In this era of Big Data, security is a lot like a flu shot. Peel back the layers of marketing hype and media frenzy and you learn that the annual flu shot covers only about half of the strains in circulation, roughly the accuracy rate the public credits to a weather forecaster.
Similarly, Big Data security efforts seemingly don’t prevent all of the threats, thefts and intrusions, according to a New York Times editorial in late January. So much for erecting those sturdy firewalls.
But is that good enough?
Should the healthcare industry resign itself to the idea that Big Data’s HIPAA-fortified, not-so-impenetrable electronic fortress merely props up a wary confidence until a hacker breaches it and shatters faith and trust in the “system”?
Healthcare experts admittedly stop short of labeling the Big Data concept the panacea or silver bullet to solve the industry’s considerable challenges – even as the information collected can be analyzed and used to foster burgeoning population health initiatives, one of the latest strategic catch-phrases making the clinical and trade show circuit.
Yet underneath the zeal surrounding population health, on-again, off-again ICD-10 conversion deadlines and the reams of data amassed on their way to becoming “useful information,” more healthcare organizations fret about privacy, protected access and security amid equipment thefts, hacking and illegal, if not accidental, exposure of data. Nothing sends the promise of healthcare reform spiraling into doubt faster than a data breach; faith and trust in the system collapse as quickly as the firewalls erected to prevent it.
Well-publicized IT breaches plaguing the retail market seem to be infecting healthcare providers, too, as the media reveal more outbreaks. And this is happening concurrently as healthcare organizations rely on Big Data analytics as a fix for short-term and long-term problems exposed under reform initiatives.
So what can and should healthcare organizations do to address – and quell, if possible – these breaches and fears? Health Management Technology contacted a group of IT experts to explore insightful and actionable strategies and tactics that make sense.
For context, HMT posed an overarching question to sources about the one thing that concerns them about the concept of Big Data and offered them six options from which to choose:
- Costly hardware/software investments/upgrades;
- Understanding how to make it work/capitalize on it for my organization;
- Finding the right “solutions” partner that has my best interests in mind;
- What the heck “Big Data” really means; and
- Other (please specify).
Two of the options, “Understanding how to make it work/capitalize on it for my organization” and the open-ended “Other,” drew most of the responses.
HMT: If there’s one thing that concerns you about the concept of Big Data, it is:
- Ahmad Kasmieh, Chief Technology Officer, Alere Analytics: “Understanding how to make it work/capitalize on it for my organization.”
- Steve Matheson, Vice President, Product Management, BridgeHead Software: “Other (please specify): Healthcare cannot effectively analyze “little data” to measure patient outcomes or cost, which is why it cannot calculate value, e.g., value = outcomes/cost. Why do healthcare business executives believe doing it with more complex and magnitudes-larger data sets will solve their challenge?”
- Frank Negro, Practice Leader, Global Healthcare Consulting, Dell Services: “Other (please specify): Effective transition to Big Data processes. I believe the biggest concern for organizations considering the use of Big Data is the lack of clarity around how to convert from a transactional data-processing organization to one that uses data strategically to inform, to influence and, eventually, to drive organizational strategic decisions. These may be decisions around healthcare delivery, including treatment protocol outcomes, or decisions around business, including the prediction of movement of key process indicators when strategies change.”
- David Dimond, Chief Technology Officer, EMC Global Healthcare Business: “Understanding how to make it work/capitalize on it for my organization. Too often we see healthcare organizations focus on building business intelligence and analytics capabilities from a technology standpoint and from the bottom up. With Big Data initiatives, it is critical to think big and solve high-value and time-critical problems from the top down.
For organizations to be successful out of the gates, they need to approach Big Data in the context of solving big problems. As an example, consider the business impact of hospital-acquired conditions (HAIs). A popular study on the HAIs sepsis and pneumonia determined that more than 48,000 people in the U.S. were impacted by this type of HAI, amounting to $8.1 billion in additional healthcare costs in one year alone. These numbers are staggering. For most hospital organizations, it’s a worthy problem to be solved with new Big Data initiatives.”
- Anil Jain, M.D., FACP, Chief Medical Officer, Explorys Inc.: “Finding the right “solutions” partner that has my best interests in mind.”
- Jason Williams, Vice President, Business Analytics, McKesson: “Other (please specify): As a technology vendor, we’ve seen that healthcare organizations have their bandwidth consumed with projects like Meaningful Use, so generally they aren’t building their own Big Data solutions that would require new skilled resources and technology. This leaves a combination of understanding how to make it work and finding solution partners.
Fundamentally, the concern is avoiding getting distracted by Big Data and instead defining organizational problems that require identifying a big enough quantity of the “right” data to convert to simple insights for a large volume of stakeholders within the organization. This approach focuses the Big Data project and limits the security exposure, as most folks benefiting from the data are not accessing it directly. It’s like getting coupons at the grocery checkout. Big Data is accessed to deliver value to a stakeholder transaction in a simple way.”
- Siva Namasivayam, CEO, SCIO Health Analytics: “Understanding how to make Big Data work by capitalizing on it for my organization and clients, including proving an ROI for the costly hardware and/or software investments.
The biggest challenge among SCIO’s clients is the ability to manage and gain valuable insights from their healthcare data. Big Data is the buzzword these days. While in concept it promises a greater understanding of the consumer and healthcare market, in practice, it comes with a costly investment with an unknown return in most cases. Given that most companies are not able to utilize their current data properly, throwing more data into the mix will only exacerbate the issue.
Those who need healthcare data for populations, whether it is an organization or population of a PBM, are investing in costly hardware and software upgrades to manage Big Data. Solutions that allow clients to better manage their data, gain actionable insights and show an ROI for their investment are the most beneficial from an ROI perspective.”
- Steve Deaton, Vice President, Sales, Viztek: “Understanding how to make it work/capitalize on it for my organization.”
- Chris Schremser, Chief Technology Officer, ZirMed: “Understanding how to make it work/capitalize on it for my organization.”
HMT: Given the explosion of IT capabilities – including online access to data – in the last 20 years, do you feel a healthcare organization’s Big Data is more or less secure today than it was two decades ago and why?
Kasmieh: Yes, healthcare information in general is less secure now than it was 20 years ago, but it doesn’t have anything to do with the rise of Big Data. The reason it is less secure now than in the past has largely to do with the fact that data was stored in mostly disconnected silos. For the past 20 years, as communication technologies have evolved so rapidly, including and especially Web-based communications, desired and undesired data access requests have continually increased. So, as technologies to store and share data have developed and advanced, the ability to hack into networks that house data has also advanced. Companies are often focused on developing the latest data-sharing techniques, but they also must be concerned about keeping up with the latest security methods.
Matheson: Big Data environments mainly reside in most healthcare providers’ and payers’ central data centers. These have much more security, both physical and logical, wrapped around them than anyone would have considered or deployed 20 years ago. Unfortunately, there are many more bad guys focusing on reading and copying the data via network access.
Data being pushed to and pulled from the edge of healthcare (e.g., clinician practices, small imaging centers, independent laboratories) has the same attractiveness to bad guys and will likely not have as rigorous a security perimeter around it.
Negro: Less secure. The habits today that relate to the relatively poor practices have not changed, but the scope and landscape as they relate to Big Data have. Healthcare organizations are increasingly forced to rely upon external parties, such as business associates, third parties and HIEs, that may not have the focus, depth and expertise in managing privacy and security. At the same time, organizations are being pushed toward and increasingly utilizing services provided by others such as the cloud.
Dimond: The popular industry definitions of Big Data are framed around volume, variety and velocity. From our experience, it’s really about the veracity of data which requires the liquidity by getting it virtualized into one place. Prior to Big Data initiatives, a healthcare organization really didn’t know where all of its data was located due to data silos. When you virtualize data and bring it all together, you can better understand its value and the threats related to breach, corruption and general misuse. The healthcare industry can learn from the banking industry, where the value of the data is well understood and thus, it is well protected.
Jain: Organizations are attempting to standardize privacy and security practices around their Big Data, which is a positive direction. Today, organizations have tools and policies to make data more secure than it has ever been by using the latest software and hardware encryption technologies, as well as role-based access control and intrusion prevention. Moreover, cloud-based solutions divide the hefty costs of that security across all of their customers.
Twenty years ago, there were silos of data in various places across health systems with little emphasis on data governance or data use agreements and an absence of consistent regulatory oversight. Recall that HIPAA, although enacted in 1996, only began to be enforced in 2003. The health systems’ silos of data were seen as a necessary byproduct of various vendor platforms, and there were few, if any, tools that would harmonize the data and policies around the data. Today, we have those tools and companies, such as Explorys, that partner with health systems to make Big Data more secure than it has ever been.
Williams: Less. Because data growth is up tremendously, threats are up tremendously as more data is available via networks, but, at the same time, healthcare organizations’ capabilities and data management have not developed at the same rate. This is why there has been a march to the cloud for security, storage and analytics.
Dennis Syrmis, Director, IT Operations, SCIO Health Analytics: Over the past 20 years, there has been an increase in Big Data’s capabilities and visibilities, including threats, and an awareness that all of this information is “floating” out there somewhere. But it’s what the public doesn’t know about how Big Data is handled that scares healthcare organizations.
With heightened concerns and growing compliance needs come increases in security and monitoring. The more mature and evolved an organization is, the more likely it will understand the risks involved and, as such, the more investments it will make in instituting security measures. For example, 20 years ago, IT security was handled by the same staff that handled the day-to-day operations of an organization. Today, there are dedicated teams focused on ensuring data security. In fact, we’ve seen a significant increase in security jobs for Big Data. It is obvious that organizations are becoming more and more committed to ensuring the security of their data.
Deaton: I feel that Big Data is less secure today than two decades ago, but not because of IT adoption making it online. It is less secure because there are more businesses wanting access to the data, generating demand for a supply of this information. The demand is high for large samplings of data that might be valuable to hundreds of medical manufacturers, suppliers, pharmaceutical companies, etc. Companies realize that they can obtain, legally or not, mass samples of data that can provide guidance to areas of potential revenue.
Schremser: Big Data can mean different things to different people, but certainly the proliferation of enterprise and personal IT in the last decade has resulted in healthcare organizations having much more digital data than ever before. That much data, and that many access points, means more opportunities for data to be compromised and in larger volumes. It also means more ability to track data access, create audit trails and hold folks accountable.
HMT: What are some of the myths about healthcare IT system security that should be “busted” and why?
Kasmieh: Some people perceive that healthcare IT security is a bigger mess than it actually is. Their impression could be that things are out of control and patient data is extremely vulnerable. That’s not the real situation. A lot of organizations are working very hard to regulate health IT, while others are deploying various security measures to keep patient information safe. Data breaches are the exception, not the rule.
Matheson: Healthcare providers have many older IT systems still in use – some older than 10 years. Many were developed on operating system versions that are not supported by the most current security software. Further, many cannot utilize encryption.
Healthcare cannot agree on how long it must keep data. Thus, the default is [to] keep it until someone tells IT not to. The problem is it must be migrated forward constantly. Many IT organizations do not do this. Instead, they have written to portable media, CD-ROMs or optical, tape, and there it stays. It’s portable and generally not cataloged. This is when internal data theft becomes a problem.
Negro: Here are a few, from the “Guide to Privacy and Security of Health Information” by ONCHIT, focused around the risk analysis requirement:
Myth: Installing a new, certified EHR system satisfies the Meaningful Use requirement for a security risk analysis. Fact: You have to conduct a security risk analysis even though an EHR system is certified. Healthcare information security requirements cover all data within your organization, not just what’s in an EHR. There were early comments scoping the risk analysis just to the EHR, but they never made the final language.
Myth: You can satisfy the security risk analysis through a checklist. Fact: Checklists may be helpful, but they just verify controls are in place and do not analyze risk. The requirements are different.
Myth: Your security risk is limited to your EHR. Fact: No, it includes copiers, mobile devices, personal devices that may be utilized, smart IV pumps, everything.
Myth: You have to eliminate all risk before you attest to Meaningful Use. Fact: You actually need a risk management process, and the requirement is to reduce risks you identify in accordance with that process.
Dimond: I think the primary myth is that point solutions can be used to solve specific IT security problems. Health information is often a target for malicious activity, and 61 percent of global healthcare organizations have experienced a security-related incident in the form of a security breach, data loss or unplanned downtime at least once in the past 12 months.
Jain: We often hear healthcare leaders say that healthcare systems cannot possibly leverage “cloud” technology because of the nature of healthcare data, HIPAA, etc. That is a myth, as most healthcare technology leaders understand that the “cloud” infrastructures really are highly secure data centers that provide state-of-the-art computing platforms to provide privacy, security, redundancy, backup and disaster management capabilities at a fraction of the cost if the health system wanted to do it themselves. Moreover, companies such as Explorys add parallel computing and storage features that significantly enhance the solutions that can be offered. Because of the economies of scale and the nature of today’s data centers, IT system security for healthcare does not suffer just because a health system chooses a cloud-based solution.
Williams: The biggest threats an organization faces are from internal threats and carelessness, rather than those coming in from external vectors.
Donald Spinelli, Information Security Officer, SCIO Health Analytics: Moving data to a cloud environment can make compliance difficult. Often, worries about IT compliance can be perceived as a significant impediment for healthcare data cloud adoption. However, if security compliance is the top concern for your population, some cloud providers may actually make compliance audits easier for customers rather than harder for two reasons:
- Most providers deal with audit conditions day in and day out, not requiring you to staff up to handle them. Comparing that to an organization that only deals with audits on an annual basis is a huge advantage.
- The process of moving data to the cloud will lead you to examine the data and work on a system segmentation that will greatly reduce the scope of your audits.
Deaton: Healthcare IT should not be treated differently than a person’s banking records, government records or other personal financial information. These items should remain secured, and companies need to offer people protection services for their health data just like other markets protect end users from fraud. A person’s healthcare data is not necessarily more important than their identity or financial information, in the case of identity fraud, for example. It seems that many IT companies have stayed at arm’s length from healthcare IT because of the fear of government penalties, but the data is similar to other industries.
Schremser: The biggest myth about healthcare IT systems security is the general perception that healthcare technology has to be secure because it is overseen by the government. More specifically, there is a perception that HIPAA brought healthcare ahead of the pack in terms of the required security of the systems we manage, but many healthcare organizations are doing only what they need to do to “check the box” on compliance.
When organizations only want to meet the minimum privacy requirements, they will often overlook fundamental flaws in security infrastructure. For example, many of the biggest breaches in the financial industry have occurred at PCI-compliant organizations. What the company was missing was a comprehensive view of security. Healthcare organizations that are simply “checking the box” on compliance, but aren’t investing the time and resources necessary to proactively protect their data, are not making security a priority, and therefore facing higher risk.
HMT: What are some key best-practice strategies IT execs should employ for Big Data security?
- Make data security a top executive priority by employing a Chief Security Officer who is responsible for infrastructure, data security and implementing the best industry practices on data control and safety. Give him/her the proper resources, continuing education and staff necessary to do this. Security is everyone’s shared responsibility.
- Make it company policy to minimize access to PHI data and the production environment whenever possible. Be vigilant about controlling and auditing access to physical and digital data assets.
- Protect and monitor your data network in real time so your staff is able to detect and quickly address any security issues as soon as they arise.
- Update your security software continuously. Implement new practices when they make sense for your organization. Ensure selection of security software that can keep up with the massive data traffic.
- Work with business partners who value and share your practices around data security.
– Ahmad Kasmieh, Chief Technology Officer, Alere Analytics
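Kasmieh’s second and third points, auditing access to PHI and monitoring in real time so that problems are caught as they arise, are easy to state and hard to make concrete. The following is an added example written for this article; it is not code from Health Management Technology or from Alere Analytics. It runs two common insider-snooping rules over constructed EHR access-log lines: a user opening a record for a patient who is not on their assigned care team, and a user opening an unusual number of distinct records inside a sliding window. The log format, the care-team mapping and the thresholds are assumptions made for the example.

```python
"""Insider-snooping detector over constructed EHR access-log lines.

Added example for this article; not code from Health Management Technology
or from any vendor quoted on the page. Log format, care-team mapping and
thresholds are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <role> <patient record id>".
SAMPLE_LOG = """\
2014-02-03T09:01:12 dr_lee physician P1001
2014-02-03T09:03:40 dr_lee physician P1002
2014-02-03T09:05:01 nurse_kim nurse P1002
2014-02-03T09:05:20 clerk_ann registrar P1001
2014-02-03T09:06:02 clerk_ann registrar P1003
2014-02-03T09:07:15 clerk_ann registrar P1004
2014-02-03T09:08:30 clerk_ann registrar P1005
2014-02-03T09:09:44 clerk_ann registrar P1006
2014-02-03T09:11:05 clerk_ann registrar P1007
2014-02-03T09:12:51 clerk_ann registrar P1008
2014-02-03T09:14:09 clerk_ann registrar P1009
2014-02-03T09:15:33 clerk_ann registrar P1010
2014-02-03T14:20:00 nurse_kim nurse P2000
"""

# Constructed care-team assignments (assumed to be exported from the EHR).
CARE_TEAM = {
    "dr_lee": {"P1001", "P1002"},
    "nurse_kim": {"P1002"},
    "clerk_ann": {"P1001", "P1003"},
}


def parse_log(text):
    """Parse log lines into (timestamp, user, role, patient) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient = line.split()
        events.append((datetime.fromisoformat(ts), user, role, patient))
    return sorted(events)


def find_snooping(events, care_team, window=timedelta(hours=1), max_distinct=5):
    """Return two kinds of alerts.

    outside_care_team: (user, patient) pairs where the user touched a record
    not on their assigned care team.
    high_volume: (user, count) where a user opened more than `max_distinct`
    distinct records inside any sliding window of length `window`.
    """
    outside = [(user, patient) for _, user, _, patient in events
               if patient not in care_team.get(user, set())]

    by_user = defaultdict(list)
    for ts, user, _, patient in events:
        by_user[user].append((ts, patient))

    high_volume = []
    for user, recs in by_user.items():
        peak = 0
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the span fits in `window`.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            peak = max(peak, len({p for _, p in recs[start:end + 1]}))
        if peak > max_distinct:
            high_volume.append((user, peak))
    return {"outside_care_team": outside, "high_volume": high_volume}


if __name__ == "__main__":
    for kind, items in find_snooping(parse_log(SAMPLE_LOG), CARE_TEAM).items():
        print(kind, items)
```

On the constructed log, clerk_ann is flagged by both rules (seven records outside her care team, nine distinct records in ten minutes), while nurse_kim trips only the care-team rule for a single record, which is the case a volume threshold alone would miss. In production the care-team mapping is the hard part: it has to be kept current from the scheduling and admission systems, and a documented break-the-glass path is needed so that legitimate emergency access is recorded rather than silently suppressed.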
- There is no single solution. You need a layered approach to security.
- Limit access.
- Be concerned about external threats, but be doubly concerned about internal threats.
- Do not publish raw data. Use properly de-identified, aggregated data to limit exposure.
- Find a trusted partner who can handle as much of this as possible.
– Jason Williams, Vice President, Business Analytics, McKesson
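Williams’ point about publishing only properly de-identified, aggregated data deserves a concrete shape, because the details are where extracts go wrong. The following is an added example written for this article, not code from Health Management Technology or from McKesson. It drops direct identifiers, applies two HIPAA Safe Harbor generalizations that are easy to get wrong (three-digit ZIP with the restricted prefixes reported as 000, and ages over 89 collapsed into a single 90+ category), and then suppresses aggregate cells below a minimum count. The record layout, the minimum cell size of 11 and the restricted ZIP prefix list are assumptions noted in the code.

```python
"""De-identify and aggregate a constructed patient extract before it leaves
the production environment.

Added example for this article; not code from Health Management Technology
or from McKesson. The record layout, the minimum cell size and the
restricted ZIP prefix list are assumptions noted inline.
"""
from collections import Counter

# Direct identifiers dropped outright (a subset of the Safe Harbor list).
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "email", "dob"}

# Safe Harbor: a 3-digit ZIP prefix covering 20,000 people or fewer must be
# reported as "000". Assumption: this is the prefix list published with the
# rule (2000 census); verify against current guidance before relying on it.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Constructed sample extract: 12 similar patients plus two in a small ZIP area.
SAMPLE_RECORDS = [
    {"name": f"Patient {i}", "mrn": f"M{i:04d}", "dob": "1970-01-01",
     "zip": "02139", "sex": "F", "age": 44, "diagnosis": "J18.9"}
    for i in range(12)
] + [
    {"name": "Patient X", "mrn": "M9001", "dob": "1920-06-30",
     "zip": "03601", "sex": "M", "age": 93, "diagnosis": "J18.9"},
    {"name": "Patient Y", "mrn": "M9002", "dob": "1980-02-02",
     "zip": "03601", "sex": "M", "age": 33, "diagnosis": "A41.9"},
]


def deidentify(record):
    """Return a copy of `record` with direct identifiers removed and the
    quasi-identifiers ZIP and age generalized as Safe Harbor requires."""
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k != "zip"}
    zip3 = record["zip"][:3]
    out["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
    # Ages over 89 collapse into a single "90+" category.
    out["age"] = "90+" if record["age"] > 89 else str(record["age"])
    return out


def aggregate(records, keys, min_cell=11):
    """Count records per combination of `keys`, replacing any count below
    `min_cell` with None (suppressed). Assumption: 11 is the minimum cell
    size used here; use the value your data-use agreement requires."""
    counts = Counter(tuple(r[k] for k in keys) for r in records)
    return {cell: (n if n >= min_cell else None) for cell, n in counts.items()}


if __name__ == "__main__":
    table = aggregate([deidentify(r) for r in SAMPLE_RECORDS], ("zip3", "sex"))
    for cell, n in sorted(table.items()):
        print(cell, "suppressed" if n is None else n)
```

On the constructed extract the (021, F) cell is released with a count of 12, while the two men in the restricted ZIP area are reported under (000, M) and then suppressed. Two caveats a practitioner will want: suppressing one small cell in a table can be undone from row and column totals, so complementary suppression or rounding is needed before a table is released; and Safe Harbor de-identification does not prevent re-linkage when the data is combined with other data sets, so even aggregates should go out under a data-use agreement rather than being treated as public.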
There are a number of security controls established by organizations specializing in security that can help guide healthcare executives on where to invest time and energy. At ZirMed, we have implemented SANS 20 critical security controls because they are based on the forensic analysis of real-world breaches. Every healthcare organization needs to find and deploy a security guidance policy that is appropriate to the organization and do an internal risk assessment to see if it has the controls in place to mitigate risk and protect data.
– Chris Schremser, Chief Technology Officer, ZirMed