The healthcare sector of the economy has traditionally lagged behind other sectors in terms of technology use and the infrastructure it requires. Unwanted publicity over cyber-attacks and data breaches is causing healthcare businesses to finally wake up to the reality that their data are extraordinarily sensitive. Data breaches and leaks can happen in many industries, but healthcare data breaches and associated abuse can have catastrophic consequences for people’s lives.
Many of my contacts in the sector have begun restructuring their operations and investing heavily in robust technology with the goal of protecting the security of their information and addressing privacy concerns. However, healthcare providers, including hospitals, clinics and physician practices, have been slower in making these transformational changes due to their primary focus on patient care.
Studies document that healthcare industry businesses have invested billions of dollars in the past ten years on electronic medical records (EMR) software, which squares with my own experiences with various healthcare systems around the country. Investing in one of these systems can be transformational for a healthcare business, but unfortunately only a small fraction of the investments made to date address security and privacy issues.
While security should be front and center in an electronic records management system, in reality it is often thought of “after the fact” in such implementations. I appreciate and agree with the argument by healthcare professionals that their focus needs to be on patient care first. The time has come for providers to recognize that safeguarding patient information is a key component of caring for patients.
When financial data is stolen, that information quickly becomes obsolete as users and financial institutions change account numbers and passwords. Health data can have a longer shelf life because it contains very sensitive information of a more permanent nature, including social security numbers, home addresses, health conditions and other extremely sensitive and private information about patients and their well-being. Hackers can sell such information on the black market and demand ransoms for the safe release and return of such information. It is even possible for hackers to manipulate drug dosages or medical device interactions, breaches that could allow patient care to be manipulated or altered and could even result in deaths.
I am encouraged that many organizations have been waking up to the realization that they may be targeted and that they need to safeguard the important information they maintain about their constituents. I am confident that progress is being made to address security holes in current EMR systems. But it is obviously more difficult to address such weaknesses after a records management system has been implemented. An additional concern relates to the reality that the information technology and security departments in many hospitals are still lacking in the necessary infrastructure to address new and emerging threats.
What makes these issues all the more challenging to address are the interface and interoperability problems that continue to plague many EMR systems, which leave them more susceptible to breaches. Clinicians continue to be frustrated with EMR interfaces because of access controls and privacy reasons. Adding new layers of security and additional training can increase their dissatisfaction.
Programs like the George Washington University’s HealthInformatics@GW online Master of Science in Management of Health Informatics and Analytics program are producing well-trained Health Informatics professionals with the crucial skills needed to help those in the healthcare industry to address these thorny problems to protect patients’ data as vigilantly as their providers safeguard those patients’ health.
Sam Hanna, MBA, CISA, CBCP, CRISC is the program director for the Master of Science in Management of Health Informatics & Analytics (HealthInformatics@GW) program at The George Washington University. Prior to this role, he held leadership positions at global professional services firms where he was responsible for creating and leading large multidisciplinary health industries practices, as well as an investment portfolio in new technologies, solutions and startups. He is a frequent speaker and writer on topics related to entrepreneurship and innovation, health IT, analytics, and the intersection of translational sciences and the business of health. He can be reached at firstname.lastname@example.org