In my last blog, I discussed some of the actions that the legislative and executive branches of the federal government have taken to deal with cyber threats. The healthcare security and privacy issues are extremely challenging to solve and will continue to grow more complex. CMS security leaders spoke recently at their monthly “Tech Topics” forum about how they are moving towards a more holistic framework to deal with security risks instead of a focus on correcting individual risks.
CMS feels that each identified risk should be looked at in terms of how it relates to the others and to the overall enterprise security risk, and less as a discrete entity. I think that is the right approach. My biggest concern as CIO was unknown risks more than those I was already aware of. Ensuring appropriate security and privacy is a moving target, tied not only to IT risks but also to business risks, including potential financial damage, reputation, and blowback from various stakeholders. Too often both privacy and security are looked at from an “audit mentality” instead of being seen as an integral part of doing business in today’s increasingly networked environment. Good security and privacy practices really depend on several factors:
- Having and enforcing the right security and privacy policies, processes, and framework to minimize risks as much as possible. HIPAA is a floor; HITRUST certification is more encompassing. Policies need to be flexible and able to evolve as the technology and business models continue to change.
- Getting all stakeholders engaged and recognizing that security and privacy are not just an IT shop problem or a privacy official problem. A lot of what compromises PHI or creates a security breach is poor “hygiene” and lack of diligence, often on the business side.
- Constant education, not from a gotcha or audit standpoint, which is often the theme of security end-user training, but as a shared partnership where both the business and technical teams take an active role; both need to understand how to balance the various risk and business factors.
- Good communication is critical. Many organizations try to hide vulnerabilities or treat a breach or disclosure as a public relations issue rather than fully educating those impacted.
There are also actions that need to be done for the overall ecosystem including:
- HHS really needs to step up and take a leadership role, not just an auditor’s role, by doing more to promote and reiterate best practices and by working with other parts of government to deal with new threats. Many private players also need to step up, but HHS needs to lead, especially given the critical importance of healthcare as almost 1/5 of the US economy. I agree in principle with the idea of an overall HHS lead, but that position needs to have sufficient clout and resources to be more than a title.
- HHS, because of its vast reach into the healthcare sector, has a tremendous ability to communicate with all the players in the industry. They need to leverage the infrastructure of CMS’ and other Department regional offices, the Quality Improvement Organizations, and other resources to integrate good security training and education for providers and others into their overall outreach and oversight work.
- Dedicated NIST, DHS, and other government security expertise needs to be fully integrated with HHS and its operating agencies. Steps have been taken in this direction, but more needs to be done.
- The private sector technology companies who are making big bets in the health space need to show more leadership in bringing to healthcare the best security practices they have learned from their work in other sectors such as financial services. This is not just about selling products and services but about contributing information for the common good.
- Congress needs to hold HHS and industry accountable for ensuring that they have the appropriate privacy and security safeguards in place, not only for today’s environment but also in preparation for the world that is coming in the very near future: 5G networks, more entities not covered by HIPAA, vast new sources of data coming from disparate sources, etc. Congress also needs to look at HIPAA and other legislation to see where changes need to be made.
- HHS and others need to facilitate a standards and business policy infrastructure that allows for much faster innovation of new technologies that can help improve healthcare security and privacy. The current standards processes are not set up to support the world of blockchain and other promising technologies.
Healthcare is the largest segment of the US economy and provides more jobs than any other sector. It is also a complex industry with increasing cost challenges as well as quality concerns. Healthcare needs innovation to build better business models and take full advantage of new technologies that are changing other industries, but innovation must occur in a way that ensures privacy and security are prioritized and not compromised. If not, there could be catastrophic effects on the healthcare system with losses in lives, services, and perhaps most importantly the public’s trust in digital health.