BOSTON, Mass. – Healthcare is at the cusp of transformative change, and in few areas is this more manifest than in data security, with the next several years seeing the accelerated proliferation of aggregated data, machine learning, telemedicine and heath-enabled mobile devices. There’s great opportunity here, but also more risk, as hackers and malicious actors will have new targets in the war for data.
Delivering a keynote address at the Healthcare Security Forum in Boston on Tuesday, Dr. John Halamka, the newly-named president of the digital health initiative Mayo Clinic Platform, said more data is being used for more purposes by more people — and healthcare will have its work cut out for it in order to be ready.
The problem of data aggregation in particular is that it begets the need for cloud storage, which potentially makes data more exposed. Currently, companies like Google and Microsoft — which can have upwards of 5,000 data security professionals on the task — are better at handling aggregated data than the typical health system, which by comparison may have a dozen or so people assigned to be stewards of digital patient information.
That means a significant migration of data to the cloud, but that presents problems of its own.
“How do you lock it at night? I worry about the loss of control,” said Halamka.
One of the headaches with which healthcare will grapple is that, as the cloud migration takes place, 80% of an organization’s security training isn’t as relevant because it will now be dealing with different dashboards and control mechanisms. Professionals will be operating in a completely new environment.
With hackers getting more sophisticated, this transitional data limbo could leave a window open for data thieves.
“If a hacker is going to go after large amounts of data sets, are they going after Fort Knox, or a cardboard box? They’re going after the cardboard box,” Halamka said. “This is one of our main concerns about the migration to the cloud.”
The advent of machine learning, he said, won’t mean that doctors get replaced. Rather, the technology will handle more prosaic tasks, and this will prove especially useful for providers trying to reduce medical expenses by harnessing the technology to augment human decision-making. The endgame is more personalized precision medicine, but that leaves the door open for more risk as well.
“If we’re now dependent on machine learning and AI, what happens when the AI is corrupted? What if an adversary wants to pollute my data set, and I end up with an algorithm that’s not set for purpose? These are things we have to start to consider,” Halamka said.
The spread of telemedicine and health-enabled mobile devices is signaling further change in healthcare, and while conveniences abound — allowing patients to avoid unnecessary emergency room trips, for example, and send high-resolution images to providers — that also introduces new security concerns, as many of these devices lack robust security protections. Among the concerns are malware and denial of service, especially if hackers gain access to APIs.
Perhaps one of the trickiest data security issues causing consternation among healthcare IT professionals is the increasing need for interoperability, especially as payment models transition from fee-for-service to a value-based framework.
“It used to be (that) you could have information silos, where data is an asset,” Halamka said. “In a value-based purchasing world, that’s not the case. An MRI used to be a moneymaker. Now it’s a cost. We want more and more data liquidity if we’re going to survive in a value-based world.”
Massachusetts may have a possible model for the future. It has enacted rules creating a credentialing program dictating what constitutes a good data steward. If a company has gone through a certification program and can prove to the state that it has strong security controls, training and all the rest, it will be allowed to play what Halamka called “the interoperability game.”
“It’s important for organizations because we are as weak as the weakest link we share,” he said.
While these are but some of the considerations facing healthcare professionals over the next several years, health systems and providers will have to assume some level of risk to survive.
“It’s really hard to fundamentally change your infrastructure while maintaining reliability and security,” said Halamka. “We won’t be fully equipped to do this over the next five years. … Regardless of your politics and your belief in Obamacare and the ACA, the move to value instead of fee-for-service is the trajectory of healthcare in this country. That is where we’re going to go.”
Email the writer: email@example.com