Healthcare has metrics and indicators for just about everything – quality, patient experience, infection rates, clinician 5-star ratings, etc. Yet there currently is no metric or data on how secure a healthcare organization keeps their IT systems. There is no way for patients (or clinicians for that matter) to gauge how secure/insecure their organization is.
This week on HCLDR I want to explore cybersecurity, data security and its impact on patients.
The inspiration for this week’s chat comes from a recent story in Canada: eHealth files stolen in ransomware attack. Here’s the summary:
- On Jan 5th, Saskatchewan’s eHealth agency received a message asking for a bitcoin payment
- eHealth did not pay the attackers
- eHealth restored their files from a backup and was able to continue working
- An audit into the attack revealed that some files were sent to a suspicious IP address in Europe
- It is unclear what was in those files since they were locked by the attacker
[Background: eHealth Saskatchewan is an organization that is mandated by the Province to lead all IT services for the Saskatchewan Health Authority – the body that is responsible for healthcare for all citizens living in that Province. The agency collects, combines and stores the electronic medical records of all patients.]
“There were some files that did leave our organization and went to some suspicious IP addresses in Europe,” said Jim Hornell, CEO of eHealth. “At this point, we have no indication whatsoever that there was any personal health information of people on those files. But we can’t say with 100% certainty.”
According to the Breach Portal managed by the US Department of Health and Human Services, Office of Civil Rights, 39 million records were affected by breaches in 2019. That portal only represents the breaches of more than 500 records that were investigated by the Office for Civil Rights. The actual number of security incidents involving patient data is much higher.
There is no equivalent portal or centralized reporting of healthcare related data breaches in Canada.
With the growing threat and prevalence of cybersecurity incidents, I am a bit surprised that there is no coordinated effort to create a metric that rates the quality of a healthcare organization’s data security. We have the equivalent for patient safety and care quality. Why not security?
To be fair, there has been (and continues to be) a lot of debate on the validity of quality metrics, but even if they aren’t 100% accurate, the current metrics are consistent across all organizations and give an indication of relative quality. Could the same not be done for data security?
Perhaps a better question to ask would be whether the quality of an organization’s data security would factor into a patient’s decision to receive care from that organization. Quality metrics have been around for a while yet I wonder how many people look those up when they are considering where to get their care.
Personally, I believe that we would be dismayed (initially) at what a standardized security metric would show. Data security is something a lot of organizations claim to prioritize, but when it comes to budgeting, data security is not a top area of investment. Want proof? Just ask any healthcare organization how many people are 100% dedicated to data security. I’m going to bet it’s less than 2% who would answer yes.
Healthcare should look no further than the financial industry for inspiration. Financial institutions are not immune to cybersecurity incidents, but they do have processes, technology and people in place in the event an incident occurs. They immediately lock down accounts, monitor for suspicious activity on those accounts, help customers get new credit cards, etc. Healthcare should have the equivalent.
When your financial information is breached, stolen or compromised, there are certain actions we as individuals can take. We can cancel credit cards, get new bank accounts, and contact credit agencies to put alerts on our files. There is no such equivalent when our health information is breached.
It is not possible for us to request new patient IDs from every single healthcare organization we have seen (or even find out which organizations have records on us for that matter). Nor is there a central agency for patients to contact where an alert can be put on their file to prevent fraudsters from using the stolen information. The lack of a healthcare equivalent of a credit rating service also means that there is no central place where healthcare organizations can go to validate if someone’s health records were breached.
Perhaps it is the pessimist in me, but I feel that it’s only a matter of time before we all experience a health data breach. I just hope that when it does happen, there will be more resources available to victims than simply “credit monitoring services”.
Join us this week on #hcldr as we tackle the topic of health data security, not from a technical standpoint, but from the perspective of patients and clinicians. It all happens Tuesday February 11th at 8:30pm ET (for your local time click here):
- T1 If you had your medical record breached, what would you like to see happen in terms of notification, recovery & compensation?
- T2 If healthcare organizations had a published security rating, where would it rank in your consideration of where to receive care or work as a clinician?
- T3 Who ultimately should be held accountable for a healthcare data breach? Head of IT? CEO? Individual that clicked the questionable link to allow the virus in?
- T4 Relative to other priority areas like patient experience, patient safety, access-to-care, clinician burnout, etc. where does data security fall?
Djuric, Mickey. “eHealth files stolen in ransomware attack”, Global News, 7 February 2020, https://globalnews.ca/news/6523229/ehealth-files-stolen-in-ransomware-attack/, accessed 9 February 2020
Westman, Nicole. “Health Care’s Huge Cybersecurity Problem”, The Verge, 4 April 2019, https://www.theverge.com/2019/4/4/18293817/cybersecurity-hospitals-health-care-scan-simulation, accessed 9 February 2020
“Challenges in Healthcare Cybersecurity”, Association for Executives in Healthcare Information Security, 9 January 2019, https://aehis.org/challenges-in-healthcare-cybersecurity/, accessed 9 February 2020
Riggi, John. “The importance of cybersecurity in protecting patient safety”, AHA, https://www.aha.org/center/emerging-issues/cybersecurity-and-risk-advisory-services/importance-cybersecurity-protecting-patient-safety, accessed 9 February 2020
“Cyber Safety is Patient Safety: The Importance of Healthcare Cybersecurity”, Voices of HHS, 29 October 2019, https://www.hhs.gov/podcasts/voices-of-hhs/importance-of-healthcare-cybersecurity.html, accessed 9 February 2020
“A Lifeline: Patient Safety & Cybersecurity”, HIMSS, 9 December 2019, https://www.himss.org/sites/hde/files/media/file/2019/12/09/a-life-line-patient-safety-cybersecurity.pdf, accessed 9 February 2020
Garrity, Mackenzie. “10 largest data breaches of 2019”, Beckers Hospital Review, 31 December 2019, https://www.beckershospitalreview.com/cybersecurity/10-largest-data-breaches-of-2019.html, accessed 9 February 2020
Breach Portal, US Department of Health and Human Services – Office for Civil Rights, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf, accessed 9 February2020
Landi, Heather. “32M patient records breached in 2019. That’s double all of 2018, Protenus reports”, Fierce Healthcare, 6 August 2019, https://www.fiercehealthcare.com/tech/32m-patient-records-breach-2019-double-all-2018-protenus-reports, accessed 9 February2020
Steger, Andrew. “What Happens to Stolen Healthcare Data?”, HealthTech Magazine, 30 October 2019, https://healthtechmagazine.net/article/2019/10/what-happens-stolen-healthcare-data-perfcon, accessed 9 February2020
Garrity, Mackenzie. “5% of hospital IT budgets go to cybersecurity despite 82% of hospitals reporting breaches”, Beckers Health IT & CIO Report, 12 March 2019, https://www.beckershospitalreview.com/cybersecurity/5-of-hospital-it-budgets-go-to-cybersecurity-despite-82-of-hospitals-reporting-breaches.html, accessed 9 February 2020