Hospital execs: Lack of standards the biggest barrier to keeping health data secure

A lack of standards when it comes to cybersecurity in healthcare is a barrier to stopping threats, improving interoperability and retaining patient trust, according to a group of hospital executives speaking Tuesday at a National Health IT Week event in the District of Columbia.

During the panel discussion, sponsored by the College of Healthcare Information Management Executives, the executives said that healthcare organizations need to work with both private and public sector partners to create a security framework.

"When we talk about the interconnection of information systems ... the biggest concern I have is there's a lack of consistency," said Matthew Snyder, chief information security officer at Penn State Milton S. Hershey Medical Center. "Everybody is doing something different and that's just a recipe for disaster."

While the panelists noted there are standards out there, NIST and HITRUST included, they agreed that there needs to be a single agency to take control and look at the issue in a finite manner, said Aaron Miri, chief information officer at Dallas-based Walnut Hill Medical Center.

"Right now you have multiple sheriffs on the road, all saying they have different speed limits. So, which is right, which one is wrong?" Miri asked. "NIST is a fantastic framework, HITRUST is a fantastic framework, but which one is it? Which one am I going to be held accountable to?"

Tim Zoph, senior vice president of Northwestern Medicine, also said challenges arise when healthcare providers consolidate. As bigger entities acquire smaller ones, there will be added complexity in integrating systems while ensuring they are secure.

"Complexity is the enemy of good security," Zoph said. "Now you've got to deal with a plethora of systems, and ... individual physician practices or maybe even small organizations just don't have the level of sophistication to be able to manage the security framework."

It's also important for a chief information officer to reach out beyond the hospital's four walls to learn from others about how to keep systems secure, Miri said. There need to be avenues for healthcare entities to reach out easily and concisely to other industries to learn about the best ways to handle increasing security risks.

Zoph agreed, adding that despite the differences in the types of information being secured in various industries, they all share common threats.

"We need to be engaged with those other critical sectors ... looking at their response, how they're managing it, the standards they're using, the level of sophistication, we can educate our own organizations about how to do more," Zoph said.

The panelists also all agreed on one thing: Attacks on the healthcare industry will only continue to grow and the conversation on security must continue well after National Health IT Week ends.