A dazed awareness of security risks in health IT has bubbled up from the shop floor administrators and conformance directors (who have always worried about them) to C-suite offices and the general public, thanks to a series of oversized data breaches that recentlh peaked in the Anthem Health Insurance break-in. Now the US Senate Health Committee is taking up security, explicitly referring to Anthem. The inquiry is extremely broad, though, promising to address “electronic health records, hospital networks, insurance records, and network-connected medical devices.”
The challenge of defining a strategy has now been picked up by the US branch of the Association for Computing Machinery, the world’s largest organization focused on computing. (Also probably it’s oldest, having been founded in 1947 when computers used vacuum tubes.) We’re an interesting bunch, having people who have helped health care sites secure data as well as researchers whose role is to consume data–often hard to get.
So over the next few weeks, half a dozen volunteers on the ACM US Public Policy Council will discuss what to suggest to the Senate. Some of us hope the task of producing a position statement will lead the ACM to form a more long-range commmittee to apply the considerable expertise of the ACM to health IT.
Some of the areas I have asked the USACM to look at include:
- Cyber-espionage and identity theft
- This issue has all the publicity at the moment–and that’s appropriate given how many people get hurt by all the data breaches, which are going way up. We haven’t even seen instances yet of malicious alteration or destruction of data, but we probably will.
Members of our committee believe there is nothing special about the security needs of the health care field or the technologies available to secure it. Like all fields, it needs fine-grained access controls, logs and audit trails, encryption, multi-factor authentication, and so forth. The field has also got to stop doing stupid stuff like using Social Security numbers as identifiers. But certain aspects of health care make it particularly hard to secure:
- The data is a platinum mine (far more valuable than your credit card information) for data thieves.
- The data is also intensely sensitive. You can get a new credit card but you can’t change your MS diagnosis. The data can easily feed into discrimination by employees and ensurers, or other attacks on the individual victims.
- Too many people need the data, from clinicians and patients all the way through to public health and medical researchers. The variety of people who get access to the data also makes security more difficult. (See also anonymization below.)
- Ease of use and timely access are urgent. When your vital signs drop and your life is at stake, you don’t want the nurse on duty to have to page somebody for access.
- Institutions are still stuck on outmoded security systems. Internally, passwords are important, as are firewalls externally, but many breaches can bypass both.
- The stewards/owners of health care data keep it forever, because the data is always relevant to treatment. Unlike other industries, clinicians don’t eventually aggregate and discard facts on individuals.
- Numerous breaches of public data, such as in Washington State, raise questions about the security of data that is supposedly anonymized. The HIPAA Safe Harbor, which health care providers and their business associates can use to avoid legal liability, is far too simplistic, being too strict for some situations and too lax for others.
Clearly, many institutions sharing data don’t understand the risks and how to mitigate against them. An enduring split has emerged between the experts, each bringing considerable authority to the debate. Researchers in health care point to well-researched techniques for deidentifying data (see Anonymizing Health Data, a book I edited).
In the other corner stand many computer security experts–some of them within the ACM–who doubt that any kind of useful anonymization will stand up over the years against the increase in computer speeds and in the sophistication of data mining algorithms. That side of the debate leads nowhere, however. If the cynics were correct, even the US Census could not ethically release data.
- Patient consent
- Strong rules to protect patients were put in place decades ago after shocking abuses (see The Immortal Life of Henrietta Lacks). Now researchers are complaining that data on patients is too hard to get. In particular, combining data from different sites to get a decent-sized patient population is a nightmare both legally and technically.
- Device security
- No surprise–like every shiny new fad, the Internet of Things is highly insecure. And this extends to implanted devices, at least in theory. We need to evaluate the risks of medical devices, in the hospital or in the body, and decide what steps are reasonable to secure them.
- Trusted identities in cyberspace
- This federal initiative would create a system of certificates and verification so that individuals could verify who they are while participating in online activities. Health care is a key sector that could benefit from this.
Expertise exists in all these areas, and it’s time for the health care industry to take better advantage of it. I’ll be reporting progress as we go along. The Patient Privacy Rights summit next June will also cover these issues.