Health industry lacks 'security advocacy'

The healthcare industry needs more "security advocacy" for privacy to improve, according to Suzanne Widup, a senior analyst and co-author of Verizon's latest data breach investigations report, published this month.

Widup, in a recent interview with MedCity News, said that at present, security visibility in healthcare remains low. "We have been trying to work with professional associations, but we have not had much success there," Widup told MedCity News. "I have not really seen much in the way of leadership in healthcare for advocacy in this area."

Widup's sentiments seem to echo those of U.S. Department of Health & Human Services Chief Information Security Officer Kevin Charest, who recently said that healthcare organizations need to improve their "basic blocking and tackling" in terms of health IT security.

"Organizations are realizing their internal playbooks are not as complete as they need to be," said Charest, who served as an exercise captain for a recent cyber attack simulation conducted by HHS and the Health Information Trust Alliance. The simulation revealed that healthcare organizations need to better engage stakeholders in their IT security preparedness plans.

Human error and privilege abuse are also areas of concern, according to Widup and the Verizon report. On the latter, close to 12,000 incidents took place in 2013 alone in which privileged access was used to view and transmit private information (a figure not limited to healthcare organizations).

Privacy and security will be constant themes for efforts put forth by the Office of the National Coordinator for Health IT, National Coordinator Karen DeSalvo recently pointed out. "We consider privacy and security an important part of the work that we do," DeSalvo told HealthcareInfoSecurity in a recent interview. "It's increasingly complex as we think through care models, mobile health, e-health, telehealth and the broader issues of big data and how we make certain that people's health information is first and foremost there to improve their care wherever they are."

Privacy, according to Joel Reidenberg, a visiting professor of computer science at Princeton and a professor at Fordham University's School of Law, could crash big data in healthcare if not handled correctly.

Meanwhile, a report published in February by The SANS Institute called the status of healthcare security "alarming," pointing out that cybersecurity strategies have fallen behind.
