Guest Column | March 26, 2018

Why Innovative Health IT Designs Must Consider Security First

By Perry Price, CEO and Co-founder of Revation Systems


Thanks to advancements in patient-provider communications and mobile capabilities, today’s digitally inclined patients are already using technology to transform their medical care experience — and the expectation around ease-of-interaction will only continue to rise from here.

As proof of telehealth’s growing impact, the 2017 Consumer Telehealth Index Survey reported that 50 million U.S. consumers would switch medical providers based on whether their doctor offered telehealth or not. Compared to just 17 million in 2015, this staggering jump illustrates the powerful role health IT already has on the direction of the industry.

While recent innovations provide a strong promise of improving the healthcare system, telehealth’s amazing potential does not come without risk. Perhaps the most significant of which is the security of patient information.

While telehealth solutions have many obvious advantages, such as expanding access to quality care, private data has the potential for exposure any time it’s circulated electronically — which, for telehealth, is always. For instance, consider the following scenario:

John is being treated for a life-threatening illness. He communicates with his doctor about the status of his condition via email every week since his provider is remote. During the course of these interactions, John’s unsecured email is hacked and his identity is stolen based on the sensitive information contained in those notes between him and his doctor. Although John can receive quality care from a specialist located thousands of miles away in ways that didn’t exist two decades ago, his protected health information (PHI) and his identity are also put at risk in previously unimaginable ways.

Scenarios like John’s are (unfortunately) all too common today and illustrate a stark need for the highest level of security in groundbreaking healthcare innovation.

In order to ensure that these digital solutions maintain proper levels of security for sensitive patient data, they must be designed with security in mind first — not added on as a final precaution.

Shed The Illusion That Protection Occurs At The Border

Most legacy IT systems were built on the concept that security is provided at the borders — either at the firewall level or by monitoring access to computers. However, as health IT designs continue to support large quantities of data in the cloud, it’s no longer enough to rely on protective measures that occur after the initial design phase. Although many improvements have been made to legacy IT systems (namely, the creation of virtual private networks), the risk of an attack has become too great to rely solely on the border protection of data.

Highlighting the severity of this risk, the HIPAA Journal found in its report on the Largest Healthcare Data Breaches of 2017 that more than 14.6 million individuals were impacted last year alone. As a result, telehealth solutions today must have security at their very core, from inception to the building process. Healthcare IT departments can no longer assume that security efforts occurring post-design of the solution can guarantee the safety of patient data.

By designing applications that are built with security inherently at the core, authentication of all end points and encryption of all content or media is handled at the application layer — both in transit and at rest. Access to data is controlled with detailed audit trails for any type of access, whether it be user, customer, vendor or even IT administrator. In today’s security ecosystem, telehealth solutions require controlled access at the physical, network and applications layers to ensure the complete protection of sensitive patient data.

Protection From The Inside Out

Organizations now have an increasing need to protect themselves not only from hackers outside of the organization, but also themselves internally — as “insiders” can pose as much of a security threat as “outsiders.” A 2017 HIMSS Analytics study, for example, reported that 78 percent of respondents identified employee security awareness/culture as the biggest concern in terms of security threat exposure.

Insiders (i.e., employees, vendors and others who may have access to sensitive data) have a level of access that needs to be controlled and monitored. Without protection guarding those on the inside with access to protected health information (PHI), organizations can find themselves just as exposed to a security breach as they would without protecting data from outsiders.

For example, many organizations today have Bring Your Own Device (BYOD) policies for employees. While these policies provide a flexible workplace, they also introduce a new level of risk to an organization. Security must be considered in these scenarios to prevent employee error or negligence contributing to a security breach. Proper and consistent education and training for employees on security matters is key to minimizing this risk.

While the current digital transformation has produced wonderful innovations in the health IT space, the need for security to be at the heart of the design of these solutions is crucial. By shedding the assumption that protection of data will happen at the borders of a business, and taking measures to protect it from the inside out, IT departments of healthcare organizations can better safeguard patient populations against a security breach.

Health IT needs to continue to innovate beyond current boundaries for the sake of its patients, but innovation must always be built with the patients’ cybersecurity in mind first — otherwise the technology will ultimately do more harm than good.

About The Author

Perry Price is CEO/president of Revation Systems. In this role, Price builds and grows the customer base, recruits qualified talent, and streamlines internal operations. Price utilizes his deep domain expertise in IP networking and communication applications, including telephony, unified communications, call-center technologies, and messaging.