
With So Much Investment in EHRs and Data, Why Has Data Security Lagged So Far Behind?

August 2, 2016

In the past several years, billions of dollars have been invested in health IT and digital health, including dollars spent by healthcare organizations investing in electronic health record (EHR) systems, taxpayer dollars from government incentives and private investments by venture capital firms into digital health technologies. And all of this investment in health IT and digital health comes down to one thing—healthcare data.

As most healthcare organizations and providers are now adopting EHRs and other health IT tools, the main goal is to digitize health data, taking it from the traditional pen and paper to electronic files, to bring healthcare into the digital world. And by digitizing health data, healthcare organizations can then more efficiently collect it, store it, share it across organizations and analyze it to drive more efficiency and better outcomes.

However, according to seed fund and startup accelerator Rock Health in its digital health funding report for 2015, the top six digital health categories, accounting for 50 percent of all funding, did not include data security or cybersecurity. The top six categories were healthcare consumer engagement; wearables and biosensing; personal health tools and tracking; payer administration; telemedicine; and care coordination, Rock Health reported.

These issues came up during a recent round-table discussion and press event I attended that was focused on cybersecurity and healthcare. During the discussion, executive leaders at healthcare delivery organizations and in the digital health space discussed the cyber threats facing the healthcare industry, and the need for digital health companies and healthcare organizations to step up their focus and investment in data security. The round-table discussion took place in San Francisco and was sponsored by Merck Global Health Innovation, Merck’s venture capital group; Aventura, a situational awareness technology vendor; and ClearData, a cloud computing vendor, with the aim of giving a market perspective about cybersecurity in the healthcare space.

Joel Krikston, managing director of Merck GHI, provided what I found to be very insightful food for thought about the ongoing digitization of healthcare, and the very real risks and potential business impacts of cyber threats and data breaches.

According to Krikston, in the past two and a half years, VC firms have invested $15 billion in digital health. “I’ve been in digital health panels with Verizon, Samsung, Honeywell, Lockheed Martin, so the list of people who are in healthcare all the sudden has grown dramatically. And what’s happened is there is an excitement and palpable belief, at least on behalf of private markets, that the time has finally come for the convergence of mobile technologies, digitization of healthcare and activated consumers. And, these macro trends have formed this perfect storm that there is a future state of healthcare that everyone is playing for and the foundational asset is data,” he said.

“So data has existed in healthcare, that’s not new, it has existed on paper, in file cabinets, where it has not been accessible or shareable,” Krikston noted. “The big dream going forward, whether it’s population health or patient engagement, or buzzwords like care coordination, is that we’re going to be able to take that data and share it with each other, running analytics on it and we’re going to make it appear in real-time at physicians’ and nurses’ workstations and the point of care. We’re going to get patients to self-report data that they’ve never self-reported before, and we’re going to be able to glean all of these insights into what is happening in healthcare delivery. We’re going to get clinicians to follow evidence-based protocol, get patients to take their drugs, and all because we have the data to inform decisions.”

However, Krikston asserted that the market has significantly underinvested in security as well as in workflow solutions to enable security technology to integrate with providers’ workflow.

“My fear is that we’ve just seen the tip of the iceberg when it comes to healthcare security breaches,” he said, also noting that even bigger healthcare security breaches could cause “a ripple effect throughout the healthcare market.”

“All of the [Centers for Medicare & Medicaid Services] initiatives, government reform, MACRA, and the other buzzwords to drive quality improvement, all of that could stop in its tracks, until CIOs and CEOs of hospital systems figure out what healthcare data security actually is,” he said.

And speaking from a venture capital perspective, Krikston says his organization is more closely scrutinizing digital health startups’ efforts with regard to security, compliance and controls. “I think due diligence for most investors on HIPAA issues is that they will ask companies, ‘Are you HIPAA compliant?’ and if the company says yes, then they move on to the next thing on the diligence checklist. We’re not doing that anymore.”

And, with $15 billion going into the digital health market in the past two and a half years, Krikston referred to healthcare data security as the “elephant in the room that nobody is talking about.” “So that’s why we’re getting together here to share ideas and talk about it,” he said, referring to the round-table discussion, which included people on the “front lines” of healthcare security, such as health IT executives at large health systems and a CIO of a small Kansas-based health system.

John Gobron, CEO of Aventura, agreed during the discussion that the healthcare industry is coming to the game late with regard to data security.