Health IT security is 'a collective problem'

Health IT’s integration into clinical practice will continue growing and it’s time for healthcare to commit to making a connected health landscape safer, according to Tim Zoph, keynote speaker at the Privacy and Security Forum hosted by the Health Information and Management Systems Society and Healthcare IT News.

“We’re heading down a path of sophistication, but we’re not doing it with the foresight of security,” said Zoph, senior vice president and CIO of Northwestern Memorial HealthCare in Chicago. “The reality is there are too few companies investing in cyber security.”

Since 2009, the Department of Health and Human Services has tallied a total of approximately 21 million individuals affected by the list of security breaches to date that involve more than 500 records. Surveys show that nearly two-thirds of patients affected by breaches lose confidence in the organization responsible and nearly one-third have considered changing providers due to privacy and security concerns, according to Zoph.

Security concerns remain despite increased utilization of consumer-grade technologies like smartphones and tablets. Zoph estimated that there were 300 Northwestern employees using personal mobile devices for work-related purposes in 2009 and 2,500 currently. The increased use of mobile devices is not a problem and is probably beneficial to patients and providers, according to Zoph. “The most natural device in healthcare is one that’s mobile and always on. We have those now. It allows our workers to get ever closer to patients.”

However, mobile and other technologies with healthcare applications often offer opportunities to subvert defenses. To make health IT security a top priority, Zoph offered five pieces of advice.  

  • Create a culture of security. Northwestern has “learned how to own this issue institutionally and is safer because of it.” Security extends beyond the healthcare IT and compliance teams to all departments and all executive leaders. Members of the Northwestern leadership take stock of what went wrong when adverse events occur and to understand the nonfinancial costs they place on patients.
  • Simplify the technology environment.  “Complexity is the enemy of many things and especially technology.” IT systems at most healthcare organizations are riddled with duplicity and waste. Streamlined IT architectures are easier to manage, offer flexibility and it doesn’t make sense to lay a security platform on top of an incoherent IT architecture.  Organizations shouldn’t wait to begin the process of simplifying IT systems. “Get it under control because it’s only going to get more complicated tomorrow.”
  • Get the structures right. Creating a secure environment for health information requires strong governance. Decisions about how to secure IT systems and data should be made by multidisciplinary groups and extend “all the way up to the board of directors.”
  • Apply standards-based security model. The lack of industry-wide standards for securing health information has been a barrier to security initiatives in the past. That’s changing with 62 percent of hospitals and 74 percent of insurers subscribing to standards developed by the Health Information Trust Alliance. “Regulations are only going to increase and we’re going to have to talk with one another to figure out how to do it… Let’s close ranks, work together and celebrate a secure future.”
  • Offer proactive leadership. Successful organizations fail because they believe their success will be self-sustaining, blinding them to potential problems. “Security is a blindspot. It has the potential to be the fall from grace.”

Health IT can become a powerful agent of change in healthcare, but the industry first needs to learn how to work with health IT tools without putting patients at risk. Clearer best practices will develop as research and knowledge continue snowballing, and health IT will lead to increased productivity and efficiency, according to Zoph. However, it will take a concerted effort. Security “is a collective problem and it requires every one of us to step up our game. We simply can’t do this alone.” 

Around the web

The tirzepatide shortage that first began in 2022 has been resolved. Drug companies distributing compounded versions of the popular drug now have two to three more months to distribute their remaining supply.

The 24 members of the House Task Force on AI—12 reps from each party—have posted a 253-page report detailing their bipartisan vision for encouraging innovation while minimizing risks. 

Merck sent Hansoh Pharma, a Chinese biopharmaceutical company, an upfront payment of $112 million to license a new investigational GLP-1 receptor agonist. There could be many more payments to come if certain milestones are met.