Where’s the Interest in Healthcare Cybersecurity?
By Matthew B. Smith
The President’s State of the Union (SOTU) address mentioned cybersecurity concerns and might serve as a rallying cry for greater adoption in the healthcare industry. We certainly must hope the address will spark a more forceful interest in healthcare cybersecurity.
It is curious that the many non-healthcare breaches (principally at banks and retailers) that have received national attention, and the financial penalties under HIPAA and HITECH to healthcare providers who have suffered lost and breached patient data (though less well publicized in the national media), have not caused a groundswell of attention to this issue. As patients assume a far greater role and informed involvement in their care, the security of their personal medical information should rise as a concern.
However, I do expect that the older generation, as characterized by the Baby Boomers, will express a far greater concern about medical data security. The Xers and Millennials don’t seem to hold personal information in the same high regard as the oldsters and may not be as demanding about its importance. Social media seems to have not created a concern about personal information security among them. It would be a great mistake to assume that this is the standard for healthcare cybersecurity. The higher medical users (chronic and elderly) will be the drivers of this requirement as they will be in more consistent contact with the system.
It is curious that medical device, equipment, and instrumentation (DEI) manufacturers have not stepped up in unison to include cybersecurity as a component of their products. I suspect that EHR vendors and providers (especially those with foresight) who see mobile diagnostics and therapeutics as a reimbursable and cost-effective (we hope!) means of care delivery will be the motivators of this adoption. Patients as consumers will also drive this for reasons noted above. Also desperately needed are national healthcare cybersecurity standards or certifications so that DEI makers will have an easier time incorporating these much-needed technologies to secure medical information, regardless of the source or the recipient of the medical data.
As a frontline participant in the battle for total healthcare data security, we are finding the education of the DEI makers to be the evolutionary equivalent of watching dinosaurs become extinct. The way to true healthcare data security will have to make it easy for DEI makers to adopt independent third-party data security. Too few have shown the foresight to lead in this setting, citing communications with EHRs and other issues as more pressing, coupled with their not hearing a demand from their provider clients. Perhaps they are not listening very well.
National technical standards, well documented for other industries, hold the answer for our industry, so that the DEI folks can simply pick and choose a qualifying technology that meets the standards. The DEI folks also show a bewilderingly sad understanding of where the Affordable Healthcare Act is taking reimbursement, which we fundamentally believe will do away with the DEI capital budget and replace it with access to these products on a monitored per use/per subscription/per census day or equivalent acquisition payment mechanism with healthcare cybersecurity monitoring embedded in the payment schema.
The precedents for this movement can be seen in the historic reimbursement changes wrought when DRGs were instituted, when cancer centers were developed, and when patient advocacy services arose. All met opposition, but became new ways of conducting business in the industry. Now is the time for the insistence upon healthcare cybersecurity information technology.