
Mac McMillan: Time to Get Real About Data Breaches—While Also Celebrating Daily Victories

March 2, 2015
by Mark Hagland
Mac McMillan tells his audience that healthcare leaders need to implement better data security processes, while celebrating regular victories as well

At the CHIME-iHT2 Lead Forum on Data Security, being held March 2 at the Hyatt Fisherman’s Wharf in San Francisco, and co-sponsored by the College of Healthcare Information Management Executives (CHIME) and the Institute for Health Technology Transformation (iHT2, a sister organization to Healthcare Informatics under the two organizations’ umbrella parent, the Vendome Group, LLC), Mac McMillan, the CEO of the Austin, Tex.-based CynergisTek, offered a bracing yet carefully balanced portrait of the current landscape of data security in healthcare to an audience of healthcare IT executives.

Among other comments he made, McMillan, long a data security guru in healthcare, spoke out about the recent, massive data breach at Anthem Inc. “Per Anthem,” he said, “people were missing the point” in most comments on that breach. “There is not an organization on this planet that can keep from being hacked,” McMillan said bluntly. “All it takes is one mistake, one misconfiguration, one missed patch, etc., to create entrée to someone trying to get in the door. But what shouldn’t be so easy is to exploit the network once you’re in and to be able to move around and extract so much data,” he said. “It’s like if Mrs. McMillan and I are sitting in our living room and the Fifth Infantry marches through our living room, and we don’t notice. We may not be able to stop people from getting in, but we should be able to react once they get in.”


One of the key problems, McMillan told his audience, is that “We have become over-reliant on our systems. In any hospital today, over 90 percent of their processes are automated, and over 90 percent of their data is digitized. When I started in healthcare 15 years ago,” he noted, “the average number of people who looked at a record in an encounter was fewer than 50; today, that number is more than 150, and fewer than half are in the hospital or involved directly in care. It is amazing the number of people who are actually touching our data,” he added. “And the main risk is still from people on the inside—either making mistakes, or doing things deliberately.”

Per that, McMillan added that CEOs and other senior patient care organization executives need to allow their chief information security officers (CISOs) to share with them the blunt truth about the risks and issues they face in their organizations, and provide the support and resources needed to gain realistic control over their data security situations.

What are some of the current developments to be thinking about right now in the data security arena? As McMillan noted, “A survey last year found that 51 percent of CISOs said that they believed the negligent insider was their biggest threat, while 37 percent said security end-user training was ineffective. I think that number was low, actually,” he said, referring to perceptions of the effectiveness of end-user training. “In fact, most people in hospitals are still basing their training on compliance requirements rather than security requirements, which is a big mistake,” as compliance-based training is far too weak, he said.

Of course, even when adequate training is done, there will be individuals doing the wrong things, and catching them is not a simple process, McMillan noted. “Traditional data auditing methods aren’t going to catch a lot of this activity,” he said. “What we need is behavior modeling and pattern detection. When you look at people inside who breached any particular system, they often didn’t break any rules from a compliance perspective, but had a different behavioral pattern from everyone else. So instead of looking at 50 records a day like their colleague, the admitting person who is breaching patients’ records will have looked at 150 records a day, because they’re surfing, looking for information. And they get brazen over time,” he noted. “We’ve had three cases this year already” that his consulting firm was called on to address, “where they caught individuals who had been doing this for over seven years. And these hospitals implemented a privacy monitoring program and looked for patterns, and then they suddenly realized what was going on and caught them.”
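The peer-baseline pattern McMillan describes (a clerk touching 150 records a day against colleagues at 50, without breaking any access rule) can be expressed as a simple monitoring check. The following is an added illustration, not code from CynergisTek or from the article; the access-log rows, user names and the 2x-peer-median threshold are all constructed for the example.

```python
"""Peer-baseline detection of unusual record-access volume (constructed example)."""
from collections import defaultdict
from statistics import median


def build_constructed_log():
    """Constructed EHR access log as (date, user, role, record_id) tuples.
    Three admitting clerks touch ~50 distinct records a day; 'dave' touches 150.
    None of these users or records are real."""
    rows = []
    for day in range(1, 6):  # five working days
        date = f"2015-02-{22 + day:02d}"
        for user, per_day in (("alice", 48), ("bob", 52), ("carol", 50), ("dave", 150)):
            for i in range(per_day):
                rows.append((date, user, "admitting", f"p{day}{i:04d}"))
    return rows


def daily_distinct_records(rows):
    """Map (user, role) -> list of distinct-record counts, one entry per day."""
    per_day = defaultdict(set)
    for date, user, role, record_id in rows:
        per_day[(user, role, date)].add(record_id)
    counts = defaultdict(list)
    for (user, role, _date), records in per_day.items():
        counts[(user, role)].append(len(records))
    return counts


def flag_outliers(counts, factor=2.0):
    """Flag users whose typical (median) daily volume exceeds `factor` times
    the median of their role peers. No compliance rule is evaluated here; the
    signal is purely behavioural, which is the point of the talk. Returns
    {user: (user_median, peer_median)}."""
    by_role = defaultdict(dict)
    for (user, role), days in counts.items():
        by_role[role][user] = median(days)
    flagged = {}
    for role, users in by_role.items():
        peer_median = median(users.values())  # robust to the outlier itself
        for user, typical in users.items():
            if typical > factor * peer_median:
                flagged[user] = (typical, peer_median)
    return flagged


if __name__ == "__main__":
    for user, (typical, peers) in flag_outliers(daily_distinct_records(build_constructed_log())).items():
        print(f"review: {user} opens ~{typical} records/day; role peers ~{peers}")
```

A real privacy-monitoring program would baseline per role and per shift and review flagged users manually, since a high count is a prompt for investigation, not proof of wrongdoing.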

The reality, McMillan stressed, is that the breaching is only going to get worse over time, because of the value of the intellectual property in U.S. patient care data, and also because of the monetary value involved in hacking into individual patient records. But, he said, at the same time, “You can’t throw in the towel; we do have victories out there. And part of the problem is that we only talk about the problems.” Indeed, he noted, “Last week, in addition to dealing with the reporters, and asking my opinion about recent breaches, we also had two hospitals we work with, where my teams were able to help them avert a breach, because they detected what was going on early, were able to quickly isolate and eradicate the issue, and they were able to get back online within a few hours.”

It’s important for people to know, McMillan said, that “Those victories happen every day in healthcare, but we don’t talk about those. And we don’t celebrate the victories in healthcare IT. And we do need to talk about the things that go right. There’s still stuff going on out there, but when we have the right people and processes in place, it doesn’t have to end badly all the time. And I think we need to do a better job of that in healthcare IT security.”