The healthcare community uses security as a crutch to deny the sharing of patient data. That has to stop, according to Athenahealth CISO Taylor Lehmann.
Healthcare cybersecurity is needed to protect patient data, but it shouldn't impede interoperability.
That's according to Taylor Lehmann, vice president and chief information security officer for EHR vendor Athenahealth, Inc. He argued that healthcare cybersecurity needs to be retooled, since it can often be a hurdle for providers to share health data.
The current security model for a healthcare organization often includes confidentiality, integrity and availability, with an emphasis on confidentiality. Going forward, Lehmann said the security focus should shift away from solely considering confidentiality, which can limit access to health data, and toward integrity and availability, which means ensuring the data is trustworthy and access to that data is reliable. To get there, EHR vendors and providers alike will have to embrace a more open data platform and find ways to see security as a valuable tool for data sharing.
"We're raising our hand saying, 'We can't do that securely, therefore we won't do it,'" he said at the 2019 Redox Healthcare Interoperability Summit in Boston. "We've got to get over those hurdles."
Healthcare cybersecurity's impact
EHR vendors and healthcare organizations need to have good healthcare cybersecurity practices, but they often use it as a crutch to deny the sharing of health data, keeping patients within a specific set of providers and systems, Lehmann said. He added that there is a lack of incentive in the healthcare market for EHRs to be more open.
We're raising our hand saying, 'We can't do that securely, therefore we won't do it.' We've got to get over those hurdles.
Taylor LehmannVice president and CISO, Athenahealth Inc.
"EHRs are designed to stay closed," Lehmann said. "We say, 'Oh, that's a security issue, that's why we do that.' But it really is, economically, EHRs and therefore the providers that buy them are incentivized to stay that way."
But creating data-sharing roadblocks can affect care delivery and create operational and safety issues, Lehmann said. Instead, the healthcare community needs to break down the data silos and focus on how to securely make the data trustworthy, accurate and available.
Lehmann said it's important to build software from the perspective of patients without assuming they don't know how to safely handle their own data. That's a concern the healthcare community has raised with the Office of the National Coordinator for Health IT as it works to enact rules that make health data access easier.
Taylor Lehmann
Lehmann said figuring out a way to incentivize EHR vendors and providers to be more open could make interoperability easier and security simpler.
Building a secure healthcare environment
For healthcare vendors, Lehmann said the first step is picking a basic cybersecurity standard to follow.
Lehmann recommended the National Institute of Standards and Technology (NIST) Cybersecurity Framework as a way to demonstrate healthcare cybersecurity preparedness. The framework outlines a set of best cybersecurity practices, and he suggested vendors should implement the framework's recommended security controls, such as data access control policies, and then have a plan to mature those controls.
Second, vendors should pick a software security development and secure testing methodology, such as the Building Security In Maturity Model (BSIMM), or the Software Assurance Maturity Model (SAMM). SAMM is an open framework that can help vendors create and implement a software security strategy.
Lehmann said there are also opportunities to achieve security certifications, such as the Health Information Trust Alliance (HITRUST) Common Security Framework certification, which he said can go a long way in verifying the vendor products' security.
For healthcare organizations, Lehmann said protecting patient data means investing in and managing three security controls: patching, multi-factor authentication and email. Doing so can stop 90% of cyberattacks for healthcare organizations, he said.
Lehmann pointed to a recent Verizon Data Breach Investigations Report, which studied 41,686 reported security incidents and 2,013 data breaches, to back up his point. The report mapped most of the security incidents and breaches back to a failure of one of those three controls, Lehmann said.
"If you have strong hygiene on those three controls, then you're going to nail most of the bad things that come at you," he said.
Taylor Lehmann
