The Department of Health and Human Services (HHS) recently announced the formation of the Health Care Industry Cybersecurity Task Force, a group charged with evaluating best practices on data security, which should spur greater investment by the healthcare community in cybersecurity. According to HHS, the number of health records compromised jumped from 13 million in 2014 to 113 million in 2015.
Until last year, the majority of data breaches were due to stolen or misplaced laptops or files accessed from within the building. This is still a problem (the 750,000 people who had records stolen this way last year would likely agree), but de minimis compared to the broader threat of hacking and phishing, in which a cybercriminal tricks someone into providing their electronic health record (EHR) login credentials. Ransomware is the newest variant: shutting down a hospital's systems and demanding a fee to restore them (two public incidents in the last three months).
Healthcare technology spending ranges from $40 billion to $50 billion in the U.S., but it has been concentrated in a limited number of EHR providers who, no doubt, treat security as an important feature of their offerings, but not the main one. Security itself should be among the next big waves; the need is there, and it is not going to get better on its own. The threat environment should create significant opportunity for managed security service providers (MSSPs) and security providers willing to take the plunge into the complicated world of healthcare, and the competitive landscape has not yet matured, as the top healthcare IT outsourcers and advisors are still focused on uptime and convenience. The fact that KLAS does not have an award for security services is an indicator of where the focus lies.
That said, selling into healthcare, particularly selling technology and services, is a complicated endeavor. First, buyers segment into payers and providers:
- Payers skew to the larger end of the enterprise spectrum. Given their size and constant need to transfer data you would expect greater sophistication, but some of the largest breaches have occurred at health plans in recent years.
- Hospitals—6,000 of them—have a wide range of size and expertise and even the major hospital chains may buy individually by branch, regardless of shared services or GPOs.
- Non-hospital providers, numbered in the hundreds of thousands, vary dramatically by scale and need. Groups and chains tend to move together.
In our experience, when you dig into decision processes and spending patterns, both payers and providers have distinct behaviors and can be segmented further. A deep understanding of the different segments brings a better ability to direct product development, sales, and marketing resources, and similarly to know which partners and channels give you the best chance of success.
For the payers, Stax's research shows that some should be nearing the end of their investment in enterprise data warehousing and integration, and they have a lot that they need to protect. They are also comfortable outsourcing large implementations to third-party providers, and the sales cycle is generally slow. All this points to the opportunity to choose your end target and your best partners along the way.
Providers have a much more complex challenge for three primary reasons: a broad range of user sophistication, broad user access, and a broader industry goal of more information sharing.
The broad range of user sophistication is the largest issue facing hospitals today. More so than in any other industry, access to large amounts of sensitive data is being put in the hands of many employees who, prior to this decade, were expected to have little technical sophistication and who are still in the process of learning new, often user-unfriendly, IT systems. Many of the recent provider breaches are the result of phishing scams in which employees are tricked into providing login information. The solution to this issue requires both IT departments and physicians to have the difficult discussions needed to flag which users are less savvy, and to work with those users so they understand the range of potential attacks and what to do in each instance.
Broad user access is not an issue that is going away any time soon, and therefore must be incrementally improved rather than eliminated. Provider IT departments must work closely with medical and HR departments to ensure that access is strictly limited to those who need it, and that users are only able to access the information required to do their job. Tiering of rights based on position, fingerprint or palm-print identity verification, and tightening the number of access points should be top of mind for providers.
Lastly, Stax's research shows that providers are interested in and investing in more remote services via telemedicine and more patient engagement, which means even more information bouncing between systems and more remote access. When enabling this new communication between physicians and patients and between systems, compliance should be top of mind for all parties. Providers must work to limit the amount of information accessible across platforms to only what is required, clarify which parties are responsible for maintaining which aspects of the data, and complete a full vetting of partner sophistication and access.