Cybersecurity Blog: The Cyber Scene is evolving, are you?


Healthcare payments will soon become outcome-based; that has been the message for 20 years. After all, paying for quality outcomes is an obvious step in our healthcare system's evolution. Until recently, however, it has been impossible to manage outcomes across the entire spectrum of healthcare settings. And the one thing the payment models of the 1990s showed is that when the technology and processes for managing care lack financing, tremendous value destruction occurs.

Through legislation, including the Affordable Care Act, the government provided adoption incentives for the technology needed to manage quality care. Hence, the adoption of Electronic Health Records (EHR) has exploded over the last seven years or so, giving rise to many new types of systems and products aimed at managing health outcomes.

But each EHR collects only a small portion of a patient's healthcare records: those of that one provider. While it has long been suggested that these systems connect together across providers to offer patients a seamless experience, the cost and risk have so far outweighed the incentives.

The world of population health seeks to change that. Driven largely by the Centers for Medicare & Medicaid Services (CMS), we are now seeing an uptake of outcome-based care, with individual providers paid based on cost trend lines and outcomes (although the outcome measures are still largely process measures rather than clinical outcomes). To fully inform the care process and care management resources, provider systems need to talk with each other to exchange data about patients. While this exchange of personal data is a boon for patient care, it is a potential nightmare for cybersecurity professionals if not done correctly: every new interface is a new place where patient data can leak or be tampered with. The diagram below shows the reach of a typical EHR and the attack vectors an adversary is likely to exploit.

[Diagram: EHR interfaces and likely attack vectors]

Because outcome-based care requires lots of data, the priority is to collect as much patient data as possible, specifically about patient care and outcomes, and to run retrospective or predictive analytical models in pursuit of best care. The hope of population health analytics is that the diagnosis comes faster. In the interim, a wealth of sensitive patient data is collected and shared. While some of the largest companies and governments may claim to support the kind of scale envisioned for population health, the reality is that they don't. Most operate under some notion of centralized control that doesn't exist in our healthcare world and likely won't in the future. Moreover, while companies like ADP and large banks interact with thousands of entities uploading highly sensitive financial data on millions of customers and employees, those transactions are highly structured. They are also the result of decades of experience building common interfaces, transaction sets, and protocols focused on a minimalist approach to data sharing (i.e., share only what is needed to complete the transaction).

The healthcare industry has 20 years of experience sharing data with insurance companies and not much else. Even then, few would call that experience "seamless," as the dominant insurance companies dictate how the data is provided, with a few niche software companies supplying the needed glue. The words "open" and "interoperable" were rarely used to describe those one-off solutions. So now we're talking about provider-to-provider data sharing with no one at the top of the heap dictating everything. And these exchanges are intended to share as much as possible to improve the likelihood of an accurate diagnosis and effective treatment. The result is far more data at risk of loss or theft, and far more parties who must protect it.

So how does one begin to tackle this daunting and multi-faceted problem? It hardly seems fair to dump it on the overworked, and often underpaid, primary care providers or the many small practices that most people still value. Larger hospitals are starting to get a grip on the problem, but most still have a long way to go. Ultimately, solving it requires a collaborative effort among hospitals, small and large practices, insurance companies, government agencies, and technology providers. And even then, it won't happen overnight. Cybersecurity will need constant vigilance and expertise.

At Leidos, we recommend the following:

  1. Start Small and Test, Test, Test – Much of this anticipated interaction among EHRs and related systems is unproven at any scale. The more connections there are, the more complexity and the more risk. Community hospitals can kick things off by inviting medical practices to participate in pilot programs that exchange patient data and work collaboratively to close the inevitable cybersecurity holes that arise. While the hospital should not dictate standards unilaterally, most practices will look to hospitals for leadership.
  2. Leverage a Strong Systems Integrator – While EHR vendors will claim their product is easy to use and integrate, the reality is that interoperability and security are often lower priorities than other EHR features. Holding a single systems integrator who knows healthcare, technology, and cybersecurity responsible for pulling all the pieces together across hospitals, practices, insurance companies, and other entities helps to reduce the complexity and competing priorities.
  3. Make Cybersecurity a Top Priority – While we hardly need to look far to justify cybersecurity's importance, the reality is that funding for these projects often considers cybersecurity only as an afterthought, when the project is nearly complete. Include cybersecurity professionals from the beginning and make them part of the design team that specifies requirements, including detailed procurement requirements. Cybersecurity also needs to be part of every interoperability and data exchange discussion. Product vendors will always claim cybersecurity is covered, but buyers need to verify that the vendors actually include it and commit, in the contract, to fixing later-discovered vulnerabilities in a timely manner.
  4. Implement a Robust Cybersecurity Monitoring Program – While small providers can't afford anything close to a full-time security operations center, the larger community can. Whether through a contracted managed security services provider or through shared resources, the population health community should follow through on its commitment to truly cover lives all the way down to the data describing those lives. Only through ongoing monitoring at all levels for malicious and anomalous activity, including the data exchange interfaces themselves, can there be any hope that cyberattacks will be stopped, or at least contained, in a timely manner.

Most importantly, all of these efforts will need to be done in full partnership with the care process and care management. A successful program requires open and collaborative discussions, firm commitments from all parties, adequate resources, and time to make it all happen. Once population health builds steam and data flows become more robust, time and resources may be in shorter supply. This process needs to start now.

Gib Sorebo is a Chief Cybersecurity Technologist for Leidos where he assists both government and private sector organizations in addressing cybersecurity risks as well as complying with legal and regulatory requirements. He has been working in the information technology industry for more than twenty years in both the public and private sector. In addition to federal and state governments, Gib has done security consulting in the financial services, health care, and energy sectors. He is currently responsible for coordinating cybersecurity activities in the energy sector company-wide. He recently co-authored a book on Smart Grid Security that was published in December 2011. He is also a frequent speaker at national security and utility conferences, such as the RSA Security Conference, FINRA Annual Conference, CSI Annual Conference, multiple oil & gas cybersecurity conferences, and the FIRST Annual Conference, where he has given talks on the Internet of Things, information security liability, Sarbanes-Oxley, E-Discovery, smart grid security, incident response, breach notification, and several other topics. Gib holds a law degree from the Catholic University of America, a Master’s Degree in Legislative Affairs from George Washington University, and a Bachelor’s Degree in Political Science from the University of Chicago.