There is a data security crisis looming in healthcare. The recent theft of 4.5 million patient records from Community Health Systems is a case in point. Nobody expects attacks like this will stop anytime soon, and the next one could happen today or tomorrow. It is like a perfect storm. First, healthcare is going through the honeymoon period of IT adoption, trailing many industries who accomplished this decades ago. Second, they are continuously generating exquisitely sensitive, HIPAA-protected data. And third, we live in a time where attack sophistication reaches new heights every day!
Is this tremendous risk high on the minds of people? Are we even aware? For sure, healthcare CIOs are, but concern has not yet sparked widespread action. The healthcare industry as a whole struggles when it comes to protecting sensitive patient information against new threats. And patients only seem to notice when, all of a sudden, they are notified about an incident by their local or regional, “data security-challenged” healthcare provider.
At a time when Meaningful Use, the Cloud, and Big Data are transforming healthcare, there is no broad awareness of healthcare data security risks. Instead, the focus is on Target, Home Depot, and others -- all of which have had major incidents this year.
Why is awareness so low? One reason is the sheer number of attacks. According to 2013 data from the Trustwave Global Security Report which analyzed nearly 700 incidents, retail is the leading sector with 35% of attacks -- healthcare sector attacks are only 2%.
Another reason is the fragmentation of the healthcare industry. In the US, there are more than 100 academic medical centers, nearly 6,000 hospitals, and 800,000 physicians. Compare this to the banking sector, where we see the fewest U.S. banks since the Great Depression.
While healthcare consolidation picks up in the wake of the Affordable Care Act, the effect of most individual attacks is local or regional and only rarely crosses state borders. So awareness builds slowly, and the quest for data security in healthcare, mandated by HIPAA, largely remains uncoordinated and isolated. The net result is very heterogeneous levels of protection.
The challenges will only become bigger. Pressure is mounting from many sides. Today, millions of consumers use Healthcare.gov and other sites to buy health insurance or to log into patient portals of their local healthcare provider. At the same time, large EMR providers are moving to browser-based front ends, and a growing number of healthcare providers create remote access to HIPAA-protected data for their physicians and other healthcare professionals. Practice Fusion, a cloud-based medical records company, holds data from more than 80 million patients. As healthcare gets ever more connected, entry points for attacks multiply.
Healthcare organizations must rapidly implement comprehensive data security solutions and practices. To reap sustained success, they need to instill a data security mindset in their people. Awareness needs to come first and hopefully not in the form of a disclosure.
Dr. Jasper zu Putlitz is the Founder and Managing Director of ansacloud LLC, a consulting firm focused on the health and life sciences industry. Dr. zu Putlitz was the president of Robert Bosch Healthcare Services, Inc, and was a partner of McKinsey & Company. Dr. zu Putlitz holds a Medical Degree from the University of Munich, and was a Research Fellow at the Harvard Medical School.