When a major regulation is passed, unintended consequences are pretty much a given. The Information Blocking Rule was no exception — and the effects are quite significant, according to our panelists in a recent webinar discussion. With data now flowing freely outside of the four walls of the hospital, information security and privacy officers lack visibility into which devices are being used (and how), and that makes it much more difficult to protect patient information.
“We’ve never had a more challenging environment,” said Jacki Monson, Interim CIO, Chief Technology Risk Officer, CISO, and Chief Privacy Officer at Sutter Health. In order to comply with information-sharing regulations, leaders have to retrofit technology and rethink clinical workflows. They also have to contend with the fact that by granting patients more access, they’re asking them to shoulder more responsibility in safeguarding it.
For CISOs, it can be a difficult pill to swallow, according to Anahi Santiago, CISO at ChristianaCare. “Every time we onboard technology, we go through a risk assessment,” which includes penetration and vulnerability testing. Patients cannot — and should not — be expected to do the same. “We have an ethical duty to protect patients — who are not IS and privacy professionals — from themselves. And that’s very hard to do in this case.”
And it’s not going to get any easier. As digital transformation continues to be a driving force across healthcare, creating a safer environment is going to require better visibility, increased patient education, and shared accountability, the panelists agreed.
The first piece is improving visibility, noted David Ting (CTO and founder, Tausight), who believes the new obstacles CISOs face are “a reflection of the digitization of the industry.” On one hand, data fluidity can “generate efficiency and better care” by putting information into the hands of those who need it. On the other hand, “without knowing where it’s going, knowing the context around how it’s being used, and knowing the environment in which it operates, it’s very hard to secure data, much less ensure compliance.”
Once devices leave the hospital, CISOs and other leaders can’t guarantee that confidentiality, integrity and availability will be maintained, Ting added. “You can’t secure what you can’t detect, and you can’t secure what you don’t know.”
Monson concurred, adding that the asset management technologies that have successfully been used to capture device inventory at Sutter run into roadblocks once devices are sent home with patients. “We need to understand not only what type of device is being used, but what version it’s utilizing, and any third parties that might be running on it,” she noted. “We’re doing a whole level of asset management beyond what our tools are capable of.”
This is one area where Tausight seeks to make an impact with its Situational ePHI Awareness platform, according to Ting, who founded the company in 2018. As more devices are connected to the EHR — and a new attack surface is created — it has become increasingly important to enable IS and privacy teams to see “what’s happening at the edge,” he said. The goal is to provide visibility into the device, including patches, apps, and any PHI data housed within it, and offer “a holistic view inside and outside of the hospital.” That situational awareness, Ting added, “is going to be needed as we move into more distributed care delivery models.”
Another critical piece is education geared toward patients and family members, many of whom aren’t aware of the impact — and likelihood — of a cyberattack. “They’re not thinking about that. They’re just thinking about the device, whereas we’re thinking about the risks and what can happen,” said Monson. “How do we protect patients? How do we protect data? How do we protect the organization? It’s a constant challenge.”
It starts with education, said Santiago, who cautioned that patients often believe the apps they purchase come equipped with cyber-protection (or at least the same level of protection offered by her team), which isn’t the case. “With our ability to deliver virtual care and our hospital-at-home initiatives, we’re essentially sending patients home with a slew of medical devices that can either be connected to a network that we deliver for them, or can be connected to their network,” she said. Without the proper measures in place, those devices can become easy targets. “That’s certainly an area of concern.”
It’s also an opportunity for organizations to inform — and, consequently, empower — users, noted Monson. “We have to focus on the safety part, because at the end of the day, if we’re not protecting patients and they’re doing things that expose their data, that’s a safety issue.”
In fact, emphasizing the patient safety aspect of cybersecurity can also build buy-in among clinicians, noted Santiago. “If the technology isn’t available, we may not be able to care for patients.” For ChristianaCare, which operates the only Level 1 trauma center along the heavily trafficked route from Philadelphia to Baltimore, having to turn away patients because of a breach would be catastrophic. “It goes against the core of everything we do every day,” she said. “Our clinicians understand patient safety because it’s a space they live in all the time. And so, being able to connect cybersecurity to patient safety makes it very real for them.”
At Sutter, ensuring patients feel as safe and secure at home as they do when inside the four walls is a key priority. “It’s part of our promise to patients,” said Monson. “If we’re not keeping their information safe, we’re not taking good care of our patients.” And it doesn’t fall solely on the shoulders of privacy and security teams, she noted. “There’s not enough of me or my team to take accountability for every regulatory compliance across the system. Regardless of how good the policies, procedures, and assessments are, if you don’t have everybody thinking in that mindset, you’ll never actually protect a patient.”
Finally, Santiago urged listeners not to go it alone — whether that means speaking with peers or taking advantage of the free resources offered by organizations such as 405(d) and H-ISAC. “We’re all dealing with these challenges, and they’re only going to become more complicated.”
To view the archive of this webinar — Ensuring Your Security Program Can Support the Industry’s Increasing PHI Sharing Demands — please click here.