By Axel Wirth
There is an inherent conflict between a person’s healthcare needs and a right to privacy. In order to deliver quality care, it would be best if all patient health information were instantaneously available to everybody. At the same time, individuals have certain expectations about the privacy of their personal and sensitive data. Regulations such as HIPAA or GDPR have attempted to define a viable path forward that provides for both—reasonable assurance of information protection without compromising (too much) care providers’ access and rights.
Admittedly, we haven’t achieved perfect balance, as we see almost daily reports of health data breaches. Yet, in spite of all the IT systems and their integration, we all have had our experiences with missing information between different stages of care. And now COVID-19 has tipped this balance, as we had to extend health system capacity through temporary facilities and testing sites, and healthcare delivery through telehealth. This has tested the healthcare system’s ability to manage a complex flow of information through an underprepared infrastructure.
However, providers in many areas didn’t have a choice. The need to treat COVID-19 patients quickly superseded certain privacy and security concerns, so HIPAA enforcement was relaxed to prepare for an unpredictable set of circumstances. Loosened HIPAA regulations allowed providers to deploy large-scale telehealth services and let staff work from home, though that raises cybersecurity concerns.
At the same time, cyber adversaries were not idle and used this state of crisis as an opportunity to make money through a surge of COVID-related ransomware attacks and theft of pandemic-related intellectual property.
Unfortunately, we learned that we were not ready for the challenge. We had to go to war with the cybersecurity we had, and we did as well as we could under the circumstances. But as we emerge from this crisis, we need to assure that we prepare better for the future and build a better healthcare system with better cybersecurity that is capable of protecting patient privacy and valuable intellectual property.
Privacy vs. Security
The relationship between privacy and cybersecurity is a bit like the good old “hen and egg” question. To simplify, privacy establishes high level objectives and specific requirements that need to be met, and security is one of the tools that can be used to meet them. In other words, security becomes an enabler for privacy, but security without context is largely meaningless and will be misguided. Additionally, security is also an enabler for non-privacy priorities, ranging from protecting patient safety and assuring reliable care delivery, to managing business and operational objectives, such as keeping the lights on and the doors open, protecting a business’s reputation, and avoiding lawsuits and fines.
The relationship between privacy and security is nicely explained by comparing the HIPAA Privacy and Security Rules. The Privacy Rule regulates how information can be shared, who has access, the patient’s rights to their information, and many other aspects. It applies equally to digital data, paper files, and even the spoken word. The HIPAA Security Rule, on the other hand, is very specific to electronic (digital) data and how a covered entity should assess and manage risks to their digital infrastructure, protect access, and in general assure data confidentiality, integrity, and availability (the C-I-A Triad). So, the Privacy Rule defines the general requirements, whereas the Security Rule defines the specifics that need to be met for electronic data.
I have at times, admittedly, been a critic of HIPAA, as I have my doubts whether it really has made us a more secure healthcare ecosystem. The intentions may have been good, but the practical implementations (combined with weak enforcement) have led to a compliance-focused approach to security, which unfortunately was never sufficient. It may have kept adversaries at bay back in 2003, but unfortunately our infrastructure complexity has significantly increased (and has become more distributed), and cyber adversaries have become more sophisticated and have significantly grown in numbers. As the security executive Ted Harrington put it a few years ago: “Compliance only works if your enemy is the compliance auditor.” Unfortunately, in 2020 that is no longer true, as the lines between individual hackers, cybercriminals, nation states, and cyber activists have become blurred at best.
To recap, HIPAA has provided a disservice as it allocates compliance dollars away from security dollars. These two have little overlap in reality but are perceived to be perfectly aligned. In my personal opinion, we should look at more recent and timely privacy regulations like GDPR or CCPA and more current security frameworks like the NIST Cybersecurity Framework to guide us into the future.
Privacy and Cybersecurity During and After the Crisis
In recognition of the unprecedented health crisis and the need to keep patients out of healthcare providers’ offices, urgent care clinics, and emergency rooms, the US Department of Health and Human Services’ Office for Civil Rights (OCR) has provided temporary relaxation of HIPAA enforcement for telehealth services. However, it must be assumed that there is no going back to normal. Although for practical considerations some of these services will return to face-to-face visits, the financial and convenience aspects will make telehealth something that is here to stay.
But the regulatory compromise is not here to stay. In other words, healthcare organizations need to start shifting to a remote care model that does not compromise privacy. Over the past few months, there have been several examples of privacy violations, e.g., misrouted faxes and emails, that were, under the circumstances, unavoidable. Patients had to get swabbed in a temporary facility somewhere in a parking lot, samples were sent to a lab facility that was recently stood up in a former office building, and the results had to get back to the patient somehow. Although integration standards for lab workflows exist, this was not the time to implement and test them, and the system fell back on known but insecure information exchange methods, such as email and fax.
The takeaway from this crisis is twofold. First, hospitals need to transition this new infrastructure (remote and telehealth) to a more secure backbone and provide for the same level of care and privacy as with traditional office visits. Especially in light of the expected structural and financial challenges for many rural and critical access health systems, telehealth becomes a key part of solving the challenges of the near future.
Second, more brain power should be spent on how to enable future health system surges so hospitals can scale without compromise. Standards and practices for secure data interchange exist but have never been tested for rapid deployment and scalability—models for this need to be developed in the near future.
To support this transformation and to assure that regulatory (and patient) privacy expectations are met, cybersecurity measures need to be considered. A new approach will be required to protect this rapidly changing and highly distributed infrastructure, comprising devices and gateways placed in patients’ homes as well as cloud services providing data aggregation and analysis, ultimately routing information and results to the healthcare provider.
Hospitals can no longer rely on traditional network- and perimeter-based defenses to offset the security shortcomings of devices, or on skilled personnel to securely configure and maintain them. Devices need to be proactively secured as well as easy to deploy and maintain. Data needs to be encrypted at the source, as it cannot be assumed that the data path over home and public networks and cloud infrastructure will be secure. Healthcare organizations will also need to deal with new security and privacy risks. For example, device data routed via a smartphone could be supplemented with new information that could be clinically beneficial but may raise privacy concerns around the use of location data.
Another lesson learned from the pandemic relates to the challenges of not having sufficient emergency supplies of equipment, from personal protective equipment (PPE) to ventilators and patient monitors. It has to be assumed (or hoped) that going forward the healthcare industry will be better prepared and that healthcare providers, as well as state and federal governments, will have a better stockpile of emergency equipment. Such warehoused equipment needs to be managed, as some of it, such as PPE and battery-powered devices, will have a limited shelf life. But software-based, i.e., security-sensitive, devices that may be stored for years will also need to be managed. It is neither practical to maintain their security posture by traditional means, nor is it possible to install years’ worth of software updates at some point in the future when the device is being deployed in an emergency.
These are two very different examples of how the pandemic crisis will affect the health system and of how cybersecurity will be crucial for this new infrastructure, be it telehealth or emergency supplies. But in either case it is obvious that security will need to be proactive and designed into solutions from the ground up, rather than reactive and applied in hindsight.
It will take time to see the full impact of COVID-19 on the healthcare system and what the expected implications on privacy and security will be.
Although the expected changes will be significant and will both be enabled by and drive technology change, healthcare cannot succeed without understanding the implications for privacy and cybersecurity. This will require that we adapt our expectations, our regulations and laws, and our security capabilities. After all, we owe it to our patients.
Axel Wirth (firstname.lastname@example.org) is chief security strategist at MedCrypt.