This week’s priceless quote:
“A lot of the response was, ‘We live in a cornfield in the middle of Minnesota,’” he said. “‘Who wants to hurt us? Who can even find us here?’”–Jim Nelms, Mayo Clinic’s first chief information security officer,
We know where you are and what you do! The precarious state of healthcare data security at facilities and with insurers, plus increased external threats from hacking, has been getting noticed by Congress–when you see it in POLITICO, you know it’s finally made it into the Rotunda. It was over the horizon late last summer with the FBI alert and legislators in high dudgeon over the Community Health Systems China hack [TTA 22 Aug 14]. It’s a roof that leaks, that costs a lot to fix, and that doesn’t have immediate benefit (cost avoidance never does), but when it does leak it’s disastrous.
This article rounds up much of what these pages have pointed out for several years, including the Ponemon Institute/IBM study from earlier this week, the Chinese/Russian connections behind Big Hacks not only for selling data, but also IP [TTA 26 Aug 14] and how decidedly easy it is to hack devices and equipment [TTA 10 May 14]. Acknowledgement that healthcare data security is about 20 years behind finance and defense deserves a ‘hooray!’ But on average only 3 percent of HIT spend is on security when it should be a minimum of 10 percent (HIMSS) or higher. And when the choice may be better security or uncompensated patient care, particularly in rural areas, what will it be for many healthcare organizations?
The article also doesn’t go far enough in the devil’s dilemma–that the Federal Government with Medicare, HITECH, meaningful use, rural telehealth and programs like Medicare Shared Savings demands more and more data tracking, sharing and response mechanisms, stretching HIT 15 ways from sundown. At the cutely named Health Datapalooza presently going on in Washington DC, data sharing is It for Quality Care, or else. Yet the costs to smaller healthcare providers of preventing that ER readmission scenario through new care models such as PCMHs and ACOs are stunning. And the consequences may be more consolidated, less available healthcare. We are already seeing merger rumors in the insurer area and scaledowns/shutdowns/buyouts of community health organizations including smaller hospitals and clinics. Also iHealthBeat.
DARPA to the rescue? The folks who brought you the Internet may develop a solution, but it won’t be tomorrow or even the day after. The Brandeis Program is a several-stage project over 4.5 years to determine how “to enable information systems that would allow individuals, enterprises and U.S. government agencies to keep personal and/or proprietary information private.” It discards the current methodology of filtering data (de-identification) or trusting third parties to secure it. Armed With Science. FedBizOpps has the broad agency announcement in addition to vendor solicitation information.