The Healthcare Tech Evolution; and What Happened When Security Didn't Get Invited to the Party
Grapes and mac & cheese: two items that my son has a unique affection for.
In a recent short stay in a local hospital, everyone was aware of this love affair. So much so, a nurse in a neighboring facility made a joke about it in preparation for a future visit (she read it in his chart). “We’ll make sure we have his favorites ready to go!”
We had a chuckle, then I was slightly disturbed – occupational hazard.
Nearly every machine, hand-held device, operating room, patient room, door, facility, drawer, charts, down to the noodles in the cafeteria carry patient information.
Down. To. The Noodles.
All that data – from his love for mac & cheese to the rate of curvature in his spine – is under siege. It’s guerrilla warfare for information.
Every facet of healthcare depends on a massive amount of technology. That tech is also in various stages of “secure.” When was the last time an MRI machine was reviewed for vulnerabilities? What about your family member’s pacemaker? Or the digital locks on pharmacy cabinets? Access reviews for visiting medical staff personnel?
We can save the discussion on third party vendors with hospital facility access for another day. Only so many hills I can climb in one blog post.
We can all agree, technology has vastly improved the practice of medicine, delivery of care, and available options for treatment. Just comparing my pediatric visits to my children’s, the entire landscape has advanced tremendously.
With advanced robotic surgical procedures, tele-med mental health practices, and the ability to study and advance research, medicine itself has leapt ahead in every category. Digitizing healthcare has enabled broader delivery and removed many barriers to receiving quality care.
In making these advances, healthcare has become largely dependent on tech. Unfortunately, the investment in securing that tech hasn’t been given nearly as much care and feeding. Our growing dependence, with limited investment in protection, exposed vulnerabilities that are being exploited at every opportunity.
When a patient, parent, or family member is faced with a decision on critical care, the security of or access to their personal data is the furthest thing from their mind (as it should be). Everyone in the patient care ecosystem assumes that data privacy and security are being handled. The general assumption is that security is governed by “someone” behind the scenes. But what if those someones have no budget and in the operating room, your medical history is inaccessible due to a ransomware attack?
Earlier this month, we discussed the significant threats facing the overall Healthcare Industry. In 2021 alone, healthcare organizations reported a breach or exposure of over 45M patient records, a 30% increase from 2020. Many of these breaches involved unpatched software vulnerabilities, inadequate access controls, and other security gaps that facilitated access to sensitive patient data. All seemingly preventable with reasonable and basic security practices and tools.
COVID-19 accelerated the adoption of digital health technologies, with telehealth visits increasing 38X in 2020 with little initial thought to securing that mode of delivery.
Rapid technology deployment in any instance typically leads to increased risk. In the health industry, that risk is exponentially higher. As an example, the FDA has only cleared about 40 of over 300,000 health apps available in app stores, meaning the vast majority are not vetted for clinical effectiveness or safety, much less security or privacy features. This not only poses the risk of individuals receiving faulty health advice, but also misuse, abuse, or theft of their information.
Hallway signs to remind caregivers not to discuss patient information in public spaces are not a “win” for IT personnel. Neither are HIPAA refresher courses or relying solely on physical badging controls to secure and protect critical data.
The risk of misdiagnoses, physician burnout, an inability to access patient records or prior treatments/allergies, and privacy concerns over data collection are just the tip of the iceberg.
How can we steer this ship back on course? We can start by prioritizing the harmony of our investments.
To be crystal clear:
- Funding patient care does not deprioritize security initiatives.
- Funding security initiatives doesn’t deprioritize patient care.
These things are not mutually exclusive! They are both essential pillars of providing consistent and quality medical treatment and are imperative to ensuring positive patient results.
Technology innovation has massive potential to improve the quality of and access to care, but we must prioritize the implementation of security, privacy, and clinical governance controls to safely realize these benefits.
Ensuring that we rebalance the investments in security and privacy to meet provider delivery creates the symbiotic relationship necessary for success.
Partnerships between technology vendors and healthcare organizations can further help guide the responsible adoption of emerging digital health platforms with necessary security protocols. Provider ethics and the moral responsibility to increase patient outcomes is then more closely married to the technology supporting that mission.
Without technology, caregivers are not enabled to provide good patient care. Plain and simple.
Aligning our operational and clinical objectives with the necessary security and governance protocols to ensure providers have what they need, and patients are protected, equals positive patient outcomes. Isn’t that the overall objective? To improve the quality and longevity of life.
With that theory, the justification and support for reasonable funding should be a formality. As HealthTech and the practice and delivery of medicine advances, so should our ability to protect it.
Without that protection, we may as well go back to playing Hasbro’s Operation game in our parent’s basement.