Every year, I see Mac McMillan at HIMSS and wonder if he’ll ever be positive.
Of course I’m joking, but in a way you can’t blame McMillan—a renowned data security expert, chair of the Healthcare Information and Management Systems Society (HIMSS) Privacy and Security Policy Task Force, and CEO of the consulting firm, CynergisTek—for being a “Debbie Downer.” Data security in healthcare has been and is abysmal.
Every year, the Traverse City, Mich.-based Ponemon Institute releases its annual patient privacy and security study and the results are somewhat startling. This past year, 90 percent of respondents say they’ve had at least one data breach over the past two years, while 38 percent have had more than five data breaches in the same time period. The economic impact of a breach has remained steadily high.
And this is just one study of many, one voice of many, and one indication that healthcare has a big problem with data security. It’s not exactly far-reaching to say we have a long ways to go if these abysmal statistics are to reverse.
Moreover, it could get worse before it gets better. Hackers are now starting to target healthcare data holders. This week, Jason Roos, CTO at Stanford Hospital & Clinics and Stanford University Medical Center in Palo Alto, Calif., explained to me why the exposure of the threat is significant in healthcare, compared to other sectors.
One of the big problems is that it seems like a lot of high-level executives in hospitals don’t care about data security until it’s too late. They don’t want to be put in protections, do a risk analysis, and pay for extensive training until they have the Department of Health and Human Services’ (HHS) Office of Civil Right (OCR) knocking at their door.
It’s not just healthcare that lags in this way. The retail, entertainment, finance, education, and government sectors seem to have this problem too. In our podcast conversation, McMillan called 2014 the year of the incident. You could say that again. Sony, JP Morgan, Community Health, Home Depot all had high profile breaches. Incidents were everywhere in 2014.
I guess that’s why I was excited to read about President Barack Obama’s dedication to data security, which made the news this week. Specific information on his proposal is sparse, with most details expected to be announced during the State of the Union on Tuesday, but let’s just acknowledge that something is better than nothing. As a privacy expert said in this CNET article, "This is a huge shot in the arm to a much-needed advancement for our legislative protections.”
A nationally recognized data security policy tells every higher up, whether they are in healthcare or not, “Respect the threat. Be prepared.”
In New York, Attorney General Eric Schneiderman quietly took it a step farther. He proposed a bill that would expand the definition of private information to include email addresses in combination with a password or security question and answer; require entities that store private data have reasonable technical and physical safeguards, assess risks regularly, and obtain third-party certifications showing compliance with these requirements; incentivize companies to provide higher levels of data security and share forensic reports with law enforcement officials. I admire the fact that he wants the strongest data security law in the country.
While these measures are not directed at the healthcare industry specifically, they very well could have a trickledown effect that gives it the kick start that is so desperately needed. In other words, maybe in a few years, I’ll go to HIMSS and Mac McMillan will be a little less annoyed at the way things are with data security in healthcare.
Please feel free to respond in the comment section below or on Twitter by following me at @GabrielSPerna