The cloud can help solve the healthcare IT crisis… with a well-planned journey
Part 1 of 5 of “Moving healthcare to the cloud”
Time to perk your ears up! If you haven’t been paying attention, the healthcare industry, whether you’re ready to admit it or not, is in the midst of an IT crisis. With an ever-increasing influx of security threats looming, healthcare IT leaders, now more than ever, need to embrace the power of change to transform how doctors, nurses, staff and patients consume IT. This was just one of the key themes presented back in March at the HIMSS18 conference in Las Vegas.
Threats are coming in from several fronts. Here are a few reasons why many CIOs and CTOs are finding it hard to get a good night’s sleep:
The fallacy of thinking compliance = a strong security posture
Some organizations think that abiding by regulations such as HIPAA makes them safe, but this has been proven to be incorrect. Let’s take a real public example. In February 2015, Anthem disclosed that criminal hackers had broken into its servers and had potentially stolen more than 37.5 million records that contained personally identifiable information. 20 days later, Anthem raised the number to 78.8 million records. According to Anthem, the data breach extended into multiple brands that Anthem uses to market its healthcare plans, including Anthem Blue Cross and Blue Shield, Amerigroup, Caremore, and UniCare. The security breach occurred even though Anthem was HIPAA compliant.
Vulnerable legacy equipment
For decades, manufacturers like Siemens, Bosch, Honeywell and others have built embedded systems that run on operating systems from the Stone Age—unpatched, insecure and vulnerable. An example of this includes Siemens medical scanners. Hackers can exploit trivial flaws in the network-connected devices to run arbitrary malicious code on the equipment. These remotely-accessible vulnerabilities lurked in all Siemens positron emission tomography and computed tomography scanners running Microsoft Windows 7.
Too many compliance mandates
It’s hard to keep up with changing mandates because healthcare organizations have patient data dispersed in many databases across the cloud, the network, and a multitude of endpoints. Sometimes they rely on paper as well. This makes it difficult to comply with the stringent regulatory requirements of HIPAA and HITECH and to safeguard PHI, PII and EHR. In addition, medical teams need to access this information quickly in order to meet the demands of timely care. Security teams are thus challenged to find a balance between patient data security and providing easy access to the information.
Ransomware continued to make the news in 2017 and the healthcare industry was not immune; in fact, it was a leading victim—Hollywood Presbyterian declared a state of emergency over a ransomware attack in February last year. The hospital isn’t saying exactly when it paid the ransom, but it looks like they waited at least a week to end the file-hostage situation. The hospital said the payment was 40 Bitcoin, which was worth around $17K at the time. An unnamed doctor told the press that the systems responsible for CT scans, documentation, lab work, pharmacy functions and electronic communications were out of commission. Email was also down, so the staff relied on pencil and paper. It was also reported that radiation and oncology were temporarily shut down.
Severe shortage of IT security personnel
According to Cybersecurity Ventures, there will be 3.5 million unfilled cybersecurity jobs by 2021. And for qualified security personnel, healthcare IT is not the preferred destination: Facebook, Google, AWS and other high-tech innovators are more attractive.
New age disruptors
Healthcare organizations have to manage insanely large data sets to make their training algorithms better and more robust. But an even bigger and more disturbing challenge is that non-health entities can now play ‘doctor.’ Findings of the research conducted by the Computational Story Lab, a group led by Chris Danforth and Peter Sheridan Dodds of the University of Vermont, show that Instagram knows if you’re depressed, Twitter can indicate PTSD, and Facebook posts can describe a region’s relative public health.
Identifying the right steps to take in the cloud journey
So, with all these developments as a backdrop, and as healthcare organizations look to the cloud as a panacea for everything, there needs to be a reality check on how to look at the cloud in the context of the current state and where healthcare is headed. To help organizations take on this challenge, this blog series will walk readers through the why, the what, and the how of ‘Cloud and Healthcare.’
The series will show how to identify what steps to take in the cloud journey. It starts with the next blog, which will focus on the why—Making the Business Case for the Cloud. The following chapter will delve into understanding what systems are ready for this journey, and frankly, which aren’t. We’ll also look at how you can make that distinction without bias.
The next blog will address the issue of how to assess the appropriate levels of risk for all the assets you are moving (or will be moving) to the cloud to ensure confidentiality, integrity, and availability. The fifth installment will focus on how to operationalize security. This includes the policy controls to put in place beforehand, how to monitor security, and how to react to any indications of breaches or potential breaches. It’s a team effort, so make sure you know who the players are and get your team ready!
Finally, we will look at the advent of artificial intelligence and machine learning, and how there is going to be an opportunity to gather more and do more with patient data, research, and analysis. But all of this should be backdropped with a clear ‘Code of Ethics.’ If you fail in the ethics arena, the fallout could be cataclysmic.
The need to embrace education
The cloud provides an amazing path for your healthcare organization to take a leap forward. You can not only address the security sins of the past in a comprehensive manner, but also set yourself up for success in this new age of healthcare IT that includes the Internet of Things, artificial intelligence and predictive medicine.
But using the cloud effectively, securely and consistently—truly understanding what the cloud can do for your organization and your patients, and setting your organization up competitively—requires you to embrace the need for education without bias. Hopefully, this blog series did just that!