Introduction
Raymond Willis
CYBERSECURITY
Collective brain trust
Director, Privacy and Security. HIMSS
Commitment to improve
Sharing know-how and resources
Are people the problem?
These two security professionals emphasized that data security breaches most commonly happen because of people, not necessarily technology. Therefore, that’s what organizations need to concentrate on to protect their data.
Genomics in action
The state of healthcare IT security
An #HITSecurity Twitter post highlighting the Fortinet Health study was one of the most re-tweeted at HIMSS17, exposing the message to some 290,000 followers at HIMSS17.
$10.85 Billion
The healthcare security market will hit $10.85 billion by 2022, according to Fortinet Health.
Transforming traditional healthcare organizations into research enterprises requires reorganizing health IT resources, whether participating in large-scale research projects or building targeted treatments in-house. Partnerships can provide the processing power and virtual storage needed.
Pulling in biomedical data
The HIMSS17 Cybersecurity Forum brought together a variety of stakeholders to explore current challenges and the road ahead in the cybersecurity journey. Some of the valuable lessons learned were shared.
Cybersecurity Forum lessons
Research conducted by HIMSS Analytics shows that the average number of internal and external employees fully dedicated to security rose from 58 in 2015 to 68 in 2016. And the number of IT employees dedicated to security rose to 29 from 17 over the same time period.
Consider the following...
A report from Symantec
Our Collective…
Intelligence Capabilities Know-How
Commitment to improve the security
THREAT!
Sync for Science Privacy and Security:
wants to create and adhere to best practices for safe handling of those data sets
Sync for Science:
hopes to find an easy, safe way for patients to share EHR data with researchers
Among the Pilot Programs...
According to presenters Jason Levine, MD, from the National Institute of Health, and Adbul Shaikh, PhD, MHSc, of PwC, the following biomedical data can bring the most value to precision medicine programs
Types of biomedical data
Not likely to subside
Security challenges:
There’s no rest for the wicked – and, therefore, no rest for their virtuous counterparts who are trying to keep healthcare data safe. Indeed, challenges are growing more and more difficult as time marches on, according to two leaders whom HIMSS17TV interviewed:
6 strategic principles...
While taking these actions, the VA has relied on the Department of Homeland Security’s principles to secure IoT:
- Prioritize security measures according to potential impact
- Promote transparency across IoT
- Incorporate the security at the design phase
- Connect carefully and deliberately
- Promote security updates and vulnerability management
- Build on recognized security practices
how insurers there’s support for precision medicine.
Who’s afraid of the cloud?
SECURITY
Cybersecurity is not just a topic discussed at security conferences anymore. Instead, cybersecurity is the topic of discussion everywhere – including at HIMSS17. Everyone has at least some comprehension of what cybersecurity means. The health sector, though, has had to come to terms very quickly with these quintessential questions: “How do we do this? Who do we need? What do we need? And, do we have adequate resources to do this?"
The Critical Role of IT
Grand Vision of Precision Medicine
Tom Sullivan
editor-in-chief Healthcare IT News
Take cancer, for instance, as it’s everyone’s favorite example. Whether the federal government’s Cancer Moonshot or cutting-edge providers undertaking work of their own, precision medicine initiatives promise the ability to analyze massive data sets, pinpoint large-scale trends within broad patient populations and then, in turn, apply that knowledge to personalized treatment regimens. And that will require transforming data from a raw material into the actionable asset that is information.
Precision Medicine in Action...
WHERE DO WE GO FROM HERE
Chuck Spurr
“It used to be that data in the healthcare world was the second tier [for hackers]. People weren’t going after it. Now people are going after it a lot harder and faster. They no longer just want the social security number. It is the entire medical record they really want. Now you have to protect yourself completely. Now, we are moving into telemedicine and other things and we are expanding all of our tools. So as we expand our tools out we are expanding our footprints and risk, and that really gets very difficult. So it is much more complicated than it was five years ago.”
CIO, Shields Health Care Group
“We’ve reached a tipping point...”
Executive Director, Medical Device Innovation, Safety and Security Consortium (MDISS)
Dale Nordenberg
Many healthcare organizations are discovering that the time is now to address Internet of Things (IoT) security.
"We were the only ones talking about the cybersecurity of medical devices five years ago. We know that as each year passes, the risk of cybersecurity to any computing devices is increasing. As health care drives to improve data exchange and interoperability, we have created increased risk and cyber vulnerabilities...We’ve reached a tipping point. Most every hospital is approaching medical device security from an informed, rational perspective.”
Innovation Preconference Symposium Keynote
#PrecisionHIT
Tamara StClaire
HIMSS17 Social Media Ambassador and previous Chief Innovation Officer, Conduent Health
“Despite Gartner's caution, a lot of people believe there's going to be momentum and acceleration. Blockchain will not replace, but will re-architect many incumbent systems to remove friction and provide for new business models and greater efficiencies in healthcare. It’s time to bring healthcare infrastructure into the future. The question is . . . will we take it?”
Cybersecurity Forum lessons
Frank Abagnale
“Every breach occurs because someone in that company did something they were not supposed to do or because someone in that company failed to do something they were supposed to do."
Indeed, instead of trying to penetrate through complex technology safeguards, hackers are more likely to forge attacks by looking for one of those people who failed to do something they were supposed to or did something they were not supposed to do.
Additionally, there’s a wealth of data being generated by consumer wearables that provides physicians important feedback and patients with more accountability to follow care plans.
Providing physicians important feedback
A wealth of data being generated by consumer wearables
Better Leveraging EHRs
Empowering patients with more accountability to follow care plans
Chief among them are security and privacy concerns. In a preconference interview, biomedical informaticist Nephi Walton warned precision medicine will not be fully realized until data siloes are gone and central repositories are available to clinicians worldwide.
The Solution?
#2 Technical, Legal & Cultural Hurdles
A recent NEJM Catalyst Insights survey...
“The landscape is shifting from one of despair over the unfulfilled promises of big data to a more realistic vision of what sophisticated analytics can do to transform care delivery,” wrote Amy Compton-Phillips, MD, a chief clinical officer for Providence St. Joseph Health.
When considering the possibilities presented by precision medicine, work being done in genomics and pharmacogenomics typically comes to mind
Genomics on the frontlines
Who’s leading the charge?
One organization pushing the envelope is the Inova Translational Medicine Institute, which does research and clinical applications in genomic medicine: using what is known about the human genome to improve patient care.
“I think the best example we know of right now is cancer risks. We know patients can have variants and preexisting conditions that expose them to cancer, and that feels well developed.”
John Deeken, MD, interviewed for HIMSS17 TV on the showroom floor.
Genomics in action
Case Study: Tonsillectomies
Now researchers are discovering genomic underpinnings to a wide range of diseases – both pediatric and adult illnesses. They are leveraging genomic sequencing to apply more precise treatment plans and reduce adverse effects from medications.
What we must achieve through Cybersecurity
Cybersecurity is not just about technology solutions – although we do need technology solutions to help secure the technology that we do use. Cybersecurity’s main objectives are to ensure confidentiality, integrity and availability of information, such as patient information, business information and other types of information that an organization either needs to protect or needs to use in some shape, way or form. Unauthorized destruction, alteration and disclosure constitute the antithesis of what we want to achieve.
What we must avoid through Cybersecurity
▪ Confidentiality
▪ Integrity
▪ Availability of Information
▪ Unauthorized Destruction
▪ Alteration
▪ Disclosure
MD
“Our genes don’t change, so those results are good for their lifetime.”
Improved cancer care remains a top priority for those working in precision medicine. It also means organizations serious about more individualized care plans must have IT ecosystems that can scale quickly and share clinical data securely across a wide range of platforms.
Shooting for the Moon: IT Infrastructure Requirements for Data Sharing
In this popular presentation on precision medicine, Syapse founder Jonathan Hirsch and Paul Tittle, systems director for Providence St. Joseph Health, gave real-world examples of data pools across multiple institutions intercommunicating to gain treatment insights. Their recommendations included early lessons learned from the Oncology Precision Network (OPeN) that is expected to handle 136,000 cancer cases annually and involve almost 600 oncologists and 241 hospitals when fully rolled out...
Reimagining HIT and cancer care
2017
Fast forward to today and blockchain is all the buzz in healthcare. In fact, Tamara StClaire, a HIMSS17 social media ambassador and previous Chief Innovation Officer at Conduent Health (formerly known as Xerox Healthcare), made the case that the bitcoin-derived secure digital ledger technology might offer the answer to a variety of long-standing healthcare challenges during Blockchain in Healthcare: A Rock Stars of Technology Event.
Blockchain & Bitcoin
Cybersecurity
2008
2017: Blockchain & Healthcare
Blockchain & Healthcare
Use Cases
Blockchain:
the next big thing?
2008: Blockchain & Bitcoin
Cybersecurity is one of the applications that often pops up in these blockchain discussions. Blockchain can build on trust by providing a new dimension to security with cryptography techniques that create privacy and confidentiality to data and transactions. In addition, having multiple checkpoints rather than one single gateway for sensitive data can also improve security.
In 2008, a person using the pseudonym Satoshi Nakamoto published a white paper introducing bitcoin and the applications of blockchain. Blockchain is the underlying layer for “bitcoin and is a design pattern consisting of three main components: a distributed network, a shared ledger and digital transactions.”
Potential
“The only way we’re going to move the standard of care ahead for cancer is with research. What genomics is helping us do is be smarter about how we treat cancer.”
Mark Lewis
Gastroenterology Oncologist and HIMSS17 Precision Medicine Symposium keynote speaker on how Utah’s Intermountain Healthcare’s precision medicine program had improved cancer patient outcomes while reducing treatment costs.
However, while healthcare leaders might not be quite as tenuous as they once were, they are still proceeding with caution...
Protecting PHI
A CIO’s journey
Like the frontiersmen who led the first expedition into the western United States, technology providers are teaming with renowned cancer centers to discover new ways to leverage genome sequencing for more tailored treatment plans that aid individuals and contribute to population health.
exploration of precision medicine
The Pioneers in Precision Medicine
The Goal...
The ambitious project, outlined in a HIMSS17 education session, hopes by 2020 to provide researchers and clinicians with genomic data needed for targeted treatment plans – within one day.
The Upshot
Participation in the Collaborative Cancer Cloud is expanding, both among medical communities to enlarge patient data pools and with developers contributing code to the federated, secure cloud-based network.
The Big Picture
The Collaborative Cancer Cloud
Patient-generated data in the near future
What may be more telling is the number of healthcare leaders expressing support, perhaps even financial commitments, to use genomic data and patient-generated data to provide customized care options.
Indicates the use of genomic data will be among the top three sources of healthcare data within the next five years, even if the industry has a lot of ground to make up for such use to become a reality.
Keeping the focus on security
Industry leaders laid the groundwork for security discussions at HIMSS17 in advance of the conference. For example, Vanessa Carter, ePatient Advocate and HIMSS Social Media Ambassador, posed the following questions in a Twitter chat:
Apparently, healthcare organizations are no longer quaking in their boots...
According to the HIMSS 2016 Cloud Survey
Cybersecurity: a pressing concern
Lee Kim
Director of Privacy and Security, HIMSS
The health sector has had to come to terms very quickly with these quintessential questions:
- How do we do this?
- Who do we need?
- What do we need?
- Do we have adequate resources to do this?
“EMRs, and even our own data warehouses, can’t compute the volume of genomic data and aren’t well-suited to the workflow. This is not an academic exercise: This is trying to better patient care.”
Mark Lewis, MD, of Intermountain Health said during a HIMSS Precision Medicine Symposium keynote
Challenges to precision medicine adoption
Among the barriers to precision medicine being widely adopted, according to HIMSS17 presenter Meredith Reichert, are
What the studies say...
Produced by
Embracing cybersecurity across the healthcare enterprise
All in: Embracing cybersecurity across the healthcare enterprise
IN FOCUS
Sponsored by
Providers ranked privacy, security and cybersecurity as the most pressing clinical IT issue for the year ahead, while vendors and consultants put the same issues at the top of their lists of priorities for their clients, according to findings from the 2017 HIMSS Leadership and Workforce Survey.
26%
Twenty-six percent of U.S. consumers have had their personal medical information stolen from healthcare information systems, according to results of a new study from Accenture released during HIMSS17. In addition, the survey of 2,000 U.S. consumers found that the breaches were most likely to occur in:
Hospitals (36%)
Urgent-care clinics (22%)
Pharmacies (22%)
Physicians’ offices (21%)
Health insurers (21%)
81%
Eighty-one percent of U.S. healthcare organizations and 76% of global healthcare organizations will increase information security spending in 2017, according to the 2017 Thales Data Threat Report, Healthcare Edition from cybersecurity technology and services vendor Thales and analyst firm 451 Research.
Mitch Parker
Executive Director, Information Security and Compliance, Indiana University Health
Lesson 1: Security needs to be part and parcel of an overall information technology strategy.
“Risk assessments are more than checked boxes. It should include evaluating dependencies within an organization and determining the role of each department. To accomplish this, organizations need to put together a communication plan that focuses on activities to share that strategy – like a designated person to talk to patients and explain how the efforts are executed.”
Successful security initiatives start with a "culture of awareness" in the boardroom. "Without support from the top, you’ll continually be going against the grain."
Timothy Torres
Senior Deputy CISO, Sutter Health
Lesson 2: Leaders have to whole-heartedly embrace security issues.
Consolidated CDA score card so organizations can rate their interoperability efforts against others’
Interactive web tools to measure how well the industry is advancing in becoming interoperable
Alliance-based Sync for Science pilot program that, when built out, should allow someone to more easily donate data for research using an app tied to their electronic health data
the original collaborators behind an open-source Platform-as-a-Service solution called the Collaborative Cancer Cloud.
Intel and the Knight Cancer Institute at Oregon Health & Science University (OHSU)
The Ontario Institute for Cancer Research and Dana-Farber Cancer Center
now also sharing molecular and imaging data as part of the program.
Each partner retains control of its patients’ data for patient privacy while sharing insightful cancer treatments so that clinicians, researchers and patients benefit.
The Intel-OHSU precision medicine analytics platform complements other multi-institutional big-data analytics initiatives. The grand vision is ongoing efforts to support lifesaving discoveries for numerous diseases. For now, the focus is on improving cancer treatments.
Cultural
Oncologists may not have the backgrounds in genomics and physicians may hesitate to travel down a path of unproven benefits.
Infrastructure
It’s expensive to build a precision medicine platform that includes sequencing capabilities; bioinformatics and clinical decision support tools; and specialty pharmacy access.
Clinical evidence
Beware of gaps between knowledge and evidence for a new standard of care; also, the lack of a clear path to evidence can be a problem for both clinical implementation and payer reimbursement.
Misaligned incentives
Payers, providers and patients aren’t aligned on appropriate use, impacting reimbursement for precision medicine, particularly since healthcare at present remains primarily fee for service.
Frank Abagnale is a former confidence trickster, check forger and impostor whose story was made into the film Catch Me If You Can, starring Leonardo DiCaprio.
Frank Abagnale Then
Abagnale is now a 40-year veteran of the FBI and one of the world’s most respected authorities on forgery, fraud, embezzlement and secure documents.
Frank Abagnale Now
72%
said lack of interoperability undermines better use of patient data.
5-10 years
16%
A report from Gartner, however, puts blockchain at the peak of inflated expectations – speculating it will be another five to 10 years before it reaches mainstream adoption.
A study from IBM shows that 16 percent of payer and provider executives expect to have a commercial blockchain application at scale in 2017.
84%
75%
are in the process of moving existing or new workloads to the cloud
of healthcare organizations currently use cloud services
found interoperability a prime barrier to better use of patient data.
We need the collective brain trust to ensure that our health sector is stronger and more resilient against cyberthreats and compromises in the future. By sharing know-how and resources with each other, our health sector can grow to be a model sector for cybersecurity.
HIMSS17 provided an excellent venue to discuss and learn about what is happening across the sector in terms of cybersecurity. Learning from and engaging in dialogue with others about cybersecurity – whether they are from the government, healthcare providers, vendors, non-profit associations or others – is exactly what the health sector needs to advance its cybersecurity capabilities as a whole.
Government
Healthcare Providers
Vendors
Non-Profit Associations
All of this is occurring at a critical time.
We all need to make the commitment to improve the security programs at our organizations.
“Lots of organizations are talking about threats. Many are talking about today’s vulnerability and many are talking about today’s current assets. But I think we have to add to the conversation by not just thinking about today’s threats. Those are going to change . . . What we need to do is come to a place where it is not about current things. It’s about taking a more strategic approach.”
CEO, Clearwater Compliance
Bob Chaput
Use of IT devices
The Plan
The U.S. Department of Veterans Affairs (VA), however, is taking proactive steps to protect this data. The organization is deploying a Medical Device Protection Program; provides security, guidance, training and outreach to the VA employees and contractors; continuously monitors evolving cybersecurity threats; implements configuration controls; and employs incident response to remediate security breaches.
Explosive growth and use of IT devices connected to the Internet are producing a larger attack surface at the U.S. Department of Veterans Affairs (VA). At the same time, the increasing sophistication of threats including exponential growth rate in ransomware and distributed denial of service attacks leveraging IoT vulnerabilities are adding to the mobile data protection challenge.
“When a major breach occurs, organizations need to refer to a ‘playbook’ that directs staff on how to coordinate and escalate the incident. The playbook should delineate various escalation levels that specifically guide staff with response time and communication expectations.”
Ron Mehring
Vice President, Technology & Security, Texas Health Resources
Lesson 3: Be sure to have a plan in place for when major breaches occur.
Kevin Mitnick
Computer Security Consultant
“Hackers don't have to be technology savants. They can make use of social engineering – manipulation, deception, trust-building – to trick unsuspecting users."
And it's much “easier than executing a technical exploit,” he said. As a result, healthcare organizations should protect themselves by:
- Building a “human firewall” by educating employees about the dangers of too much trust or too little vigilance.
- Performing penetration tests to discover which employees might be most likely to take the bait
- Developing social engineering resistance training programs
Cloud Evangelists
Deanna Wise
CIO, Dignity Health
“I was definitely not an early adopter. Our strategy of moving elements of our technology to the cloud was probably similar to other CIOs who run large organizations – it was a bit of a wait-and-see approach. I wanted to observe what other industries were doing and I wanted to learn from their challenges and outcomes.”
“We did it very slowly and vetted it. It was successful over the course of months. Cloud is key to our future. My advice: Get in and persevere in the process.”
Director, Information Services, University of California at San Francisco Medical Center
Kristin Chu
QA on technology’s transformative role in precision medicine
INDEX
1. Introduction
2. The State of Healthcare IT Security
3. Security challenges: not likely to subside
4. Addressing IoT security: STAT
5. Cybersecurity Forum lessons
6. Are people the problem?
7. Security In the Cloud
8. Blockchain: the next big thing?
9. Keeping the focus on security
Why is it important to globalize cybersecurity policy in health IT?
What sort of medical devices and data are at risk and how (e.g., wearables, drones, sensors, mobile apps, robotics, sensors, digital platforms, medical records)?
What measures could citizens or governments take to improve cybersecurity?
Who is behind health IT cyber-attacks and why?
What makes us vulnerable to cyberattacks, especially in developing countries (e.g., policy, corruption, shortage of health IT personnel; i.e., cybersecurity workforce)?
Director of Privacy and Security, HIMSS
Lee Kim
Indeed, as Lee Kim so astutely pointed out in her introduction, cybersecurity is no longer just a topic that is hashed out at education conferences but a “topic of discussion everywhere.”
In a HIMSS17 preview piece, Matthew Fisher, Chair of the Health Law Group, Mirick O’Connell, pointed to the following three topics as worthy security issues:
- Evolving Ransomware Threats
- Creation of Patient-Generated Health Data Interfaces
- Development of Risk-Management Processes and Systems
Of course, these security issues were discussed and debated in sessions, articles, social media posts and conversations at HIMSS17. The discussion is far from over, though, as security has become an ever-present concern for healthcare professionals and will remain a topic of conversation in the days, months and years ahead.
ABOUT HIMSS
HIMSS is a global voice, advisor, convener, and thought leader of health transformation through the best use of IT with a unique breadth and depth of expertise and capabilities to improve the quality, safety, and cost-effectiveness of health and healthcare. Through its network of over 1 million professionals, including 64,000-plus members, HIMSS advises leaders, stakeholders and influencers globally on IT best practices to ensure decision-makers have the right information at the right time to make the right decisions. HIMSS North America, HIMSS Analytics, Personal Connected Health Alliance, HIMSS Media and HIMSS International (HIMSS Europe, HIMSS Asia and HIMSS Middle East) are the five business units of HIMSS. A not-for-profit headquartered in Chicago, Illinois, HIMSS has additional offices in North America, Europe, United Kingdom, and Asia.
ABOUT HIMSS MEDIA
HIMSS Media is the fastest growing B2B media group focused exclusively on healthcare and technology markets. Through its suite of market-leading brands, such as Healthcare IT News, Healthcare Finance and MobiHealthNews, HIMSS Media delivers news, analysis and must-have information to an audience of senior healthcare and technology influencers. HIMSS Media is also the leading producer of important live events, such as the Privacy & Security Forum, Pop Health Forum, Revenue Cycle Solutions Summit and Big Data and Healthcare Analytics Forum.
Thank You for reading!
2. Precision medicine
3. #PrecisionHIT
4. Biomedical data
5. Better Leveraging EHRs
6. Genomics on the Frontlines
7. Reimagining HIT
8. A Lewis & Clark exploration of precision medicine
9. Patient-generated data in the near future
10. Challenges to precision medicine adoption
Bryce Olson
Global Marketing Director, Health and Life Sciences, Intel
Q. What innovations should the health IT industry be prioritizing to help accelerate precision medicine?
A. First and foremost, we need data standards. Having data standards means that everyone is speaking the same language so all that data can actually be used to benefit patients.
We’ll need better visualization tools with simple dashboards so doctors can make sense of all the data. We’ll need new algorithms to help determine the predictive and prognostic biomarkers that best connect patients with the most appropriate combination therapies being explored today. And we’ll need data exchanges to help pharmaceutical companies with novel targeted therapies find patients who are molecular matches for their clinical trials.
Finally, we’ll need artificial intelligence and machine-learning capabilities to help researchers and doctors not only understand which mutations are important in a tumor, but also which groups of therapies would be most effectively combined in order to help a patient.
Sponsored content
David Houlding
MSc, CISSP, CIPP, Director, Healthcare Privacy & Security, Intel Corporation
Q. What is Intel doing in the area of cybersecurity?
A. Ransomware is now a $1 billion criminal business, up 5,000 percent from 2015. Nearly 90 percent of healthcare organizations have been breached in the last two years with the average total cost of a breach running more than $4 million. These are eye-popping statistics and are making data protection laws, privacy, security and compliance high priorities for health and life sciences organizations worldwide. At Intel’s Health & Life Sciences, privacy and security are key focus areas. The Intel team offers healthcare organizations tactical initiatives to help mitigate risk of breaches, ransomware and noncompliance, as well as strategic initiatives to deliver the next generation of security capabilities from blockchain to behavioral analytics using artificial intelligence to privacy intelligence to touchless multi-factor authentication. Just one example of Intel’s commitment to cybersecurity is its security readiness program for health and life sciences. This program allows health and life sciences organizations, through a one-hour, complimentary, confidential workshop conducted by Intel or one of more than 40 industry partners of ours, to benchmark their security maturity, priorities, readiness and capabilities against their industry peers. Participating health and life sciences organizations can update their assessments on an ongoing basis, further improving the quality of the data. Today, the program has more than 100 health and life science organizations participating from nine countries.
Results of Intel’s Health and Life Sciences Security Readiness Program show that ransomware is now by far the top priority for the health and life sciences industry worldwide.
However, the level of ransomware readiness across these organizations indicates that there are many health and life sciences organizations significantly lagging in implementation of relevant security capabilities, leaving them relatively vulnerable to ransomware. The industry average for ransomware readiness is only 58 percent, so there is a lot of room for improvement in security posture and mitigation of risk of ransomware.
Similar patterns are evident across all eight types of breaches assessed in Intel’s security readiness program. Here are just a few statistics:
- 59 percent have implemented a security incident response plan
- 59 percent have endpoint device encryption
- 35 percent have server, database and backup encryption
To help health and life sciences organizations and the health and life sciences industry as a whole improve security, we need to move beyond the basic recognition that security is lacking to the next level. At this next level, we’ll be guided by high-quality data that shows specifically which organizations are lagging and relatively vulnerable and which capabilities need shoring up. Armed with this knowledge, these organizations will then be able to proactively improve their security and reduce risk of breaches and severely disruptive ransomware infections.
Q. What are the most common risks healthcare systems are facing?
A.
Q. What do healthcare CIOs need to be thinking about short term?
Compliance is important, and regulatory and data protection law requirements must be met. However, a basic compliance approach to privacy and security is no longer sufficient to adequately mitigate risk of breaches and ransomware. Health and life sciences organizations need to go beyond basic compliance. The question is: How far do they have to go? The answer depends largely on where an organization stands in terms of security. Organizations whose security is lagging behind their peers and the industry are particularly vulnerable. Not only are they susceptible to targeted attacks, but their lack of robust security means that opportunistic, untargeted or broadcast attacks – or even accidental breaches – tend to impact them. It is increasingly important for organizations to understand where they stand in terms of security maturity, priorities, readiness and capabilities relative to their peers and the health and life sciences industry. Knowing where they stand relative to their peers enables health and life sciences organizations to identify where they may be over- or under-prioritizing, gauge their readiness across a variety of types of breaches and see if and where specifically their security capabilities may be lagging. This awareness in turn enables health and life sciences organizations to proactively initiate remediation to improve security posture and reduce risk of breaches and ransomware.
Q. What innovations should the health IT industry be prioritizing to help accelerate precision medicine?
Q&A on leveraging tactical and strategic initiatives to combat cybersecurity