There were multiple IT security and ransomware sessions, which were among the most highly attended sessions at HIMSS this year. Many security statistics were shared at these sessions, ranging from the more than 100 million patient records that have already been hacked, representing approximately 30% of American citizens, to the Department of Defense (DOD) hack in 2015 that exposed 4 million patient records. We also heard that a skimmed credit card fetches about $3 on the black market, compared to about $60 per patient medical record file.
Identity and access management in the healthcare industry has historically been handled as part of on-premise infrastructure. This practice, coupled with aging networks, endpoints and the explosion of connected “smart” devices, from network printers and laptops to patient health management devices, not only makes the healthcare industry enticing to hackers but also makes its organizations extremely soft targets, resulting in huge paydays for attackers.
Though we can easily cancel credit cards, our date of birth, blood type, address, employment history and Social Security number are more difficult to change — and therefore can be used indefinitely for fraudulent purposes.
We are also seeing ransomware attacks like the recent one at Hollywood Presbyterian Medical Center in Los Angeles. In this case, hackers took over the hospital’s computer systems, including email and Electronic Health Records (EHRs), and demanded a ransom to give the facility back control of these vital assets.
Moving identity and access management solutions off premises to the cloud makes great security and financial sense. Plus, it helps enable role-based, multi-factor, affiliate-clinician access for new community-care delivery models.
There is no magic bullet solution. There are ways, however, to begin improving your Identity and Access Management (IAM) and security.
Re-engineer your risk analysis and plan. Angela Rose, director of health information management practice excellence at the American Health Information Management Association says annual risk analysis is no longer sufficient. “If your risk analysis is more than three months old, it’s out of date.”
Move identity management off premises. Is your health system a Microsoft Active Directory on-premise shop? If so, investigate moving your Active Directory off premises to the cloud, and leverage Azure Active Directory Premium for both enterprise and Bring Your Own Device (BYOD) users with the Enterprise Mobility Suite. Microsoft spends more than $5 billion a year on security and IAM. If, for the sake of argument, your health system were investing a billion dollars a year on this, you would still be about $4 billion a year behind what Microsoft is investing. Not using Microsoft? Investigate more secure, cloud-based solutions. Is your organization culturally concerned about cloud? Remember, this is about securing and maintaining provider identities, and patient portal identities; it does not mean moving all your patient records to the cloud overnight.
The business-to-business and emerging business-to-community IAM and multi-factor authentication solutions that enable a number of customizable, trusted attribute sources are the way of the future in helping not only define identity — they also link it across the health experience, and protect it much more effectively.
Many health systems are purchasing a minimum license, likely receiving some funding from Microsoft. Then they engage system information partners like BlueMetal to have their own Azure Active Directory instance and point-of-care sandbox set up. From there, it takes about six weeks to begin evaluating further. Is your health system preparing to deliver community-based care with mobile full-time equivalent and/or affiliate organizations? Enterprise Mobility Suite allows health systems to immediately terminate access from lost or stolen devices, even if they are employee-owned.
Is your primary PC operating system still Windows XP? Since the DOD hack and the post-mortem evaluation, the department has mandated a full enterprise-wide PC operating system upgrade to Windows 10. This way, the DOD can leverage modern and continuously updated asset management security, and terminate access to any lost or stolen devices.
Perform a smart device assessment. Smart devices, such as network printers, are easy targets for infiltrating health systems. As more devices connect to your network, make sure that, at a minimum, they have built-in capabilities to secure and encrypt them. Find the devices in your organization that have no firmware update capability and dispose of them.
In addition, engage with your partner(s) to assess your network hardware. Plus, develop a software update strategy for hardware that can be modernized, and an update strategy to replace hardware that can’t meet your security bar.
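The device and operating system assessment described above can be made repeatable with a small triage script. The following is an added example, not code from the post or from any vendor or partner it names: it runs over a constructed inventory export and sorts each record into upgrade, replace, update or ok. The Windows XP (April 8, 2014) and Windows 7 (January 14, 2020) end-of-extended-support dates are the published ones; the inventory fields (`firmware_updatable`, `supports_encryption`) are assumptions about what an asset-management export provides.

```python
"""Asset-inventory triage: added example with constructed data.

Flags endpoints running an operating system past vendor end-of-support
and network-connected devices that cannot be updated or encrypted, so
they can be prioritised for upgrade, firmware update or disposal.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Vendor end-of-extended-support dates. Windows XP's and Windows 7's are the
# published dates; extend this table from your vendors' lifecycle data.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}


@dataclass
class Asset:
    name: str
    kind: str                   # "pc", "printer", "medical-device", ...
    os: Optional[str]           # None for devices with no general-purpose OS
    firmware_updatable: bool    # assumed inventory field: vendor can ship fixes
    supports_encryption: bool   # assumed inventory field: built-in encryption


@dataclass
class Finding:
    asset: str
    action: str     # "upgrade", "replace", "update" or "ok"
    reason: str
    priority: int   # 1 = most urgent


def assess_asset(a: Asset, today: date) -> Finding:
    """Map one inventory record to a remediation action."""
    eol = END_OF_SUPPORT.get(a.os) if a.os else None
    if eol is not None and today > eol:
        # Unsupported OS receives no security fixes: upgrade takes precedence.
        return Finding(a.name, "upgrade",
                       f"{a.os} left vendor support on {eol.isoformat()}", 1)
    if not a.firmware_updatable:
        # No way to patch it, so it can never meet the security bar: replace.
        return Finding(a.name, "replace",
                       "no firmware update path; cannot meet the security bar", 1)
    if not a.supports_encryption:
        # Patchable but not yet secure: belongs in the software update plan.
        return Finding(a.name, "update",
                       "updatable but lacks built-in encryption; schedule update", 2)
    return Finding(a.name, "ok", "supported and encryptable", 3)


def assess_inventory(assets: List[Asset], today: date) -> List[Finding]:
    """Triage the whole inventory, most urgent first, then by name."""
    return sorted((assess_asset(a, today) for a in assets),
                  key=lambda f: (f.priority, f.asset))


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    Asset("ward3-pc01", "pc", "Windows XP", True, True),
    Asset("ward3-pc02", "pc", "Windows 10", True, True),
    Asset("lobby-printer", "printer", None, False, False),
    Asset("infusion-pump-7", "medical-device", None, True, False),
]
SAMPLE_DATE = date(2016, 3, 1)   # assessment date for the sample run


def sample_report() -> List[Finding]:
    """Triage the constructed inventory as of the sample date."""
    return assess_inventory(SAMPLE_INVENTORY, SAMPLE_DATE)


if __name__ == "__main__":
    for f in sample_report():
        print(f"{f.priority} {f.action:8} {f.asset:17} {f.reason}")
```

Passing the assessment date explicitly keeps the report reproducible: the same export re-run after a vendor's end-of-support date moves those hosts from ok to upgrade without any other change.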
One of the best pieces of advice I’ve ever received in my 17 years in global health IT and solutions was from a large health system CEO who said, “We are like a fingerprint or DNA. Every health system has similar traits, but there is not one other health system exactly like us with our history, IT systems, and mergers and acquisitions activity.”
The market is flooded with a multitude of point solutions and emerging EHR vendor capabilities that address rapidly emerging industry needs. Before spending a small fortune on any point solution, spend a few weeks on discovery and on advising your leadership team. Help them understand how quickly and affordably customized solutions that exactly meet your health system’s needs can be created and deployed, especially for collaboration, data interoperability and advanced analytics.
We regularly take a vertical slice of a client health system’s challenge and solve it in four to six weeks. Then we evaluate and begin solving more of the problem in further lean engineering and development sprints. I regularly meet with executives of health systems. Let’s say they have the latest and greatest EHR full stack implemented. I don’t focus on the value they are getting. I focus on learning the questions the executive team would love to ask of their data but that their systems can’t answer, and then spend four to six weeks solving that.
Please join my call to action for HIMSS17. I want to develop a solutions innovation forum composed of modern applications that use existing systems and investments, and that were built and deployed in less than six months for under $250,000 with demonstrable Return On Investment (ROI). That’s possible today, and there needs to be a forum to learn about and leverage rapid innovations that can be modular, role-based and easily customizable.
HIMSS 2016 was a great industry rally point in our shared journey to transition from traditional fee-for-service to value-based care delivery, which represents the greatest transformational care delivery effort in our nation’s history. There are more technologies and solutions than ever to help health systems, from identity and access management to population health, care coordination, and predictive and prescriptive analytics that support both business and care-delivery optimizations.
I commonly hear from chief information officers each year at HIMSS, “There are a lot of great solutions and technology, but I can’t afford all of it and don’t have any of this deployed in my health system.” While this recurring statement is true, the questions that need to be answered are: