As always, Mac McMillan laid it on the line in a way that allowed for no misunderstanding. Leading off as the keynote speaker at the “Health Information Executive’s Guide to Cyber Security, a CHIME LEAD Forum event in collaboration with iHT2”—sponsored by the Ann Arbor, Mich.-based College of Healthcare Information Executives (CHIME) and the Institute for Health Technology Transformation (iHT2—a partner organization to Healthcare Informatics), and being held Dec. 9 at the Royal Sonesta Galleria in Houston, McMillan nailed it when it comes to systemic flaws around data security.
“The events of this past year ,” McMillan, CEO founder of the consulting firm CynergisTek Inc., told his audience, “have begun to show what’s going on, that the folks who want to do harm to us in healthcare have absolutely found us, and they’re not going away.” McMillan cited and briefly summarized 12 different, very serious, data breaches in 2014 that in a variety of ways are illustrative of all the threats facing patient care organizations in the U.S. What’s more, as he pointed out, the external threats—from hostile foreign governments, foreign-based criminal syndicates, and other entities—are beginning to emerge as potentially devastating for the U.S. healthcare system.
Still, McMillan said, things are beginning to change, as healthcare and policy leaders alike are beginning to rethink the data security conundrum. “Yesterday,” he said, “I was talking to folks at a health insurance company, who realized that perhaps data security is part of their responsibility. They were even discussing, does the way the physician handles the medical record, is that part of his professional responsibility from a liability standpoint? We’re also seeing more action at the federal and state level. We just saw a radiologist put in jail. There are two other physicians, in a northern state, who are about to be put in jail. They had left an organization but still had access to the EHR, and stole data. Now, hospitals are beginning to turn those folks in and are treating it not just as a breach or inappropriate access, but as actual theft. And law enforcement people are recognizing that perhaps that is a legitimate thing to go after.”
The radiologist case that he cited in his presentation, McMillan told me later, is significant as a bellwether case in this area. In that instance, a radiologist races three misdemeanor chargers for allegedly stealing the protected health information of nearly 97,000 current and former patients of the Long Island, N.Y. medical practice where he worked. In a separate case in New England, two physicians have been arrested for stealing the records of thousands of former patients, at a moment when they had left their affiliation with a particular hospital organization, and were seeking to build their new practice. Such prosecutions, he told me, show that law enforcement leaders are beginning to recognize the seriousness of these issues.
In any case, McMillan once again drove home the point that healthcare leaders in the U.S. need to step up to the plate, now, and lead the way into the future in this key area. And they won’t be doing so in a vacuum: as he noted, the Office of the Inspector General (OIG) in the Department of Health and Human Services has just performed its first meaningful use audit of an electronic health record (EHR) system, performing a vulnerability scan not only of the EHR, but also of the systems behind the EHR. “They did web-based scanning of the port; and asked for the same kind of data from the institution in terms of their testing,” he noted. “And they made their observations based on the technical integrity of the EHR and the database environment and web portal environment associated with that EHR. They’ve just begun those audits, and will focus on them,” he added.
The takeaway message, as always, was this: the leaders of patient care organizations are woefully behind the curve when it comes to ramping up their data security capabilities, McMillan noted. First, only about half of patient care organizations have even appointed a chief information security officer (CISO); and many of those with the title are in their first job of that kind, and some even lack IT experience.
“We need to make investments in several areas, but most of all, in technology and in people,” he urged his audience. The fact is that most patient care organizations are still spending less than 5 percent of their IT budgets on data security, McMillan reported, when even 10 percent of IT spent on data security is simply a “maintenance” level, given the rising threat levels, he said. Still, he said, in answer to a question from the audience, he is optimistic that healthcare leaders will eventually get to where they need to get to, in managing the rising and already huge challenge of data security. But time is of the essence, he urged his audience-and so is vision.