Scott Breece, VP and CISO of Community Health Systems, discusses the rising security threat in healthcare with M. Eric Johnson, Dean of Vanderbilt University’s Owen Graduate School of Management. Scott highlights how health IT is transforming healthcare, improving the patient experience and outcomes. However, digitization of healthcare data also creates new risks for the healthcare system. Scott discusses how Community Health Systems is staying ahead of those threats and securing patient data. This video was partially supported by the THaW project, which is co-led by Eric Johnson.
In an article in the most recent issue of the Communications of the ACM, the authors (Kotz, Fu, Gunter and Rubin) state:
The benefits of healthcare IT will be elusive if its security challenges are not adequately addressed. Security remains one of the most important concerns in a recent survey of the health and mHealth sectors, and research has illustrated the risks incurred by cyber-attacks on medical devices such as pace-makers. More than two-thirds (69%) of respondents say their organization’s IT security does not meet expectations for FDA-approved medical devices.
Privacy protection is also critical for healthcare IT; although this column focuses on security, it should be noted that many security breaches lead to disclosure of personal information and thus an impact on patient privacy.
The authors identify three critical research challenges:
- Usable authentication tools
- Trustworthy control of medical devices
- Trust through accountability
For more information on the challenges facing securing healthcare IT please see Communications of the ACM.
THaW PI Kevin Fu was quoted in an article published this weekend in the New York Times. Describing a scene from an episode of the Showtime Network’s series Homeland, the Times story questions how realistic it is that a person’s computerized defibrillator could be hacked. In a recent 60 Minutes episode, former Vice President Dick Cheney and his cardiologist thought the threat was credible enough to shut off the wireless programming functionality of his own defibrillator.
In the article, Kevin describes some of his research on the topic, including a 2008 paper that he co-authored warning of just such a scenario. According to Kevin “security was not on the radar yet for the medical device community…But there was a rapid trend toward wireless communication and Internet connectivity. We definitely raised awareness.”
Read the full New York Times article published on 10/27/13.
In most areas of health care the adage that “an ounce of prevention is worth a pound of cure” holds true. But for information security professionals in the field, the answer has not been so clear. Debate continues between two camps of researchers: one group maintains that it’s far more efficient to learn from the past and use that information to thwart future attacks; others advocate investing in preventive measures, saying that proactive organizations build a deeper understanding of both their own weaknesses and future threats. Continue reading
In the previous post we described the current landscape for healthcare information technology. In this post, we note how healthcare information systems increasingly face daunting security challenges due to five economic and technological trends. First, the locus of care is shifting, as the healthcare system seeks more efficient and less-expensive ways to care for patients, particularly outpatients with chronic conditions. Second, strong economic incentives are pushing health providers to innovate by rewarding providers for keeping their patient population healthy, rather than paying only to fix patients when they are ill. Third, the treatment of chronic conditions and the implementation of prevention plans entail more continuous patient monitoring, outside of the clinical setting. Fourth, mobile consumer devices (smartphones and tablets) are quickly being adopted for health & wellness applications, both by caregivers and patients, in addition to their many other uses – making it difficult to protect sensitive health-related data and functions from the risks posed by a general-purpose Internet device. Finally, significant emerging threats are targeting healthcare information systems, while new regulations strive to protect medical integrity and patient privacy. Let’s look at each of these five trends in more detail.
The United States spends over $2.6 trillion annually on healthcare. This amount represents approximately 18% of the gross domestic product (GDP), a percentage that has doubled in the last 30 years and is the highest of any country in the world . Over 75% of these costs are due to the management of chronic diseases, which currently affects 45% of the U.S. population. By 2023, it is expected that costs to manage chronic diseases alone will rise to $4.2 trillion . Many look to information technology to help reduce costs, increase efficiency, broaden access to healthcare, and improve the health of the population.
Meanwhile, recent years have seen a dramatic shift in the nature of computing with the advent of smartphones and tablet computers; the latest surveys estimate that over 50% of Americans have smartphones . This wide-spread availability of a powerful mobile computing platform, with a rich interface and a variety of built-in sensors, has created a boom in mobile health (mHealth) applications like RunKeeper and Fooducate ; mHealth application downloads increased from 124 million in 2011 to 247 million in 2012 . These mHealth apps and devices are becoming more prevalent due in part to the rising cost of healthcare and their suitability for managing chronic diseases, particularly in the aging population [5, 6], and in prevention and wellness programs .
Smartphones and tablets are rapidly moving into the clinical workplace as well. A recent estimate indicates that as many as 62% of doctors use mobile tablets . Although some hospitals embrace smartphones and tablets by distributing them to their staff , a 2012 survey found that 85% of hospitals allow their clinicians to bring their own device to work .
Furthermore, universal connectivity (cellular, wireless, and home broadband) has enabled a tremendous variety of services to move to the “cloud.” Services like Dropbox and Google Drive make it easy for individuals to store, manipulate, and share content on cloud servers located in distant data centers. Services like Amazon S3 and Google App Engine make it easy for developers to build scalable computational backends without installing or managing their own infrastructure. These trends are pushing more individuals and enterprises to push an increasing fraction of their computing into Internet-connected servers run by other organizations – raising important questions about security and privacy.
Finally, recent years have seen rapid developments in smart, miniaturized, low-power, adaptive and self-calibrating instrumentation, enabling the emergence of mobile devices for monitoring and managing individual health conditions; examples range from wearable devices that measure physical activity (such as the BodyMedia armband) to Wi-Fi enabled bathroom scales (such as those from Withings or Fitbit) to stick-on ECG patches to monitor heart conditions (such as those from Corventis) to implanted insulin pumps (such as one from Medtronic). Most are wireless, able to upload data to a smartphone or to a cloud server for analysis and access by both the individual and caregivers.
The dynamic healthcare ecosystem and rapid technology evolution lead to new challenges in securing tomorrow’s healthcare information infrastructure. More on that in the next post!