Be prepared for a new acronym, ISAOs, to join the myriad others in the world of healthcare technology, thanks to President Barack Obama's new cybersecurity executive order.
The order, signed last week, advises the creation of information sharing and analysis organizations (ISAOs), private-public partnerships that share information and, in the process, guard against cyberattacks.
Walgreen Co. and Kaiser Permanente already have committed to working within this new framework, according to published reports.
But while ISAOs may be the cybersecurity tactic du jour, healthcare providers need a combination of other measures to decrease the likelihood that hackers break into their databases.
Data encryption is only one weapon in that anti-hacker arsenal. Others include firewalls, increased security spending and better IT employee training so they can spot efforts to trick them into revealing sensitive database access information.
“Encryption should be on the list, but there is no one single thing they can do,” said Rich Mogull, founder and CEO of Securosis, a cybersecurity research firm. “That's just the nature of security these days.”
The president repeatedly mentioned the need for healthcare data security in addressing a national summit on cybersecurity last week. The summit, held in Silicon Valley, is one of multiple White House efforts in the past month to rally both the public and the private sector to address data security issues.
Obama, in his latest State of the Union speech, called on Congress to pass comprehensive cybersecurity legislation.
A whopping 1,172 major healthcare breaches have occurred since September 2009, according to the Office for Civil Rights at HHS, which keeps a list of healthcare data breaches affecting 500 or more individuals. Of those, 52% were attributed to theft; 10% to “other” or “unknown” causes; 8% to loss, such as a lost laptop computer or thumb drive; and 4% to improper disposal, all exposing unencrypted data.
Two massive healthcare data hacks, one at insurance giant Anthem announced earlier this month and one at Community Health Systems revealed last August, exposed personal information on tens of millions of individuals, more than the populations of California, Texas, Nevada and New York combined. Both cyberattacks were attributed to hackers from China.
In the past, adoption of encryption software—which was typically bolted onto older healthcare computer systems—was impeded because its complex algorithms “slowed everything down,” said Kenneth Dort, a lawyer with Drinker Biddle & Reath in Chicago, who specializes in information technology and data security. “But over the last several years, the power of computing systems has increased,” Dort said. That's “made it much easier to encrypt in real time, which is why more and more entities have used it,” he said.
The attention-grabbing Anthem and Community breaches, as well as those in other industries, should give healthcare chief technology officers more leverage to acquire the tools and personnel they need, Dort said.
That will “accelerate an existing trend toward use of encryption,” Dort said. In advising his clients, “I would certainly have encryption out there on the table,” Dort said.
Another security measure, intrusion protection systems such as firewalls, is used by 98% of healthcare organizations surveyed, according to a Healthcare Information and Management Systems Society survey.
“They also have to make security a priority in their buying decisions,” not just with security systems, but with all computerized products, such as medical devices, Mogull said.
Follow Joseph Conn on Twitter: @MHJConn