How health systems can better protect patient privacy

Dr. Eric Liederman, director of medical informatics at The Permanente Medical Group, says good communication with patients about cybersecurity is essential – even as risks to protected health information increase from external bad actors and insider threats.

Increasing discomfort for patients in sharing health information

In addition to disruptions to the healthcare system, such as ransomware that can compromise patient data, cybercriminals are increasingly going after individual patients. Some know they have a “target” on their back and remain tight-lipped about their health care providers, Liederman said.

Before what he called the major increase in attacks on health care that began in 2015, there was “a significant minority of patients who felt uncomfortable giving all their information to their doctors,” he told attendees at the HIMSS Healthcare Cybersecurity Forum in Boston earlier this month.

According to a 2014 survey, 10% of patients distrusted health technology, Liederman said, but another recent survey found that 87% of patients are unwilling to reveal all their medical information.

It is not just “a sense of psychological harm” that they are trying to manage by withholding health information; a sense of distrust that their health care system can protect them leads them to seek care elsewhere.

“How can we convince our patients and our staff that we are protecting them?”

Implementing mechanisms to ensure data security – from within organizations – and communicating cyber protection efforts has led to better results, Liederman said.

Joint governance leads to better patient protection

Liederman credited joint governance with helping to foster a greater sense of trust among patients and the workforce.

With co-governance, there is a greater dialogue that says, “We are all in this together – all the way to the top of the organization,” he said.

At Kaiser Permanente, members from all parts of the organization play a role in data security, and there is joint decision-making that results in “less friction,” he said.

“We have better results because the controls that are implemented to mitigate risk are controls that are jointly agreed upon,” Liederman said. “And so they reduce risk without harming our operations, or especially patient care, and improve our crisis response because everyone understands what is at stake.

“We have faster implementation of controls because people are not pushing back,” he added. “And there’s less career risk, especially for the CISO, right?

“You’re one bad day away from looking for a new job. That shouldn’t be the case.”

Liederman emphasized how crucial it is to convince both patients and the workforce of what health care systems are doing to protect them, and recommended making the communications team a partner of the health IT organization.

“You’re all here, you’re all probably directly involved in protecting your organizations or supporting organizations in protecting their data. Do people know what you’re doing?”

Protection against insider threats

While cybersecurity is designed to protect against external threats, insider threats are a major cause for concern, especially in healthcare.

“Is sufficient attention paid to this?” Liederman asked.

“There are two types of insider threat actors,” he said. The first looks much like an external attacker, such as a disgruntled employee, but “those people are actually a small minority.”

Liederman noted that while cyber professionals try to focus on finding and mitigating these insider risks and blocking their actions, there are also “people who sometimes, every now and then, are tempted to use their credentials to look up information they shouldn’t be looking at.”

It’s someone they know, someone they know of, or someone prominent in the community who is in the hospital. “What is going on? I want to know, right?”

That insider threat – snooping – is significantly different from typical cybersecurity efforts, Liederman said.

Healthcare workers are tempted to occasionally review the medical records of people they know: friends, family and colleagues. But then there are the people they’ve heard of.

“I say famous and infamous. It’s not just famous people. It’s not just the mayor or celebrities. It could be a mass murderer who has been arrested and shot and is now in your emergency department,” Liederman said.

“These are just people who are tempted. And that’s why we want to help them avoid ruining their careers and invading the privacy of others.”

Liederman noted that earlier in his career – before HIPAA – he worked at an academic medical institution where access to laboratory results and radiology reports was wide open.

“Within a few weeks of being there, a colleague approached me and told me that a colleague had congratulated her on her pregnancy before she even knew the pregnancy test results.

“And the next week someone told me that they learned about their cancer diagnosis from a colleague who gave them resources. That’s how they find out they have cancer, right?

“This was a toxic culture,” he said.

Despite being 100 miles from another health care system, two-thirds of employees sought care elsewhere, he said.

In subsequent years, Liederman said he cut off access to certain department systems, implemented an electronic medical record with audit trails and began a snooping audit monitoring program.

Tackling insider snooping

Restricting access is a disaster that puts patients at risk, Liederman said, and the patients most at risk are the sickest ones, who are also the “VIPs” at the highest risk of a breach.

To tackle insider snooping safely, you need to record every view and action, which HIPAA requires anyway.

But with “smart surveillance” – which uses the audit trail and focuses on where people are tempted to look – cybersecurity teams can catch offenders, he said.
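The “smart surveillance” idea above is a review of the access audit trail that looks only where temptation lies: high-profile patients and people the viewer knows, accessed without a documented treatment relationship. The following is an added example written for this page, not code from Liederman, Kaiser Permanente or any EHR vendor; the log fields, care-team table, watch list and all events are constructed assumptions about what an access log might carry.

```python
"""Audit-trail review for insider snooping.

Flags record accesses that combine *no documented care relationship* with a
temptation signal (high-profile patient, or a patient who shares the viewer's
surname). Ordinary unrelated views are left alone so the review queue stays
small enough for a privacy officer to work by hand.

Every field name and data value below is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class AccessEvent:
    """One line of an EHR access log (assumed field set, not a vendor format)."""
    ts: datetime
    user_id: str
    user_surname: str
    patient_id: str
    patient_surname: str
    action: str               # "view" or "edit"
    break_glass: bool = False  # user invoked emergency access and typed a reason


@dataclass
class Alert:
    user_id: str
    patient_id: str
    views: int = 0
    reasons: set = field(default_factory=set)


def review_access(events, care_team, watchlist):
    """Return {(user_id, patient_id): Alert} for accesses worth a human look.

    care_team: patient_id -> set of user_ids with a documented treatment
               relationship (attending, unit nurse, consulting pharmacist ...).
    watchlist: patient_ids flagged as high-profile ("famous and infamous").
    """
    alerts = {}
    for ev in events:
        if ev.user_id in care_team.get(ev.patient_id, set()):
            continue  # legitimate treatment relationship, nothing to review
        reasons = set()
        if ev.patient_id in watchlist:
            reasons.add("high-profile patient, no care relationship")
        if ev.user_surname.casefold() == ev.patient_surname.casefold():
            reasons.add("shared surname, possible family member")
        if not reasons:
            continue  # unrelated but untempting: not where snooping happens
        if ev.break_glass:
            # Emergency access is allowed, but the stated reason must be checked.
            reasons.add("break-the-glass used; verify the stated emergency")
        key = (ev.user_id, ev.patient_id)
        alert = alerts.setdefault(key, Alert(ev.user_id, ev.patient_id))
        alert.views += 1
        alert.reasons |= reasons
    return alerts


def users_to_contact(alerts):
    """User ids with at least one flagged patient, most flagged views first."""
    counts = {}
    for a in alerts.values():
        counts[a.user_id] = counts.get(a.user_id, 0) + a.views
    return sorted(counts, key=lambda u: (-counts[u], u))


# ---- constructed sample data -------------------------------------------------
CARE_TEAM = {"P100": {"u_alvarez", "u_chen"}, "P200": {"u_chen"}}
WATCHLIST = {"P100"}  # e.g. a public figure admitted through the ED (constructed)


def _t(hour, minute):
    return datetime(2024, 1, 15, hour, minute)


SAMPLE_EVENTS = [
    AccessEvent(_t(8, 5), "u_alvarez", "Alvarez", "P100", "Doe", "view"),     # on care team
    AccessEvent(_t(8, 20), "u_patel", "Patel", "P100", "Doe", "view"),        # VIP, no relationship
    AccessEvent(_t(9, 0), "u_okafor", "Okafor", "P300", "Okafor", "view"),    # same surname
    AccessEvent(_t(9, 30), "u_chen", "Chen", "P200", "Smith", "edit"),        # on care team
    AccessEvent(_t(10, 0), "u_patel", "Patel", "P200", "Smith", "view"),      # unrelated, untempting
    AccessEvent(_t(12, 45), "u_patel", "Patel", "P100", "Doe", "view", break_glass=True),
]


def run_sample():
    return review_access(SAMPLE_EVENTS, CARE_TEAM, WATCHLIST)


if __name__ == "__main__":
    for (user, patient), alert in run_sample().items():
        print(f"{user} -> {patient}: {alert.views} view(s); " + "; ".join(sorted(alert.reasons)))
    print("follow up with:", users_to_contact(run_sample()))
```

Run on the constructed sample, the review surfaces two pairs: u_patel on the high-profile patient P100 (two views, one via break-the-glass) and u_okafor on a patient with the same surname; the routine unrelated view of P200 is deliberately not queued, which is what keeps the program focused on where people are tempted to look rather than on every access without a relationship.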

The point of implementing an audit program and communicating it is not to fire half the workforce – “these are skilled, talented and experienced people. You want them to keep working there, you want them to keep their licenses.”

The goal is culture change, he said.

“It’s a different way of thinking than protecting against outside attackers,” he said.

“The goal here is not to find everyone. The goal here is to have a program where you find enough people so that everyone knows there is a program and they deter themselves.”

He outlined the basic steps for launching an audit program:

  • Tell everyone you have an audit program.
  • Tell them you’re auditing before you start the program so you can quell the temptation-based snooping before you even start watching.
  • Over-communicate your audit program.

“It works very well and very quickly,” he said, noting that within weeks the number of snooping events drops by more than 90% – “and continues to do so.”

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.