by Darin Brannan
September 2017 – The 2009 HITECH Act ignited a profound shift in how providers document our health, taking us from paper-based charting to electronic health records in just a few short years. Although the success of the legislation’s original intention—to make the sharing of medical records infinitely easier—is still up for debate, another outcome has become crystal clear. Never before has our private medical information been so vulnerable to a public breach if not outright stolen. Worse, with the emergence of previously unheard-of crimes such as ransomware attacks, patients’ lives actually hang in the balance while the hospital scrambles to negotiate the release of its digital information.
If hospitals could have looked into the future to realize they would be expected to fight this ceaseless onslaught of cybercrime on their own, many would have outright refused to comply with the HITECH Act. Most providers simply aren’t equipped to stay ahead of cybercriminals and their increasingly sophisticated attacks. Yet the only response from government on this issue is a vague statement that it must do a better job at “sharing threat information.” Perhaps threat information sharing will help, albeit to a small degree. But given the federal government’s outsized role in digitizing our health records, a case can be made that it should do far more to help healthcare providers protect sensitive patient information.
Finance or enforce cybersecurity—a clear choice
The federal government routinely protects commercial industries from a vast range of crime. Look at agencies like the TSA and its presence in airports around the country. Or legislation like the Defend Trade Secrets Act, which enables significant expenditures of our federal judicial resources to track down and sue commercial trade secret thieves. Of course, these comparisons raise an obvious question: do we want the federal government actually in charge of protecting health information?
Well, let’s take an honest appraisal of the government’s own track record in preventing data breaches. The White House? Hacked. State Department? Hacked. The Department of Defense? Hacked. Some of these breaches have been truly astonishing in scope, like the theft of personal data of every person who had received a federal background check within the last 15 years, at least 21 million people.
Even federal healthcare entities have been unable to prevent breaches. Cybercrooks have hacked into Healthcare.gov, CMS, and the Veterans Administration, to name just a few. Moreover, even if the federal government had a stellar track record in protecting itself (and us) from breaches, giving it control of healthcare data security would involve centralizing our health information in some fashion. This would meet fierce—and most likely insurmountable—public and political resistance.
A far less controversial and more effective way would be for the federal government to fund, at least partially, the considerable time and money healthcare providers spend to protect patients’ health information. Rather than spend these resources on what is supposed to be their primary mission, delivering healthcare, providers are forced to divert them to building out internal IT security or, given the extreme shortage of IT security professionals, to commissioning third-party partners.
Perhaps it’s time for the federal government to step in with a “Meaningful Use of Cybersecurity” program—one with a much heavier emphasis on using incentives rather than punitive measures. In this scenario, government subsidies would fund a set of defined IT security efforts, just as it funded the implementation of EHRs. Interest-free loans are another possible mechanism, with the potential for healthcare organizations to “pay off” these loans by adhering to (and ideally, exceeding) HIPAA privacy and security requirements.
These are just two suggested options for the healthcare industry to consider should it decide to seriously advocate for effective government involvement in healthcare cybersecurity. This isn’t to count out sharing information about data breaches. But it would be far more effective for government to share not just information but the responsibility and financial burden of defending patients from these breaches.
About the Author
Darin Brannan is CEO of ClearDATA, a secure healthcare cloud platform and managed services company. More than 350,000 healthcare professionals trust the ClearDATA HIPAA-compliant cloud to safeguard their patient data and power their critical applications.
The ClearDATA managed cloud protects sensitive healthcare data using purpose-built DevOps automation, security safeguards and compliance expertise—backed by a comprehensive BAA. This ensures healthcare organizations, and the technology providers that support them, are adhering to the highest standards in privacy, security and compliance in the cloud.