Conversa Health’s Scott Anderson provides a brief take on the state of data security in healthcare.
The wave that is big data doesn't appear to be cresting in healthcare anytime soon, and unfortunately, neither do the threats waged against it. Hijacking and hacking into protected health information (PHI) has become a growing trend that's here to stay. So, the question remains: what should be done about it?
The last couple of years have unveiled a fair share of data breaches in healthcare: in 2017, more than 45 percent of ransomware attacks were on healthcare organizations, according to a study conducted by Beazley, a specialist insurer that tracks breach claims.
Last year, we saw many health organizations, including Allscripts, CMS, and Blue Cross, fall victim to phishing scams, breaches, and ransomware attacks. As a result, cybersecurity spending is expected to exceed $65B over the next five years, and the tactics of thieves are only getting more sophisticated: ever heard of cryptomining? You will.
As PHI continues to multiply and mobilize in the form of telemedicine devices, wearables, and cloud-based clinical and AI-driven platforms, are there enough solutions out there to protect this expanding attack surface? Yes, according to Conversa Health's Scott Anderson.
Anderson, the CTO of the San Rafael, Calif.-based provider of automated digital health conversations between patients and providers, shared his thoughts on the state of cybersecurity in healthcare, along with the worst-case hacker scenarios and best tactical approaches to keeping the threats at bay.
Given the fast pace of technology in healthcare right now, do you think tech companies are offering robust solutions that are keeping patients safe in terms of data privacy?
I do. While I can certainly see the acceleration in the rate of adoption of new technology, it’s still an ecosystem that runs on quarterly releases. Relative to the rest of the technology industry, that’s still a glacial rate of change, and much of that is driven by fear; primarily, the fear of making that one change that brings about a disastrous regression. If we accept that mitigating regression risk is a critical factor in security, let’s minimize the risk by reducing the amount of change introduced to the system, by shipping software with more frequency. It’s not quite that simple, but it’s the truth.
Let’s talk hypothetically: What are some of the worst-case scenarios that can occur when it comes to breaches that affect patient data?
Employment is the one that could wind up as the most relevant. While it’s illegal under the ADA to ask about disabilities or medical conditions during the interview process, nothing is stopping a company from using data it has obtained for that purpose. Of course, profiling based on data is already currently in use as a means of projecting future health care needs based on medical records and changes to prescriptions. A health data breach has the potential to be far more insidious than a PII breach—we can monitor credit records and look for abuses, but the fear that your medical past might be used against you when you are under no legal obligation to disclose personal information, nobody wants that.
At Conversa, your solution interfaces with a lot of different sources of data and PHI, like EHRs. How did your company approach the issue of data security when creating the conversation platform, and what did you learn about providing a secure platform along the way?
Our primary approach is to consider security events a matter of “when” and not “if.” Attempts will be made, and therefore any potential flaw in our security is the company’s number one priority. We continuously monitor our software and cloud configurations for anything that might constitute a risk, from the accessibility of cloud infrastructure to code that introduces potential script attack vectors. Issues found using this process supersede any other work in priority. Therefore, it is paramount that we reduce the occurrence of these issues, so that the team can focus on innovation and moving our company forward. Shifting the perspective in that way changed the culture.
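The continuous monitoring Anderson describes, from publicly reachable infrastructure to code that opens a script-injection vector, can be reduced to a small set of policy checks run against an inventory snapshot on every deploy. The following is an added example, not Conversa Health's tooling: the inventory shape, the resource names, the `contains_phi` tag, the sensitive-port list and the "any high finding blocks the release" rule are all assumptions made for illustration.

```python
"""Constructed illustration of a continuous cloud-configuration check.
Added example; not Conversa Health's tooling. The inventory shape, resource
names, tags and rule thresholds are assumptions made for this example."""
import ipaddress
import re
from dataclasses import dataclass

# Ports that should never be reachable from the whole internet (assumption:
# a typical management/database set; adjust to the environment).
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 27017, 6379}

# Template constructs that disable output escaping and so create a script
# injection (XSS) vector: Jinja's "|safe" filter, Handlebars' triple-stash,
# and direct innerHTML assignment in client-side JavaScript.
UNESCAPED_OUTPUT = re.compile(r"\|\s*safe\b|\{\{\{|\.innerHTML\s*=")


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    severity: str  # "high" or "medium"
    detail: str


def world_reachable(cidr: str) -> bool:
    """True when an ingress rule admits every source address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_security_groups(groups):
    """Flag sensitive ports exposed to the entire internet."""
    findings = []
    for sg in groups:
        for rule in sg["ingress"]:
            if rule["port"] in SENSITIVE_PORTS and world_reachable(rule["cidr"]):
                findings.append(Finding(sg["id"], "open-sensitive-port", "high",
                                        f"port {rule['port']} open to {rule['cidr']}"))
    return findings


def check_buckets(buckets):
    """Flag PHI storage that is anonymously readable or unencrypted at rest."""
    findings = []
    for b in buckets:
        if not b.get("contains_phi"):
            continue
        if b.get("public_read"):
            findings.append(Finding(b["name"], "phi-bucket-public", "high",
                                    "PHI bucket allows anonymous read"))
        if not b.get("encrypted"):
            findings.append(Finding(b["name"], "phi-bucket-unencrypted", "medium",
                                    "PHI bucket lacks encryption at rest"))
    return findings


def check_templates(templates):
    """Flag lines in templates/scripts that emit unescaped output."""
    findings = []
    for path, text in templates.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if UNESCAPED_OUTPUT.search(line):
                findings.append(Finding(f"{path}:{lineno}", "unescaped-output",
                                        "medium", line.strip()))
    return findings


def scan(snapshot):
    return (check_security_groups(snapshot.get("security_groups", []))
            + check_buckets(snapshot.get("buckets", []))
            + check_templates(snapshot.get("templates", {})))


def blocks_release(findings) -> bool:
    """Assumed policy: any high-severity finding pre-empts other work, so the
    pipeline stops until it is fixed."""
    return any(f.severity == "high" for f in findings)


# Constructed snapshot (hypothetical resources, not real infrastructure).
SNAPSHOT = {
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"},
                                    {"port": 22, "cidr": "10.0.0.0/8"}]},
    ],
    "buckets": [
        {"name": "phi-exports", "contains_phi": True, "public_read": True, "encrypted": False},
        {"name": "static-assets", "contains_phi": False, "public_read": True, "encrypted": True},
    ],
    "templates": {
        "visit_summary.html": "<p>{{ patient.name }}</p>\n<div>{{ note.body|safe }}</div>\n",
        "widget.js": "el.textContent = msg;\n",
    },
}

if __name__ == "__main__":
    results = scan(SNAPSHOT)
    for f in results:
        print(f"[{f.severity}] {f.resource}: {f.rule} ({f.detail})")
    print("release blocked:", blocks_release(results))
```

On the constructed snapshot the scan reports four findings: the database port open to the world, the PHI bucket both public and unencrypted, and the `|safe` filter in the visit-summary template; the public static-assets bucket and the private-network SSH rule are deliberately not flagged, which is the kind of tuning that keeps a "when, not if" monitoring loop from burying the team in noise.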
There have been serious data breaches in healthcare over the last several years, and hackers keep finding new ways to compromise data. How does the healthcare industry as a whole protect itself, especially as it rapidly adopts new technologies: What can provider organizations do? What should companies that provide interfacing technologies do? Furthermore, what can patients do to play a part in protecting their data?
First off, in my experience, provider organizations are already doing a good job of wrapping their heads around the idea that new technology and innovation coming from small teams like Conversa requires some acceptance. Specifically, smaller, newer companies can move fast because they are typically unburdened with the cumbersome processes and bureaucracy that naturally develop as large businesses become enterprise companies. If I asked anything of provider organizations moving forward, it would be to form an approved, internal plan for how to map their nimble technology partners into their heavyweight systems.
For technology partners, accept that enterprise systems view your technology with extreme skepticism, and therefore you have an opportunity and a responsibility to lead with security. Ensure that you are building within your team culture a sense of ownership around security—relegating security to a single team or owner will guarantee that gaps exist between the silos.
Finally, patients can protect themselves with similar approaches that companies use internally: Have high expectations of the health systems that serve you, but don't give them all the responsibility; Use strong passwords and use a password manager; Keep virus and malware scanners active and up to date; Be wary of emails requesting information, which no company that cares about your information would send you.
Given the challenges in the industry, where do you see the issue of security in healthcare over the next five years? What do you think needs to be put in place to ensure that data security is less susceptible to breaches or ransomware attacks? Does it need to go beyond creating HIPAA compliant solutions?
With the current models for compliance verification and certification, it is cost-prohibitive for smaller companies to engage with auditors. Working with small companies as well as auditing companies and large systems, let's find a way to create an incremental certification that scales with companies, and sets milestones along the growth curve.
How data is stored and subsequently used in both de-identified and aggregate forms needs scrutiny. The rise of data-driven, algorithm-based software platforms that make decisions for us (and about us!) requires deep thinking about the impact of those platforms beyond innovation for its own sake.
What’s the essential message here for our readers when it comes to the subject of data security in healthcare?
Small companies and startups have the potential to move healthcare forward faster than ever before, and they can do so in a manner that has the potential to be more secure than their larger counterparts. Continuous deployment and monitoring minimize change while requiring engineering and operations to work hand in hand, eliminating the silos that create risk, not to mention eliminating the cultural barriers between development and ops that can create “us vs. them” mentalities in the workplace.
Scott Anderson is the CTO of Conversa Health, an intelligent Patient Relationship Management (PRM) platform that allows doctors to deliver continuous, personalized care. Prior to this role, he was the director of engineering at WalmartLabs.