Colorado Springs’ fledgling Center for Health Information Cybersecurity will start tackling some of the field’s biggest hurdles in 2017, with the aim of becoming the nation’s key center for health information security expertise.
“The city as a whole is making an effort towards becoming more knowledgeable about security risks and how to meld [security] into the workflow in a way that maintains patient safety and allows the health care workers to do their jobs,” said Lynne VanArsdale, innovation program manager for the Colorado Regional Health Information Organization.
“That effort is spearheaded by the establishment of the Center for Health Information Cybersecurity in partnership with the National Cybersecurity Center.”
Established a year ago, CHIC has a governing board of 11 members, including VanArsdale, NCC CEO Ed Rios and representatives from clinical practice, military and the software industry. It is chaired by James Dodd, CEO of Loop Communications.
Governance and operations are still in formation. CHIC was chartered by COShealth, a partnership of local health care and workforce organizations. VanArsdale said CHIC is seeking project-based funding for a town hall session in June, a Voice of the Customer requirements-gathering study this summer, and a tabletop event on Sept. 27. The NCC currently provides space and services; a location for CHIC will be decided later.
CHIC aims to tap into Colorado Springs’ “wealth of security experts” to create the center for health information cybersecurity, VanArsdale said.
“We are advisers; we provide information and education; we go out and get requirements from the health care arena,” she said. “We’re that conduit between the security world and the health care world.”
CHIC will help cybersecurity experts collaborate with the health care industry to build affordable, painless information security measures and create incentives for health care workers to know and follow security policies.
Cybersecurity is a relatively new consideration in medicine, and health care professionals “really see risk in modifying their workflow to use electronic information and [to make] sure that information stays secure and private,” VanArsdale said.
“It’s not that the health care workers don’t care — they really do care,” she said. “It’s just when push comes to shove on some medical device that’s hooked up to a patient, they’re going to pay attention to that medical device rather than care about leaving a screen open.”
Dr. Marc Ringel, a family physician and author of books on medicine and information technology, said successful information security systems must avoid adding to physicians’ workloads.
“User-friendliness is absolutely the most important [element],” he said. “If it’s not usable, then it won’t be used.”
Needing “a slew of passwords” to access different parts of the data system or hospital records is a roadblock to security, he said. More user-friendly solutions could include a biometric single sign-on based on the retina or thumbprint.
“Whatever it takes, usability is the key,” Ringel said.
The need for more effective cybersecurity in health care is growing. The past six months have seen 169 breaches of unsecured protected health information affecting 500 or more individuals nationwide, according to the Department of Health and Human Services. In total, several million people were affected.
Those figures don’t include breaches that affected fewer than 500 individuals; only breaches affecting 500 or more individuals are reported to the public on the Office of Civil Rights web site.
The array of threats includes personal information being stolen for fraud or for sale on the dark web; unauthorized access; loss or accidental disclosure; the emerging threat of hacking and sabotage of medical systems and devices connected to the Internet of Things; and ransomware.
“Ransomware is on the rise… it is something that’s happening in health care, and it is a threat and something people need to become more aware of and guard against. That is life and death,” VanArsdale said.
The increasing role of information technology in health care has vastly increased the opportunity for large-scale breaches, Ringel said.
“[In 1990] I argued I wasn’t too worried about the security of electronic systems because if you walked into any office … there were paper charts strewn everywhere and anybody could pick them up; and that actually electronic systems with passwords were much more secure,” he recalled. “The trouble is you can steal a whole hell of a lot more in one fell swoop than you can with a pickup load of paper charts.
“The threat is huge. The risk may be less per individual, but in aggregate it’s enormous.”
Technology has also dramatically increased the burden on health care providers, making security measures look like barriers to patient care.
“There are a couple of things I would say from the point of view of a physician,” Ringel said. “It’s the exception when I meet a physician over 50 who wouldn’t quit if he or she could — and a huge part of that has to do with this information revolution.
“Studies are showing that we’re now spending 40 percent of our time making clicks on a computer rather than with patients. Nobody went to medical school for that.”
Physicians and other health care professionals must be involved early in the planning of new systems, to make sure the workload is kept as light as possible.
“You find out how their workflow is, what their values are, how usable what you’re proposing is,” he said. “Then the best thing to do is to design a system that least taxes them.”
Ringel said the work being done by CHIC is “hugely important,” not only in terms of expert-to-expert collaboration, but in gathering information and requirements from professionals on the front lines of health care.
VanArsdale said there are several initiatives underway in Colorado Springs that relate to CHIC’s goals, with “a number of security experts brainstorming and putting together events for … designing systems that would be non-intrusive to the workflow.”
CHIC will unveil a web page in May. For more information, email firstname.lastname@example.org.