Cyber Security is a Major Concern for Health IT


When the average consumer considers the term "cyber security," they initially think about identity theft or credit card fraud.  Rarely would someone equate data breaches with the healthcare world.  In February 2015, all of that changed when it was discovered that the personal information of 80 million customers and employees of Anthem, Inc. had been compromised in a major database breach.  With the FBI investigation still ongoing, it is believed that the compromised data could include names, dates of birth, Social Security numbers, addresses and email addresses.  Investigators do not believe that credit card or medical information was included in the breach.

This cyber-attack on the Anthem servers is the second breach in three years, raising red flags and sounding alarms throughout the industry.  The exposure to additional data security attacks is not insignificant when you examine the variety of ways that the information is handled.  The sheer volume of storage locations and proprietary protocols makes this a problem that needs addressing sooner rather than later.  Computer servers in thousands of hospitals, medical practices, and insurance companies around the world store patient information.  All of these systems contain site- or company-specific programs and hardware.  Compounding this issue is the recent creation of the national health care exchanges for the Affordable Care Act, readily exposing the magnitude of the problem.

Internet security experts predicted that an information breach of this scope was inevitable, and, in this case, the compromise encompassed all of the Anthem Blue Cross brands and other lines of business.  While this latest cyber-attack was not unexpected, the question remains: How do we prevent future breaches?

The question itself is simple enough. However, the answer is far from it.  Healthcare IT experts are currently being pulled in multiple directions.  On one front, they are working on federal regulations requiring the adoption of electronic health records (EHRs) designed to ensure that providers have patient medical information at their fingertips.  On the other, they have to strike a balance in building security into the equation to protect the very patient data they are tasked with making available.  The result is an unprecedented expansion of resources being diverted to Information Technology by healthcare organizations.

In February of 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law as part of the American Recovery and Reinvestment Act.  HITECH promoted the expansion of EHRs through incentives and grants.  At the same time, HITECH strengthened civil and criminal enforcement of patient privacy and security concerns.  A final piece of the Act provides for the establishment of fines and penalties for health care organizations that are not demonstrating “meaningful use” of EHRs.  Some experts argue that the legislation has contributed to an environment where organizations and providers have focused on implementing EHRs to avoid penalties.  Subsequently, the lack of collaborative solutions has led to a continuation of proprietary and insular solutions.

No one will argue that the recent cyber-security issues haven’t been extremely disruptive to health care providers and insurance companies here in the United States and around the globe.  However, the situation is not all doom and gloom.  The attacks have shone a very bright light on the subject of data security and created an environment where technology experts are being forced to re-think their approach to managing health care data.  Reinforced by provisions in the Health Insurance Portability and Accountability Act (HIPAA), organizations are quickly learning to strike the right balance between data accessibility and secure data storage and management.  Another takeaway for the industry is that the data security solution is not all system-based.  Instead, it is a comprehensive approach combining software and infrastructure, hardware security, and staff awareness and training.


