Health IT’s most pressing issues are too numerous to be contained in a single post, as this third installment in our series on the sector’s biggest IT issues makes obvious. Opinions differ on which issues matter most, but the sector clearly faces many overwhelming problems. Data, security, interoperability and compliance are some of the more obvious, according to the following experts, but those are not all, as you likely know and as we’ll continue to see.
Here, we continue to offer the perspectives of healthcare insiders on health IT’s greatest problems and where we should be spending a good deal, if not most, of our focus. If you’d like to read the earlier installments in the series, go here: Health IT’s Most Pressing Issues and Health IT’s Most Pressing Issues (Part 2). Also, feel free to let us know if you agree with the following, or add what you think are some of the sector’s biggest boondoggles.
Reuven Harrison, CTO and co-founder, Tufin
The healthcare industry has undoubtedly become a bigger target for security threats and data breaches in recent years, and in my opinion that can be attributed in large part to the industry’s movement to virtualization and the cloud. Adopting these agile, effective and cost-effective modern technological trends also widens the network’s attack surface area and, in turn, raises the potential risk for security threats.
We actually conducted some research recently that addresses evolving security challenges, including those impacting the healthcare industry, with the introduction of cloud infrastructures. The issue is highlighted by the fact that the growing popularity of cloud adoption has been identified as one of the key reasons IT and security professionals (57 percent) find securing their networks more difficult today than two years ago.
Paul Brient, CEO, PatientKeeper, Inc.
No industry on Earth has computerized its operations with a goal to reduce productivity and efficiency. That would be absurd. Yet we see countless articles and complaints by physicians about the fact that computerization of their workflows has made them less productive, less efficient and potentially less effective. An EHR is supposed to “automate and streamline the clinician’s workflow.” But does it really? Unfortunately, no. At least not yet. Impediments to using hospital EHRs demand attention because physicians are by far the most expensive and limited resource in the healthcare system. Hopefully, the next few years will bring about the innovation and new approaches necessary to make EHRs truly work for physicians. Otherwise, the $36 billion and the countless hours hospitals across the country have spent implementing electronic systems will have been squandered.
Mounil Patel, strategic technology consultant, Mimecast
Email security is one of healthcare’s top IT issues, thanks, in part, to budget constraints. Many healthcare organizations have already allocated the majority of IT dollars to improving systems that manage electronic patient records in order to meet HIPAA compliance. As such, data security may fall by the wayside, leaving sensitive customer information vulnerable to sophisticated cyber-attacks that combine social engineering and spear-phishing to penetrate organizations’ networks and steal critical data. Most of the major data breaches that have occurred over the past year have been initiated by this type of email-based threat. The only defense against this level of attack is a layered approach to security, which has evolved beyond traditional email security solutions that may have been adequate a few years ago, but are no longer a match for highly targeted spear-phishing attacks.
Dr. Rae Hayward, HCISPP, director of education and training at (ISC)²
According to the 2015 (ISC)² Global Information Security Workforce Study, global healthcare industry professionals identified the following top security threats as the most concerning: malware (77 percent), application vulnerabilities (74 percent), configuration mistakes/oversights (70 percent), mobile devices (69 percent) and faulty network/system configuration (65 percent). Also, customer privacy violations, damage to the organization’s reputation and breach of laws and regulations were ranked equally as top priorities for healthcare IT security professionals.
So what do these professionals believe will help to resolve these issues? Healthcare respondents believe that network monitoring and intelligence (76 percent), along with improved intrusion detection and prevention technologies (73 percent) are security technologies that will provide significant improvements to the security posture of their organizations. Other research shows that having a business continuity management plan involved in remediation efforts will help to reduce the costs associated with a breach. Having a formal incident response plan in place prior to any incident decreases the average cost of the data breach. A strong security posture decreases not only incidents, but also the loss of data when a breach occurs.
Terry Edwards, CEO, PerfectServe
One of the major challenges the healthcare industry is navigating is how to enable more effective communication and collaboration across care teams, while also being HIPAA compliant. Physicians, nurses and all care team members need to be able to send and receive information on a patient’s condition in real-time, without compromising protected health information.
Providers often try to address secure communication with point solutions (secure texting), yet these tools are incomplete and the kind of collaboration that needs to occur doesn’t happen. In many cases, it’s just too hard for one clinician to connect with other care team members because the initiator needs to know the workflow of the person they need to reach.
For example, a physician who admits a patient into a hospitalist service may be listed in the EHR as the attending doctor. However, the patient is likely to be reassigned to a different hospitalist, say one of seven in the group, within a few hours. In the EHR, the name of the admitting doctor does not change. So, the question becomes, “Who is the hospitalist covering the patient right now?” An effective communication solution will address this variable as part of the communications process. Building on this, rotating schedules and multiple communication modalities create uncertainty for how to reach a clinician at any given point. All of this contributes to delays in patient care.
As an industry, we’re making strides to facilitate more efficient and secure communication and collaboration, but the challenge needs to be addressed at the root – which is about process and workflow.
Dwain Wright, senior security consultant, ControlScan
From an IT security standpoint, poorly managed third-party relationships continue to create multiple points of vulnerability for healthcare organizations. These relationships include application management, installation of services and the management of security infrastructure (firewalls, malware systems, etc.).
There are three primary reasons today’s third-party relationships are unnecessarily risky:
1. Lack of due diligence in up-front discussions — When purchasing a piece of software or a service, many HIT professionals are walking away from the table without a clear understanding of what’s required to maintain the security posture of the product once it’s installed in their environment. Similarly, while the third party may be providing a service, you still have to be knowledgeable on how that service will be performed such that it won’t impact the security posture or practices of your organization. It’s also essential to properly vet the service provider based upon their own security posture and credentials.
2. Lack of oversight during implementation — All software is “customizable” to some extent. At best, the third-party provider will establish initial settings that conform to their understanding of your IT organization. Unfortunately, we see many instances where settings have been incorrectly configured or left at their defaults. It is the HIT professional’s responsibility to ensure that all software, apps and services are implemented in accordance with data security and privacy best practices and standards.
3. Lack of formal, defined processes for maintenance and updates – As mentioned in #1 above, many HIT professionals are behind from the very beginning because they don’t ask important security-related questions early in the relationship. Consequently, we see many instances where patches and updates aren’t applied in a timely manner, or even at all. This is especially prevalent when internal and external roles and responsibilities aren’t pre-defined.
Recently I was on-site with an organization that manages a network of hospitals and clinics. We were discussing the settings of a specific application and determined that it was necessary to contact the third-party vendor for clarification. While we were talking with the vendor, they remotely accessed the application before our very eyes, without any granting of access on the client side! The client was completely unaware that the vendor had this capability.
Third-party relationships are not bad in and of themselves; in fact, they are essential to organizational growth. The key is to build those relationships on strong communication and knowledge sharing so that your organization and the information it works with remain secure.
Dr. Donald Donahue, Lieutenant Colonel, U.S. Army (Ret.)
The single greatest issue facing health IT is interoperability. When health systems cannot share data — or worse, when functions within a healthcare facility cannot share information — the promise of improved outcomes and lower costs evaporates.