Healthcare Online User Group

Why is Healthcare so Bad at IT Risk Management? (Part 1 of 2) 

02-13-2014 03:42 PM


After a few years out of the provider space and working at one of the largest information security firms - - I have the luxury of time and distance to think about some of the issues that providers struggle with from a different perspective.  Lately one of the things that I’ve been thinking about has been coming up in conversations with hospital CIOs/CISOs/CTOs, and most recently a large EMR vendor’s Security Architect: 

Why is healthcare so bad at IT Risk Management?

Good question.  And I certainly have my opinions about that.  Last fall I moderated a panel on post-Omnibus security and I got to ask some current and active practitioners (a healthcare security consultant, a long-time healthcare attorney, and a sitting CISO from a multi-hospital system) that very question.

It was the liveliest part of the hour-and-a-half panel, and while we finally had to shift topics, it certainly took up the most time and could’ve taken up more.  It was also one of the topics discussed at Symantec’s last Healthcare Advisory Board meeting with HIT executives from across the US, from providers of all sizes and shapes.

Let me share some of the thoughts:

· A lack of understanding at the senior management and board-level.  Discussions at these levels are still missing the target because they are not conducted in a business context.  They focus on just the technological risk like a virus, breach or attack—but not on what happens to care if there is a virus outbreak on the network, or what do you do about billing if you’ve had a breach.  In their 2013 Global Risk Management Survey, Gartner found that most companies surveyed (not just healthcare) are not communicating risk management data effectively to their board.

· And that’s dangerous, because of the growing interconnection between technology and business risks.  No one can argue that we are entering a “digital economy” . . . although healthcare is lagging sectors like retail and the airlines.  And since what we do is take care of people, that interconnection is more critical than in any other business.  If you enter the wrong order at the corner restaurant, someone gets the wrong lunch.  Do that in a pharmacy and someone may never eat lunch again.  And I promise not even to discuss medical devices here . . .

· There is increasing pressure to disclose technology risk.  Market and industry regulators (from the HHS Wall of Shame to Joint Commission to the FDA and initiatives in almost every state) now instruct the public about what providers are doing with patient information, how they do it and how well they do it.  Transparency is a wonderful thing until it is your ugly stuff that’s on display.

· Lack of visibility into key business relationships with third parties.  And then there are those pesky Business Associates and sub-contractors.  The number of Business Associates (and their Business Associates and subs), and of technological exchanges of information (HIEs, ACOs, registries), has skyrocketed, which has increased the level of IT risk exponentially.  With potentially 4 – 5 million Business Associates out there, it is much easier to not know what is going on and think the BAA or the Government will take care of it.

Now, these are kind of the big-ticket items.  In fact, they aren’t even unique to healthcare.  But healthcare unfortunately has a history of lagging technology and siloed approaches to business (or what we sometimes call care) - - both anathema to good enterprise risk management.

Lack of understanding at the highest levels is bad enough, but we have a more serious lack of understanding among the experts who perform the risk assessments.  Risk assumes there is an asset - - something to protect.  But we are still thinking of assets as “things”: devices, rooms, and pieces of paper.  We don’t think of all those magnetic bits and bytes that we have carefully laid down on spinning disks or tape or jump drives or sent through wires or sometimes just the air - - no wires.

That’s the thing: the data is the asset.

We need to change the way we think about the data itself.

We also tend to think if it gets safely to a device or a tape or whatever, we’re done.  But the rest of the question is who is looking at it.  Just because it is on Dr. Finn’s iPad and that tablet encrypts the data once it is delivered doesn’t mean that only Dr. Finn actually has access to that iPad.

You have to look at access and who gets it and how.  Let me share one of the adages I learned as an auditor:  “Trust is not a control”.  And yes, you still have to trust people but I would never trust things (especially digital things).   The Government later turned that into “Trust but verify”.

Historically, healthcare (especially large hospitals) IT risk management has been siloed - - whoever had the technology got to determine the level of risk they were willing to accept.  It didn’t matter whether they knew what the risks were or not - - like the lab system in a room in the lab with no special environmental controls, no back up power and so on.  And of course, no one perceived any risk until they had a crisis and then they called central IT.

Only with widespread implementation of the EMR/EHR did we begin to understand that the risk to one part of the organization is actually shared by everyone using that system.  And we haven’t always successfully made that leap.  Everyone who has gone from stand-alone billing, lab, ADT and other systems into a single-integrated model can appreciate that. 

It was easy for Cardiology to blame billing when you shipped them the paper or digital data and someone had to get it into the billing system.  Not so much anymore; billing can see what Cardiology actually did input and it is harder to hide behind bad IT interfaces, bad input by billing or coders.  You really need to be correct before you blame someone else because it is much easier to see where the problem is.  Oh, and we actually know who did it and when now, too.


07-09-2014 06:31 PM

Thanks, -Rd.  I could not agree with you more and you raised many more issues than I even touched on.  To your point, however, already this year we are seeing the massively larger fines that are allowed under Omnibus - - $4M for a single "small" breach - - that gets people's attention.  While the audit program has been delayed, the program that was just announced is significantly larger than the first and addresses Business Associates.  And indeed, while some people cite the reporting requirement as a reason healthcare leads all industries in the number of breaches (not the number of records) - - so, yes, healthcare is a big "data leaker" and is a targeted industry.

Thanks for your comments.

07-09-2014 05:50 PM

This is a huge issue, glad you brought it up: embedded systems still running Windows XP Embedded, proprietary HL7 scripts, huge amounts of specialized software in the portfolio of implementations, external offices accessing hospital systems (using a single log-on for multiple people; yes, I've worked for years in healthcare), and the inherent risk of DICOM images, each of which carries "tagged" patient-identifiable information.

Sloppy data handling and disposal (I once found an entire radiologist's old x-rays just tossed in the trash!). Not that healthcare hasn't taken strides, mostly third-party paper shredding companies. Is there a list of patched vulnerabilities, as in the US-CERT alerts, for EMRs/EHRs/PACS?

Sloppy use of wireless networks (I scanned the local area and found so many wireless networks still using WEP!). The issue is like that of a sedimentary rock: the new placed over the old, layer after layer. Ancient (old) EMRs still online, years after the systems are outdated, just because "medical records still sometimes access data over eight years old."

It is time that the medical industry takes a top-down look at its security policies and practices, keeps tighter reins on its suppliers, their SLAs and OLAs, and takes a real close look at its liability in using "cloud-based EMRs that use a browser." I could continue, yet I shall wrap it up. With the "Hall of Shame", penalties are going to double and triple, with Americans fed up with hearing about data breaches, and with stolen insurance cards selling for more than Social Security numbers on miscreant web sites. Healthcare leaks more PII than our own government.

04-18-2014 06:47 PM

Yes, healthcare is a broad term, but in terms of IT risk management I'm talking about providers (large and small - - from large multi-hospital systems to a single physician practice to, yes, urgent care clinics) and payers (health plans and insurance companies).

And really only those that are required to do electronic health data exchange (treatment, payment, operations).  True, a Traditional Chinese Medicine or an Ayurvedic practitioner doesn't typically bill electronically, for a variety of reasons.  But anyone who is required to have an EHR in this country today is probably not doing risk management around those systems on an ongoing, near real-time basis.  Most don't think about it until they are in the middle of some technical shutdown or disaster.

04-16-2014 08:28 AM

Health care is a broad term, under which we are getting different types of health care services at affordable cost. But in most cases we have found that people are still suffering from a lack of proper health care strategies; therefore they need to go for different health care policies and plans.

Urgent care clinic Hattiesburg, MS
