May 05, 2017

Data Sharing Brings Explosion in Security Risks for Health Systems

Mary Caffrey
The rise of accountable care means health systems have more opportunities to share patient information, increasing the opportunities for hackers to penetrate their systems. The question isn't whether a health system will have a breach but when and how it will respond, experts said.
The era of accountable healthcare brings with it a host of new data-sharing requirements—among health system partners, contractors, and patients—and each exchange offers an opportunity for a breach that could cost the health entity thousands in fines and a loss of credibility.

It’s not a question of whether health systems will suffer a breach but when, as well as how they prepare and what plans they have in place to respond, according to a speaker and panelists who took part in an afternoon session at the spring meeting of the ACO and Emerging Healthcare Delivery Coalition®, an initiative of The American Journal of Managed Care® meeting May 4-5, 2017, in Scottsdale, Arizona.

Lee Barrett, executive director for the Electronic Healthcare Network Accreditation Commission (EHNAC), first offered attendees a roadmap of how the new landscape under the Medicare Access and CHIP Reauthorization Act (MACRA) creates new challenges for protecting institutional and patient data, beyond those that were already present under the Health Insurance Portability and Accountability Act (HIPAA).

Later, meeting chair Anthony Slonim, MD, DrPH, CEO of Renown Health, led a discussion among Barrett; Dan Konzen, campus chair, College Information Systems and Technology at the University of Phoenix; and Dan Hurley, vice president for Information Technology at Solera Health, which earlier this year achieved HITRUST CSF certification. The discussion revealed the stunning realities of modern healthcare cybersecurity, including the fact that some hospitals have paid ransom to hackers who threatened to take out their systems (none were named).

Barrett noted that data breaches recorded by HHS’ Office of Civil Rights soared in 2016, with 93 major attacks, representing a 63% increase over the previous year. While huge events like the theft of 78 million records from Anthem get the biggest headlines, Barrett said it’s the small practices that might not be able to recover from an attack, in part due to the reputation loss that could send patients elsewhere. And these small enterprises often think the hackers won’t bother with them, which Barrett said is not true.

More and more, accountable care organizations (ACOs) must share information with network providers, with non-healthcare partners, with quality reporting entities, and the government; at the same time, patients are logging into healthcare portals and using wearable devices, while connecting to the health system’s internet with their personal devices. Workers are using email, and contractors access the system. “All of these different streams and connection points add to the potential risk of any of this data being hacked, or having a breach,” Barrett said.

Hackers aren’t going away in healthcare for a simple reason: a stolen healthcare record is too valuable, he said. While a stolen credit card will be discovered quickly, a stolen health record may not be uncovered for months, giving the thief time to commit thousands of dollars in fraud, usually by getting drugs or medical devices, which are then resold.

Skimping on cybersecurity makes no sense, Barrett said, because the cost of recovering lost business and reputation after an attack can be $200 per patient record, compared with $8 per record for standard preventive steps, according to PwC.

What are the new standards? Barrett outlined a long list of steps for a security assessment, which he said should be repeated at least once a year. Each health entity must have clear policies that it follows, but that’s not enough. All staff must be trained regularly, and “documentation is a must,” he said. The OCR has requirements for reporting breaches and they must be followed—Barrett said the agency is more active than ever, and it must be taken seriously.

During the panel discussion, Konzen went further: “It’s not a matter of whether your system has been hacked. Every one of your systems has already been hacked, but you just don’t know about it.”

The panelists agreed that most problems start within the organization. Hurley said organizations can run tests—like Solera did—to see if employees click on bogus emails, so they can train staff not to repeat these mistakes.

Increasingly, third parties are a cause for concern—and getting coverage for cybersecurity will likely require healthcare organizations to not only become accredited themselves, but to only do business with vendors who are also accredited. “You’re still responsible for what the third party does,” Konzen said.

At the same time, outside parties can help. Hurley said a third party ran a test of a software platform to uncover vulnerabilities, which had to be corrected.

Going forward, Hurley said that health systems will need to pay close attention to following good procedures and educational plans, and documenting everything. If something happens, an investigator may ask, “Show me proof that you followed this process.”

“Don’t treat it as ‘check the box,’” Konzen added.

As more consumers interact directly with portals, and health systems upload data from mobile technology, the panelists said there will be movement toward a national system of patient ID authentication. Solera, which operates entirely in the cloud, already has multiple layers of authentication for the patients that interact with its system, Hurley said.

Dennis P. Scanlon, PhD, of Pennsylvania State University, asked the panelists if there was any way to streamline the data sharing process for health research, as he encounters vastly different responses from health systems when he requests records. Unfortunately, they said, the answer is likely “no.”

Each circumstance is different, Konzen said. “Everything to be looked at individually. You can’t standardize that.”
