It’s time for a security intervention in healthcare
By Leslie Sistla, Chief Information Security Officer, Worldwide Health, Microsoft on February 24, 2016
Filed under Health
As far back as April 2014, the FBI warned healthcare providers that their cybersecurity systems were weak compared with those of other industries, meaning they were vulnerable to attacks by hackers. If the FBI’s warning isn’t compelling enough to move healthcare organizations to action, the example of high-profile data hacks against companies such as Anthem should be. Accenture estimates that between 2015 and 2019, healthcare providers could lose $305 billion in cumulative lifetime revenue from patients impacted by medical identity theft. Since a large number of data intrusions are detected as much as eight months after the initial hack — meaning organizations may not realize that intruders are already working in their environment — it’s high time for healthcare organizations to improve their security systems and processes.
Of course, that’s easier said than done. The natural tension between safeguarding data and giving clinicians quick access to patient records, often in life-or-death situations, means the practices that serve other industries can’t just be mimicked in a healthcare setting.
“Privacy is mostly a concern for people who are healthy,” said Dr. Arthur Kaindl, head of Digital Health Services, Siemens Healthcare, during a recent presentation in Brussels on healthcare security. “If you’re being helicoptered to a hospital in an emergency, you want all your personal health data to be accessible for life-saving treatment. Personal health data must be protected in such a way, though, that it is readily accessible when needed.” Privacy may seem less urgent in the surgical suite or the waiting room, but in everyday life patients and healthcare professionals alike are equally concerned about protecting sensitive patient data from unauthorized or malicious use.
Protecting data isn’t just about responding to hackers or complying with regulatory standards. Organizations that have focused on reactive measures must expand their efforts to include proactive approaches as well. This includes routine exercises designed to test their own systems’ vulnerabilities. It includes taking measures to reduce the loss or theft of laptops and other devices containing data, which account for 65 percent of the data-breach incidents reported to the U.S. Department of Health and Human Services. And it means recognizing that the best way to ensure the highest levels of data protection is to work with a partner that provides leading-edge expertise and resources.
At Microsoft we recognize that it isn’t easy to balance the security and integrity of healthcare data with the need for clinicians, administrators, patients and payers to quickly get the information they need to deliver prompt, lifesaving care. That’s why we’re starting a new series of regular blog posts about security in health. We’ll be discussing the current challenges in healthcare IT, such as interoperability between systems and coordination of care, as well as the issues we expect to become increasingly important, such as the Internet of Things. On top of that, we’ll be offering strategies and guidance on how organizations can improve and maintain their own security.
Security is a crucial focus for Microsoft: We invest more than $1 billion in security research and development each year. In November we announced new initiatives and investments in security that will help us better protect and secure our customers. We’ve created a dedicated group of worldwide security experts, the Microsoft Enterprise Cyber Security Group, to deliver solutions, expertise and services for Microsoft customers. We’ve also opened a Cyber Defense Operations Center that works 24×7 to protect against, detect and respond to threats in real time. We bring together data points from billions of sources to give us unique insights into the threat landscape, and we apply those insights in our mission to safeguard our customers’ privacy and their personal data.
In our next post, we’ll take a deeper look at a day in the life of healthcare data, exploring how the evolving healthcare data ecosystem is offering new solutions but also presenting new challenges. We’ll assess the limits of privacy protection — including some surprising gaps in the kinds of data protected under HIPAA — and explore strategies to bolster protection while supporting interoperability. In future posts, we’ll look at how to mobilize entire organizations, from the C-suite to the clinic, to support a shared culture of cybersecurity.
The healthcare industry may be uniquely vulnerable now, but at Microsoft we’re convinced that there’s never been a better opportunity to set a new standard for security and privacy. We are with you on this journey. We believe we are uniquely positioned as the only large tech company thinking end-to-end about security from the operating system to the device and on up to the cloud. Please join us as we explore the issues and challenges that are shaping the industry now and into the future.