How health systems can better protect patient privacy
Photo: Morsa Images/Getty
Dr. Eric Liederman, director of medical informatics for The Permanente Medical Group, says good communications with patients about cybersecurity protection is essential – even as risks to protected health information are on the rise, from external bad actors and insider threats.
Growing patient discomfort in sharing health information
Beyond health system disruptions such as ransomware that can compromise patient data, cybercriminals are increasingly going after individual patients. Some know they have a "target" on their backs and remain tight-lipped with their healthcare providers, said Liederman.
Before what he referred to as the major ramp up in attacks against healthcare that began in 2015, there was "an appreciable minority of patients who were uncomfortable providing all their information to their doctors," he told attendees at the HIMSS Healthcare Cybersecurity Forum in Boston earlier this month.
According to one 2014 survey, 10% of patients distrusted health technology, Liederman said, but another recent survey found 87% of patients are unwilling to divulge all their medical information.
It's not only "a sense of psychic harm" they seek to control in holding back health information, a sense of distrust that their health system can protect them has them seeking care elsewhere.
"How do we impress upon our patients and our workforce that we're protecting them?"
Implementing mechanisms to ensure the safety of data – from the inside of organizations out – and communicating about cyber protection efforts has resulted in better outcomes, Liederman said.
Joint governance leads to better patient protection
Liederman credited joint governance for helping to facilitate a higher sense of trust among patients and the workforce.
With joint governance, there's increased dialogue that says, "We're all together on this – all the way to the top of the organization," he said.
At Kaiser Permanente, members from all parts of the organization play a role in data security, and there's joint decision-making that results in "reduced friction," he said.
"We have better outcomes because the controls that get implemented to mitigate risk are controls that are jointly agreed to or collaboratively agreed to," said Liederman. "And so they mitigate risk without impairing our operations, or especially patient care, and improve our crisis response because everybody understands what's at stake.
"We have faster implementation for controls because people don't push back," he added. "And there's reduced career risk, especially for the CISO, right?
"You're one bad day away from having to look for a new job. It shouldn't be that way."
Liederman stressed how critical it is to impress upon both patients and the workforce what health systems are doing to protect them and advised having the communications team as an HIT partner, he said.
"You're all here, you all are presumably either directly involved with protecting your organizations or supporting organizations in protecting their data. Do people know what you're doing?"
Protecting against insider threats
While cybersecurity is designed to protect against external threats, insider threats are a significant cause for concern, especially in healthcare.
"Is there sufficient attention paid there?" Liederman asked.
For the insider threats, "There's two kinds of insider threat actors," he said. While one is very similar to the external attacker, such as a disgruntled employee, "those folks are really a small minority."
Liederman noted that, while cyber professionals try to focus on finding and mitigating these insider risks and blocking their actions, there are also the "human beings who sometimes, occasionally get tempted to use their credentials to look up information they shouldn't look at" to consider.
It's somebody they know, somebody they know of or somebody prominent in the community who is hospitalized. "What's going on? I want to know, right?"
That insider threat – snooping – is substantially different from typical cybersecurity efforts, said Liederman.
Healthcare provider employees are tempted to occasionally look at the health records of people they know – friends, family and coworkers. But then there are the people they've heard of.
"I say famous and infamous. It isn't just famous people. It isn't just the mayor or celebrities. It might be a mass murderer who's been arrested and shot and is now in your emergency department," Liederman said.
"These are just human beings who get tempted. And so we want to help them deter themselves from ruining their careers and breaching the privacy of others."
Liederman noted that earlier in his career – pre-HIPAA – he worked at an academic medical facility where access to lab results and radiology reports was wide open.
"Within a few weeks of being there, I had a colleague approach me, telling me that a coworker had congratulated her on her pregnancy before she even knew of the pregnancy test result herself.
"And then the next week, somebody told me that they learned of their cancer diagnosis from a coworker giving them tools. That's how they learn they had cancer, right?
"This was a toxic culture," he said.
Despite being 100 miles from another health system, two-thirds of employees sought care elsewhere, he said.
Over the next few years, Liederman said that he shut off access to certain departmental systems, implemented an electronic health record with audit trails and began an audit-monitoring program for snooping.
Addressing insider snooping
Access restrictions are a disaster that puts patients at risk, Liederman said. At most risk are the patients who are very sickest and are considered high-risk-for-breach "VIPs."
To safely address insider snooping you have to record all the views and actions, which HIPAA requires anyway.
But, with "smart surveillance" – using the audit trail and focusing on where people are tempted to look – cybersecurity teams can suss out offenders, he said,
The point of implementing an auditing program and letting people know about it is not to fire half of the workforce – "these are skilled, talented, experienced people. You want them to keep working there, you want them to keep their licenses."
The goal is culture change, he said.
"It's a different mindset from protecting against the outside attackers," he said.
"The goal here is not to find everybody. The goal here is to have a program where you find enough people so that everybody knows there's a program and they deter themselves."
He outlined the basic steps for launching an auditing program:
- Tell everybody that you have an auditing program.
- Tell them you're auditing before you start the program, so that you tamp down on the temptation-based snooping before you even start looking.
- Overcommunicate about your auditing program.
"It works really well and works really fast," he said, noting that within weeks the number of snooping events drops by more than 90% – "and stays that way."
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.