The revelation that Community Health Systems (NYSE:CYH) servers were hacked, resulting in the loss of 4.5 million patient records, and that a server for the Affordable Care Act's healthcare.gov website was breached, puts the issue of healthcare privacy front and center even as industry watchers warn that health care security is far too lax.
According to Internet cloud security provider Skyhigh Networks, 90% of health care services clouds are either at medium risk or high risk of being hacked. That's worrisome news for health care organizations given that an HIMSS Analytics survey earlier this year found that 83% of health care companies use cloud services.
Carts before horses?
The Department of Health and Human Services pays bonus Medicare payments to hospitals and physician networks that use health care IT to share, track, and analyze patient information. It also cuts payments to those that fail to meet health care IT meaningful use targets.
That carrot-and-stick approach is incredibly motivating, but the cost of establishing health care IT systems remains daunting. As a result, many organizations are fulfilling their meaningful use targets by relying on third-party cloud service providers that offer out-of-the-box solutions.
However, rushing to implement health care IT solutions, either through the cloud, internally, or in a hybrid combination, may be exposing providers and patients to a greater security risk. That's because recent hacker attacks suggest that health care organizations may not be investing enough money in -- and attention on -- protecting health care information.
For example, the hacker attack on Community Health Systems exploited a bug in the open-source encryption software on a Juniper networking device to capture login data that was used to access patient information stored deeper within the company's network.
The bug, which is known as Heartbleed because it targets a repeating signal designed to maintain an open connection between servers and computers, was discovered in April. Yet the attacks on Community Health appear to have occurred a week after Heartbleed was discovered and again in June. The timing of those attacks raises important questions regarding how quickly organizations are responding to security threats and whether or not health care organizations and their cloud services companies are adequately staffed to respond to ever-evolving attacks.
Complicating the problem
Securing private patient data is arguably more challenging than protecting credit card data or access to customer checking accounts. That's because healthcare companies are trying to build a share-friendly ecosystem, rather than a closed loop that is walled off from outsiders.
The goal of free-flowing healthcare information lends itself nicely to cloud providers, who can market services as a less costly way to exchange patient information between providers, payers, and patients.
By busting open metal file cabinets and sharing healthcare data seamlessly between primary care doctors, specialists, and surgeons, healthcare providers can build a far more robust system for monitoring patient health, analyzing treatment outcomes, and avoiding medical mistakes.
Healthcare IT is also having a big impact on improving healthcare provider workflow. Cloud-based solutions are integrating patient information with scheduling and billing, which allows providers to benefit from fewer missed appointments and faster payments.
Those advantages mean that despite the security risks, healthcare providers are likely to continue to embrace cloud-based healthcare IT. According to the HIMSS Analytics study, 43% of healthcare organizations have turned to the cloud to host clinical applications and data. That suggests that hackers have plenty of incentive to target cloud-based systems.
Fool-worthy final thoughts
Securing electronic records either locally or in the cloud will remain challenging and important, but that doesn't mean that the healthcare sector should ditch the use of servers and return to its paper-and-pen days. The potential for increasingly real-time patient care is far too promising to abandon. As a result, providers will continue to adopt systems that allow for greater, rather than less, communication between people and medical equipment. That likely means that cost-saving and convenient cloud-based services will remain both a go-to solution and a major target of hacker attacks. Whether security can keep up with that quickened pace of adoption of healthcare IT is unknown, but it's unlikely this is the last we've heard about hacking health care.