Health IT Trends

2014 was a year of contrasts and contradictions in Health IT privacy and security. At Health Datapalooza (hosted by the Health Data Consortium in Washington DC) the message was clear: open up the data. The conference collectively argued that only by freeing massive amounts of patient and provider information for innovation and analysis (albeit in a responsible and collaborative way) would we generate new insights and discoveries in patient care. In stark juxtaposition, just a few days later and only a few miles away in DC, we heard a different story at the Health Privacy Summit (hosted by Patient Privacy Rights): lock down the data. This conference was founded on the premise that as health data become increasingly interconnected, the number of health privacy breaches increases, and access to health data needs to be controlled in order to secure private health information.

While there is plenty of common ground between these two positions, there remains a significant chasm to cross before a reasonable framework is agreed upon. Leaders in the healthcare industry, both private and public, have been put in the unenviable position of being accountable for using healthcare data effectively without compromising patient privacy or the security and integrity of their systems. This conundrum was at the forefront of the discussion at this year's Security & Privacy CXO Priorities (HTRAC) and GOV/CXO Collaboration (GTRA) summit in Lansdowne, VA.

From Dec. 7th to 9th, I had the opportunity to join top executives from hospitals, insurance companies, government agencies, and service providers to discuss the security and privacy threats facing the healthcare industry and the solutions that are overcoming these challenges. What stood out to me as different from other Health IT gatherings and discussions was a frank and humble approach to systemic weaknesses, and a collective determination to find practicable and meaningful solutions.

We’ve all read the headlines – Health care data breaches have hit 30M patients and counting, Healthcare vulnerable to cyber attacks, 80 percent of patients worry about health data security, Hospital to pay millions after data exposed, and the list goes on. The challenge, however, is the ignorant bliss that forms the foundation of many organizations’ cybersecurity posture: “That will never happen to us. Our data is safe.” In reality, data sharing among business associates, health information exchanges, and data collaboration in general widens the attack surface and increases the likelihood that any organization can be breached. These days, the question is not whether you’ve been breached, but whether you know about all the breaches that have inevitably occurred.

Gen. Keith Alexander, the former commander of U.S. Cyber Command, discussed how the accelerating pace of technological change is reshaping many CIOs’ roles and responsibilities in the healthcare industry. Healthcare organizations are hiring more CISOs too as the number of breaches increases. Speaking to healthcare executives, administrators, managers and beyond, the former general put it bluntly: “You all have a tough job.” As we dug further into these issues, this became more and more apparent.

Discussions at the summit alternated between panel discussions and breakout table conversations. While the panel discussions were both informative and insightful, it was the table conversations that I really enjoyed. Groups of 5-10 individuals would share a table and embark on a 30 minute discussion that usually started with a prompt, but always resulted in a candid discussion about shared experiences. At first glance, the backgrounds of group members seemed rather disparate in perspective and needs – one wonders what a hospital CTO, a vendor COO, a physician, and a database engineer all have in common. However, from this diversity, as so often occurs, came insight – several of the issues discussed resulted in a potential solution, or at least something worth trying. For instance, one security manager had an issue with confusing data that was confounding her audits. An engineer from a completely different organization had experienced a similar issue, and it turned out to be the result of physicians using multiple sign-ins, so a single clinician’s activity was scattered across several accounts in the audit trail. They exchanged emails, and the beginnings of a solution were born.

In his keynote address, Frank Baitman, CIO of the US Department of Health and Human Services (HHS), said that the three most important aspects of Health IT are privacy, security, and collaboration. While protecting private health information is a top priority for healthcare execs, building security and privacy in healthcare requires trust and transparency.

Beyond this two-way communication, organizations need to be willing to admit publicly when they have been breached. Regardless of whether the fault lies with employee error or an external attacker, sharing contextual information about privacy and security breaches can help protect others and increase the speed at which we learn how to better manage various types of threats. Only recently have companies been required to report breaches to the public, but fines and regulations can’t be our only motivation for being better communicators.

One exec went as far as to suggest collaboration with competitors. “See what others have for challenges and how they compare to yours.” This type of vulnerable professionalism is hard to come by in today’s business world. Generally, it’s a cultural challenge for healthcare organizations, which must balance the spirit of research against protecting their patients.

It was mentioned several times at the summit that everyone in an organization plays a role in security. Breaches that cannot be prevented need to be caught quickly, and all employees need to have the means, knowledge, and initiative to report vulnerabilities or suspicious events. But this means more than training. Employees should feel safe raising security and privacy risks without putting their title or position at risk.

Information cannot stay in a debrief meeting either. While risk management is an executive-level responsibility, everyone throughout the organization needs to be informed about security threats and practices. One privacy officer stressed that middle managers need to have more stake in the game as well. This tier typically handles medical errors and complaints already, but is often not treated as part of the solution when it comes to cybersecurity.

There were some truly tough practical and ethical questions posed at this summit. One health care administrator posed this hypothetical: How do you recover from 72 hours of no access to electronic medical records? It’s a great (albeit terrifying) question. If a retailer lost access to its data system, it could still take cash and keep a paper ledger. But what would a hospital do? Does your organization have a protocol for this type of outage?

Not every question was met with a perfect answer. Nevertheless, it’s clear that many leaders in the healthcare industry are stepping up to the plate, ready to acknowledge the problem, share their organization’s mistakes, and help solve it. I think Frank Baitman put it best: “IT is the foundation for all change in Healthcare.” So how can we leverage technology to ensure it pushes health care in the right direction? Get everyone involved, share ideas, and facilitate an environment open to the critical feedback that drives change and innovation.

About the Author: Nick Culbertson is a medical student at the Johns Hopkins University School of Medicine. Nick participated in the HTRAC/GTRA summit as the first member of our Student Leaders program.


Resource Allocation, Strategic Recruitment, Metrics

Medical Device Security: Threat Assessments, Stakeholders, Compliance

HIPAA, HITECH, Meaningful Use, ONC Audits

Cloud Security: Vendor Selection, Identity/Access Management, Disaster Planning

Cyber Security: Attack Types, A&IM, Monitoring, Metrics, Awareness/Education

Mobile Security: BYOD, MMS/SMS, Cultural Adaptations

Data & Patient Privacy: PHI/PII, Migration, Sharing, Storage, Encryption

Risk Assessment & Management: Risk vs Opportunity, Proactive Strategies, NIST 800-53