Medical Cybersecurity: Creating A Trusted Digital Health Environment
In an era when information about you is moving around computer systems and file cabinets as much as water moving around the earth, how do you keep data about you and your health safe and secure? There are several ways patient data - data about your wellness, tests you've had, doctors' diagnoses about you, drugs you have prescribed to you - can be kept safe. With all that data out there, you might think that there's a good chance it's swimming around in the sea of the Internet. There are certainly some issues with securing health data, but more and more attention is being focused on this area by both the government and companies in the private sector. Here, I briefly summarize the current situation.
The need for increased health data security
Health data security is far from perfect. Earlier this year, the Office of the Inspector General (OIG) of the Department of Health and Human Services (HHS) issued two reports on the issue highlighting some problems. Quoting the Center for Democracy and Technology's summary of the reports,
The reports draw attention to security problems in the health care industry that have persisted for years and shine a bright spotlight on the urgent need for regulators to more aggressively and effectively address these issues. While the OIG reports are not the first to point out the lack of consistent, strong security protections for health data,hopefully the reports will make data security a more urgent priority for HHS. [There is a] lack of a coordinated and well-executed data security strategy among HHS agencies.
The OIG found that some of the threats to health data security were fairly basic - unlocked rooms of backup patient records,poor computer security on systems holding electronic information. Other, more complex, issues are still fairly obvious - encrypting the transmission of data, for example. Furthermore, there were specific issues concerning the security of electronic health records. The reports essentially concluded that more reviews of compliance were required to make sure that health providers are properly protecting patient data.
In their blog, the Center for Democracy and Technology thought that the reports were "positive" but that they didn't go far enough. They wrote,
Data security is a critical element of a trusted digital health environment. It’s positive that the OIG reports bring additional attention to the extensive security problems in the health care system. However, to effectively resolve systemic data security issues, HHS’ course of action will have to be more comprehensive than the more spotty solutions the OIG reports recommend. More unprompted compliance audits from OCR and more guidance and general standards from both OCR and ONC are a good start, but a more aggressive approach would be for HHS’ agencies to collectively evaluate each of the policy tools at their disposal and identify and implement specific measures that hold providers accountable for implementing strong security policy and technical safeguards. Ensuring end-to-end data security among diverse health care organizations raises numerous practical barriers, of course - but inadequate coordination among federal agencies or their failure to maximize use of existing policy authorities shouldn’t be among them.
When you "hold providers accountable for implementing strong security policy and technical safeguards," as the CDT wrote, what that really boils down to is hospitals and similar institutions working with software companies to create better security controls over various kinds of data on various kinds of hardware. Microsoft is heavily involved in this area, as it turns out.
The road towards a trusted digital health environment
Microsoft's health group, part of its Public Sector division, thinks a lot about the software road towards a trusted digital health environment. What does that mean in practice? A number of things.
One thing Microsoft has is smart filters in Outlook that make sure personally-identifiable information (PII) doesn’t accidentally get sent out in an email. (It even means giving you the power with Rights Management Services (RMS) to press a button in order to make sure the data you put in an email can only be viewed by those you send it to and cannot accidentally be forwarded on, copied or printed.) Another way it manifests itself is in the ability for doctors and patients to have secure, private online conversations using HealthVault. It also means that Microsoft supports the government with its massive stores of patient data with our partners like HiSoftware and HP to ensure data is encrypted and protected.
It turns out that there are other applications to this kind of health data security research too. For example, Microsoft is making more secure consumer gaming systems. The next time you’re playing on your Xbox, you can rest assured that your user profile data is as protected as your patient data would be in the ways described above. The Xbox platform and Kinect Sensorget the same great treatment as hospital patient safety.
Fixing the flaws in health data security will require a good deal of coordinated action between different parts of the government, and between the government and the private sector. It is a complex, multidimensional problem. That said, however, my colleagues and I at Microsoft are constantly thinking about how to build software features that close these identified gaps, work with relevant agencies to translate standards into products, and then interact with health providers to get the software into the hands of users who give care to people just like you every day.
Art credit: Binny V A