After a few years out of the provider space and working at one of the largest information security firms - - I have the luxury of time and distance to think about some of the issues that providers struggle with from a different perspective. Lately one of the things that I’ve been thinking about has been coming up in conversations with hospital CIOs/CISOs/CTOs, and most recently a large EMR vendor’s Security Architect:
Why is healthcare so bad at IT Risk Management?
Good question. And I certainly have my opinions about that. Last fall I moderated a panel on post-Omnibus security and I got to ask some current and active practitioners (a healthcare security consultant, a long-time healthcare attorney, and a sitting CISO from a multi-hospital system) that very question.
It was the liveliest part of the hour-and-a-half panel, and while we finally had to shift topics it certainly took up the most time and could’ve taken up more. It was also one of the topics discussed at Symantec’s last Healthcare Advisory Board meetings with HIT executives from across the US, from providers of all sizes and shapes.
Let me share some of the thoughts:
· A lack of understanding at the senior management and board level. Discussions at these levels are still missing the target because they are not conducted in a business context. They focus on just the technological risk like a virus, breach or attack, but not on what happens to care if there is a virus outbreak on the network, or what you do about billing if you’ve had a breach. In their 2013 Global Risk Management Survey, Gartner found that most companies surveyed (not just healthcare) are not communicating risk management data effectively to their board.
· And that’s dangerous, because of the growing interconnection between technology and business risks. No one can argue that we are entering a “digital economy” . . . although healthcare is lagging sectors like retail and the airlines. And since what we do is take care of people, that interconnection is more critical than in any other business. If you enter the wrong order at the corner restaurant someone gets the wrong lunch. Do that in a pharmacy and someone may never eat lunch again. And I promise not even to discuss medical devices here . . .
· There is increasing pressure to disclose technology risk. Market and industry regulators (from the HHS Wall of Shame to Joint Commission to the FDA and initiatives in almost every state) now instruct the public about what providers are doing with patient information and how they do it and how well they do it. Transparency is a wonderful thing until it is your ugly stuff that’s on display.
· Lack of visibility into key business relationships with third parties. And then there are those pesky Business Associates and sub-contractors. The number of Business Associates (and their Business Associates and subs), and technological exchanges of information (HIEs, ACOs, registries), has skyrocketed, which has increased the level of IT risk exponentially. With potentially 4 – 5 million Business Associates out there, it is much easier to not know what is going on and think the BAA or the Government will take care of it.
Now, these are kind of the big-ticket items. In fact, they aren’t even unique to healthcare. But healthcare unfortunately has a history of lagging technology and siloed approaches to business (or what we sometimes call care) - - both anathema to good enterprise risk management.
Lack of understanding at the highest levels is bad enough, but we have a more serious lack of understanding among the experts who perform the risk assessments. Risk assumes there is an asset - - something to protect. But we are still thinking of assets as “things”: devices, rooms, and pieces of paper. We don’t think of all those magnetic bits and bytes that we have carefully laid down on spinning disks or tape or jump drives or sent through wires or sometimes just the air - - no wires.
That’s the thing: the data is the asset.
We need to change the way we think about the data itself.
We also tend to think if it gets safely to a device or a tape or whatever, we’re done. But the rest of the question is who is looking at it. Just because it is on Dr. Finn’s iPad and that tablet encrypts the data once it is delivered doesn’t mean that only Dr. Finn actually has access to that iPad.
You have to look at access: who gets it and how. Let me share one of the adages I learned as an auditor: “Trust is not a control”. And yes, you still have to trust people, but I would never trust things (especially digital things). The Government later turned that into “Trust but verify”.
Historically, healthcare IT risk management (especially in large hospitals) has been siloed - - whoever had the technology got to determine the level of risk they were willing to accept. It didn’t matter whether they knew what the risks were or not - - like the lab system in a room in the lab with no special environmental controls, no backup power and so on. And of course, no one perceived any risk until they had a crisis, and then they called central IT.
Only with widespread implementation of the EMR/EHR did we begin to understand that the risk to one part of the organization is actually shared by everyone using that system. And we haven’t always successfully made that leap. Everyone who has gone from stand-alone billing, lab, ADT and other systems into a single integrated model can appreciate that.
It was easy for Cardiology to blame billing when you shipped them the paper or digital data and someone had to get it into the billing system. Not so much anymore; billing can see what Cardiology actually did input and it is harder to hide behind bad IT interfaces, bad input by billing or coders. You really need to be correct before you blame someone else because it is much easier to see where the problem is. Oh, and we actually know who did it and when now, too.
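Two of the points above, that the data (not the device) is the asset and that "trust is not a control", and the closing observation that an integrated system lets us see who did what and when, can be made concrete in a small model. The following is an added example, not code from the original post or from any EMR vendor: a constructed scenario in which a patient record on Dr. Finn's encrypted tablet is gated by an explicit per-record access list rather than by possession of the device, and every attempt, allowed or denied, lands in an audit trail. All names, record identifiers and timestamps are made up for illustration.

```python
"""Added example: the data is the asset, and access to it is verified and logged.

Constructed toy model (not from the original post). Encryption at rest protects
the hardware if it is lost; it says nothing about who is holding an unlocked
device. The control is the record's own access list, checked on every read,
and the audit trail answers "who did it and when" for allowed and denied reads.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ProtectedRecord:
    """The asset: one patient record plus the explicit set of people allowed to read it."""
    record_id: str
    authorized_users: FrozenSet[str]


@dataclass
class Device:
    """A container for the asset. encrypted_at_rest is informational only: it
    never enters the access decision, which is the whole point of the example."""
    name: str
    encrypted_at_rest: bool
    records: Dict[str, ProtectedRecord]


@dataclass(frozen=True)
class AuditEvent:
    """One line of the audit trail: who, which device, which record, when, and the outcome."""
    when: str
    who: str
    device: str
    record_id: str
    allowed: bool


class AccessGate:
    """Mediates every read. Possession of the device grants nothing; the record's
    access list is the control, and every decision is recorded before it is returned."""

    def __init__(self) -> None:
        self.audit_log: List[AuditEvent] = []

    def read(self, who: str, device: Device, record_id: str,
             now: Optional[datetime] = None) -> Optional[ProtectedRecord]:
        now = now or datetime.now(timezone.utc)
        record = device.records.get(record_id)
        # The decision depends on the person and the record, not on the device.
        allowed = record is not None and who in record.authorized_users
        self.audit_log.append(AuditEvent(now.isoformat(), who, device.name, record_id, allowed))
        return record if allowed else None

    def who_accessed(self, record_id: str) -> List[Tuple[str, str, bool]]:
        """Answer 'who did it and when' for one record, denied attempts included."""
        return [(e.who, e.when, e.allowed) for e in self.audit_log if e.record_id == record_id]


def demo() -> Tuple[bool, bool, int]:
    """Constructed scenario: Dr. Finn's encrypted tablet holds one record that only
    Dr. Finn is authorized to read. Returns (finn_allowed, other_allowed, audit_entries)."""
    record = ProtectedRecord("MRN-0001-example", frozenset({"dr.finn"}))
    tablet = Device("finn-ipad", encrypted_at_rest=True, records={record.record_id: record})
    gate = AccessGate()
    t0 = datetime(2014, 1, 15, 9, 30, tzinfo=timezone.utc)  # constructed timestamp

    finn_ok = gate.read("dr.finn", tablet, record.record_id, now=t0) is not None
    # Someone else picks up the same unlocked, encrypted tablet. Encryption at
    # rest does nothing here; the access list denies the read and the attempt is logged.
    other_ok = gate.read("visitor", tablet, record.record_id, now=t0) is not None
    return finn_ok, other_ok, len(gate.who_accessed(record.record_id))


if __name__ == "__main__":
    print(demo())  # (True, False, 2)
```

The model is deliberately small: the asset carries its own authorization, the gate never consults the device's encryption flag, and the denied read is as visible in the trail as the allowed one, which is what lets an organization stop blaming an interface and see who actually touched the data.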