HIPAA establishes a baseline for security measures and by no means is sufficient to fully (or adequately) protect against the current cybersecurity threats. From this angle, the regulatory requirements in healthcare set an artificial target for security, that, in many cases, is not even met. More must be done.

The complexity problem in healthcare is the reality that information in healthcare is unique from other industries. The financial or telecommunication industries, which went through these types of systems upgrades previously, have different sets of data. However, those data sets are fairly consistent from one organization to the next. In healthcare, rightly or wrongly, each provider seems to maintain their own records. Further, the information that constitutes the medical record spans many different areas of an individual’s life and is in a myriad of formats. On top of the data format, there is also the need to disseminate that data to many different places. Each of these elements creates a security risk, which in turn makes comprehensive security difficult.

Lastly, healthcare continues to employ many legacy systems. Mr. Cobb remarked that in some instances, systems can be so old that newer information technology or security personnel have never seen the technology and may not know how to use it. As such, Mr. Cobb remarked that healthcare may be one of the only industries where having knowledge of 20-plus-year-old systems could be viewed as a prerequisite.

After considering the dimensions that make security in healthcare difficult, there is also a talent shortage. Mr. Cobb referenced studies that found a shortage of skilled people worldwide who can fight cybercrime. It is not a healthcare problem, but an overall system problem. The rapid pace of cybercrime development means that right now the fight is almost all defensive. Hopefully, reinforcements, or just first-line defenders, will arise soon.

Right now there are no ready answers. However, it may be useful to look for solutions and assistance in different areas. For example, Mr. Cobb explained that an effective security-focused person may have a different psychological profile than the standard IT person. Traits of a good security person may include imagination, strong nerves and a touch of humility. Finding individuals with these traits could require looking in unexpected places.

The bottom line is that security is a major concern and one that will only continue to grow. As such, the question is: what will organizations do? Will they sit back and wait for a problem, or take the bull by the horns and seek to gain what control over the matter is possible? It is a soul-searching question, though honestly there is likely only one answer.

About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.