Data security continues to ramp up as a key strategic and tactical issue for healthcare IT leaders across Canada, a panel of industry experts agreed, on Sep. 21, during the first day of the Health IT Summit in Toronto, sponsored by the Institute for Health Technology Transformation (iHT2—a sister organization to Healthcare Informatics under the Vendome Group corporate umbrella), and being held at the Omni King Edward Hotel in downtown Toronto.
The panel discussion was led by Shirley Fenton, vice president and director of the National Institutes of Health Informatics (NIHI—based in Waterloo, Ont.), who is one of the three co-chairs of the Health IT Summit in Toronto. Joining her on the panel were Brendan Seaton, president of the Mississauga, Ont.-based ITAC Health (the Information Technology Association of Canada, Canada’s national healthcare IT vendor association), Alyssa Daku, vice president of strategy, quality, and risk management, at eHealth Saskatchewan (Regina), and Geoff Besko, managing director and enterprise architect at Hilltop Business Solutions (Winnipeg).
Shirley Fenton began the discussion by asking, “How are people’s attitudes towards privacy and security changing now?” ITAC Health’s Seaton said, “A lot of surveys have been funded by Canada’s Health Infoway, and it’s pretty much an axiom that there is significant demand for digital health solutions among the public. However, privacy and security do top the list of consumer concerns. That’s sort of where we are,” he said.
“There is the privacy paradox” in this context, Seaton continued. “All of these surveys in Canada and the U.S. find that privacy and security are top of mind for people and users of information systems. But the paradox is that our behavior doesn’t match. We use easy passwords, we stick our information on post-it notes; and so that’s a real paradox that we information professionals are constantly struggling with. The second thing,” he said, “is the millennial divide. The people who set up these protocols largely are of an older generation. We’re now dealing with a whole generation of people who were weaned on information technology, and who have a very different notion of privacy and security. I’m not saying whether it’s good or bad; it’s just something we need to pay attention to. The third phenomenon is that consumers are taking control. You go to the commercial pharmacy, and they’ve got a nurse practitioner, a pharmacist, a dietician. It’s changing things.”
“I have to agree,” Fenton said. “There seems to be a dichotomy between, I want to share my information, but don’t let it get out to people I don’t want it to get out to. What do you see, in that regard, Alyssa?”
eHealth Saskatchewan’s Daku said, “A few years ago, patient masking was considered to be an enhancement; now it’s an expectation—an expectation that we can control who sees patient information. But there’s also this expectation that my provider can use information easily to support patient care. In Saskatchewan, we have patients who are going to Edmonton or Calgary, and those patients have the expectation that a provider can safely and appropriately access their information in another province. And I don’t think that that’s unreasonable for them to expect that, given the technology. But it does place expectations on us as IT professionals.”
“What does all this mean, in terms of providing services?” Fenton asked her fellow panelists. “We work with organizations across the country, and one of the things we’re seeing is the whole phenomenon of consumer health,” Seaton said. “So every jurisdiction is waking up to the fact that consumers are taking charge of their own health, and the technology industry is cranking up big-time for that. Probably what started this whole thing was the advent of the smartphone. That is many consumers’ entry way to healthcare. And the applications being developed by hundreds, if not thousands, of small start-up companies—all of that is driving a sea change in how we’re having to look at the whole healthcare system.”
Meanwhile, Besko said, “The data breaches are becoming very critical. The focus had been around insider threats. But now, phishing attacks and ransomware issues are accelerating quite dramatically. Here’s a recent statistic I got from Symantec,” he said: “the number of ransomware attacks has increased by 300 percent per day in the first quarter of this year—all of that is problematic. And in U.S. healthcare, the number of directed attacks—just the top 10 breaches last year, 111 million records were compromised.”
What’s more, Besko noted, “With the number of medical devices now being attached to medical devices, as well as wearable devices, you’re seeing a greater extent of vulnerability now. And we’ve seen scenarios in other industries where organizations have been compromised by the addition of these data entry points,” he said. “So we have to think about how the connected medical device affects all this. A lot of these things are changing the risk profile. These things are required by and are demanded by consumers and providers, and as security professionals, we have to figure out how to address the challenge.”
“Yes, there certainly are concerns,” Fenton said. “I’ve heard of where a baby monitor was hacked, and the hacker was speaking to the parents through the baby monitor. So this is really scary stuff. Alyssa, how do you see this?”
“I think the perspective has changed on health data itself, on seeing it as an actual asset,” Daku said. “We had all these pieces of data like lab tests, etc., and then needed data managers to manage all the information. And now we’re starting to see things as data assets, and the need to protect data assets, not only in the context of the provision of care, but with the realization that those data assets have monetary value, including to hackers and on the black market.”
“Brendan, how do you see the security risk involved?” Fenton asked. “Well, the whole technology world has changed in the last few years, with the advent of cloud computing, mobile computing, and the Internet of things,” Seaton replied. “One good thing is that commercial cloud computing vendors have technologies that small providers never did, so that will actually increase security. However,” he said, “with the advent of the health app marketplace, where the apps will start really adding value is when they integrate into clinical information systems, so that lab values, for example, can be seen easily by consumers. However, unless security can be built into these systems, these backdoor systems will end up providing front-door entry to hackers and bad actors. And unfortunately,” he said, “the evidence currently with the Internet of things, is that the front-end security is very, very weak, and is very vulnerable to attack. So those are the things that keep me awake at night. Insecure apps and the Internet of things, keep me awake at night.”
Besko reminded the audience of the contrast between the stealing of credit cards and credit information, and the hacking of protected health information (PHI) in the healthcare context. “A credit card on the black market goes for $1-2, but a health record goes for $10-20,” he noted. “And some people in Canada think that this is a U.S. problem, but the primary reason to steal a record is for identity theft. And it’s more valuable than a credit card, because I can cancel a credit card and start over again. But the medical record includes birth certificates, identity numbers. So I wanted to highlight that, because sometimes, there’s naiveté around that in Canadian healthcare.”
“There’s been a rise in malware,” Fenton noted. “Do they actually take or steal the data, not just block it off?” she asked. “Yes, malware can actually be used to siphon off data,” Besko affirmed. “Malware can be used on a machine to start sending data back to a home system, and to create greater breaches. And you can have situations where devices are being compromised. And situations with ransomware, where systems are actually being held hostage. The data breaches in healthcare are primarily focused on siphoning off information. So with a phishing attack, the first step is that they use that attack to steal credentials and create greater access.”
Working out solutions to managing malware and other challenges
When it comes to fighting back against malware and other challenges, “It seems to me we’re always trying to catch up,” Fenton told her fellow panelists. “So how can we get around this?”
“With our organization, one of the approaches we’ve taken is more of an integrated, enterprise risk management approach,” said eHealth Saskatchewan’s Daku. “So it’s not just about that technical protection when it comes to how we’re protecting that health information; it’s about embedding the privacy impact assessment into our design and processes. So for example, one of the projects I’ve been involved in in the last year has been related to patient portals, and to patients provisioning their access to data.”
In that regard, she said, “What is important is patient care organizations educating their patients and educating their staffs. Our best protection is to have our staff informed and educated, and knowing what to look for. A big feature for us has been focusing on the auditing and monitoring capabilities of our systems. And we are one of the enablers of technology adoption in our product. And we are an enabler, because our providers feel confident that they can access information in a safe and secure way.”
Daku shared a story regarding something that had happened between eHealth Saskatchewan and provider organizations in the province. “We had a situation where we were rolling out our provincial health record to local care centers,” she said. “And people weren’t really comfortable adopting that tool within their regions, without some kind of process for auditing the use of that particular tool. As soon as we were able to provide them with real-time auditing that they could implement themselves, that really changed the conversation,” she noted. “So for us, it’s about that integrated risk approach, using that multi-pronged approach—seeing a strange or abnormal use of data. And the challenge will be how we can engage the patients as well.”
“So it’s quite a holistic approach that you take?” Fenton asked. “Yes,” Daku said. “And as that becomes so critical to patient care and patient safety, we become more enablers, the people who figure out how to do it, not the roadblock that says you can’t do it. And it’s not just about one channel for security or for privacy. It’s about the governance. It’s an integrated task team that helps us better manage processes.”
“I agree, taking an integrated approach is very important,” Besko offered. “In addition, one important thing is—everybody’s heard about privacy by design, but I wanted to stress that we need to think about things in terms of layers of defense and controls. So, one aspect is defense in depth, and taking an integrated approach. You’re in a system with different institutional boundaries, but we need to maintain a similar security posture that requires a degree of consistency and application of practices and controls, to make sure we’re not the weak link in the system. Focusing on points in the system doesn’t work; we need to plan programmatically for this, and system-wide.”
Getting on top of things from a management perspective
“Brendan, how would you direct a healthcare organization to get on top of system management?” Fenton asked. “I agree with the concept of privacy by design,” he said. “The whole notion of privacy by design sets a framework so that people developing, building and implementing and operating systems, can make sure systems are protected. And we’re starting to see privacy design moving into international systems, as in Europe, where they’re moving forward to demonstrate that they’re providing privacy within the deployment of their applications. Applying the concept is challenging, but the nice people at Canada Health Infoway have produced a document that you can download, called ‘Privacy and Security Requirements and Considerations for Digital Health Solutions.’ It takes that one page of principles and provides 200 very specific pages of guidelines for developers to develop safe and secure systems. And ITAC and Canada Health Infoway are working on a certification system for software. And organizations can look to see that a product has the basic needed features to be deployed safely. It’s an important first step to at least know that some appropriate due diligence has been done before a product moves onto the market.”
“And it’s not if you’re going to have a privacy breach, but when. And I know you’ve done work on a risk management map,” Fenton said, turning to Seaton. “And I’ll reiterate,” he said, “Saskatchewan is one of the first jurisdictions I’ve seen that has created a very integrated model of risk management and information security. When we move into digital health realms, there’s a wide range of issues that need to be considered, and the very worst thing you can do is to silo these things, because they’re all very tightly related. My advice to health systems would be to evolve your risk management solutions to be integrated with regard to privacy and safety—just as you’d deal with prescription management and risks of falls. You should be bringing all of your risks into that risk management framework.”
“And having vendors willing to work with us on security and privacy—that is very important,” Daku said. “We have providers who won’t provide care unless they can access information, including images. Information is no longer an option to providing care, it’s critical to it. So we have to understand that, as risk management professionals, how we protect that, and how we enable that.”