Healthcare is under attack. Cyber criminals are targeting the industry for its lucrative, oftentimes unsecured data, at times leveraging patients’ lives in order to collect a rich payout. As a result, healthcare organizations must prepare themselves and fully understand their risks. Cyber security has to be one of the highest priorities today for IT departments, which must operate in a constantly changing threat landscape.
But all is not lost. Bill Virtue, Security Engineering Specialist with PC Connection, Inc., took time recently to speak with Health IT Outcomes about the current state of health IT security, the role mobility and the cloud are playing in it, what the future holds for health IT, and more.
Q: How would you describe the current state of healthcare IT security?
Virtue: Although Ransomware is getting top billing in the healthcare security market, it is important for providers to understand what other vulnerabilities their systems are exposed to, making a comprehensive vulnerability assessment critical. There are other security challenges such as Data Loss Prevention, a concern for anyone who maintains patient data, and Access Controls, which provide users with access to only the data they need. These are two areas that are still not fully implemented or difficult for providers to get their arms wrapped around.
Q: What unique challenges does the rise of mobility play in securing healthcare from hackers?
Virtue: Mobility is vital in healthcare and it continues to be a growing market. Healthcare providers should determine if the use of mobile devices is a good fit for their environment and understand the risks when implementing a mobile device strategy. They need to consider user security training with regard to HIPAA and accessing patient data via mobile devices. There is no shortage of Mobile Device Management (MDM) applications on the market that include a number of security features to help with this.
Mobility is all about having faster access to patient data by clinical staff. When a patient goes to a hospital, most of the wait time is consumed by processing patient health data. If that patient moves from the Emergency Room to Admissions for instance, that data must be available immediately. Having the data accessible to hospital staff helps decrease the wait time which provides the ability to assist more patients in less time. This ‘data accessibility’ from mobile devices can also provide immediate patient information for faster diagnosis.
Q: Has the path to the cloud been successfully navigated, or is there more to do?
Virtue: There is a lot more work to do with regard to housing patient data in the cloud. Most of the healthcare customers I talk to are concerned with the potential exposure of patient data in the cloud — including private clouds — encrypted or otherwise. Healthcare providers should ensure they can implement the same security policies required for Protected Healthcare Information (PHI) in the cloud as they have for on-prem solutions.
Q: What is being done to make Big Data more actionable in terms of providing better analytics?
Virtue: Analyzing healthcare data is more than just PHI. It requires not only patient data but can include data from University studies, Public Healthcare records, and other sources. The larger vendors are still at it with developing (or acquiring) technology for Big Data analytics. Although not exclusive to the Pharmaceutical market, I think most of this data is useful for those seeking a deeper understanding of clinical studies or used for healthcare forecasting but not for actionable decision making. Though it may provide some benefit at the patient level, it will reside in the data analytics market for some time to come — the data scientists are the only ones who truly understand it.
Q: How do you see health IT unfolding over the next decade and what does the industry need to do to meet the complex challenges that will undoubtedly come?
Virtue: A decade is a long ways away, certainly more mobile device usage and cloud applications. Having access to patient data from anywhere on any device will continue to be a service healthcare providers will want to implement. With that comes more security awareness training for users of those systems and more security policies for cloud-based apps.
Application Security Testing is another hot topic. The speed of application development outpaces the ability to test it for vulnerabilities so you will see more App Testing in the future. Healthcare IT workers will need to become aware of the requirement for user Security Training, Secure Application Development, and Application Security Testing.
Q: You work closely with Dell, which is establishing a presence in the healthcare space. Can you briefly outline Dell’s healthcare market?
Virtue: Dell has been a leader in the healthcare market for more than 20 years, is again ranked by Gartner as number one in Healthcare IT Services, and continues to invest in the healthcare industry. Michael Dell was a keynote speaker at HIMSS 2016 and committed to a continued focus on healthcare IT and products specifically suited for the healthcare space such as storage, security, networking, monitors, and mobile devices. For healthcare providers, Dell’s Cloud Clinical Archive houses over 11 billion medical images used by hospitals and medical providers that need access to medical archives.
Q: What troubles is HIPAA presenting in establishing and maintaining effective cloud computing and encryption/data archive solutions and what can be done to overcome those obstacles?
Virtue: There are a lot of moving parts to HIPAA, but in general the guidelines are well defined (at this point). The biggest challenges I see are awareness training for clinical staff and covered entities, as well as the ability to implement specific controls.
Cloud providers are defined as Business Associates and must adhere to the specified rules. Encryption is still considered an Addressable Implementation under HIPAA 164.12 although I think this is an obvious liability in many cases.
Q: How are Dell and PC Connection, Inc. helping protect data as it traverses the healthcare network?
Virtue: Specifics aside, Dell has a suite of solutions (Dell Data Protection – Enterprise Edition, Dell Data Protection – Mobile Edition, Advanced Threat Protection, End User Authentication, and Risk Detection) that deliver a comprehensive solution approach to HIPAA compliance. Coupled with the variety of IT services that PC Connection, Inc. has to offer, we provide in-depth expertise, savings, and outstanding service to customers. Many vendors don’t offer the breadth of products to address all of the areas outlined above — which makes Dell and PC Connection, Inc. an obvious choice for many of my healthcare customers.