I’m not a security expert. I’m a strategy officer for a health plan. My job is to connect the dots on factors that could impact our strategic future. I have to say the dots related to privacy and security are threatening. Like many of you, I received emails from Marriott and American Express after the Epsilon breach years ago saying my credentials had been stolen. More recently, I’ve had similar messages from Sony, Target, Home Depot and others.
This year these dots directly impacted healthcare. My daughter, business colleagues and neighbors, along with 90 million other people, received Anthem and Premera letters giving them credit tracking and fraud insurance. CareFirst just had a 1.1 million member breach. And the OIG claims to have warned one of them that their information was at risk. This problem is not new. It has been on the MCEG/HCEG Top 10 issues 3 of the last 6 years, but keeps getting bumped by other priorities, such as ICD-10, the ACA and others. I’ve just finished the day at AHIP’s pre-conference forum on Cybersecurity, Technology and Infrastructure. It was excellent but disturbing as to where we are at in cybersecurity as an industry.
Why is healthcare security now more critical? The financial world doesn’t have a security system; they have a remuneration system. Money goes missing from my account and they put the dollars back: no harm, no foul, I’m secure, right? It is different in healthcare. Unconscious in an ER after an accident, if my blood type or medications come up in an EMR because someone used my identity for a fraudulent procedure, it just might cost me my life. No one can put that back in the account. Finding out I’ve exceeded my dental plan deductible because someone already had a root canal and crown using my stolen Dental Plan ID makes me acutely aware that my personal information is not secure.
Attempting to connect these dots reminds me of Whack-a-Mole at the circus. We have a mallet in both hands and are pounding down the gophers (cybercriminals, in this case) just as fast as we can. The problem is that there are a lot more dedicated and financially rewarded cybercriminals (as banks just keep reimbursing their fraudulent transactions) than we have mallets. Risk management versus risk avoidance continues to feed the beast. RSA’s President, Amit Yoran, said recently that the threat landscape has changed and we have to constantly challenge the existing thinking to get ahead of our adversaries. RSA should know, as they had their own significant security breach a few years ago affecting dozens of governments around the world and almost every major defense contractor.
This is a serious trend in healthcare with serious implications. And it is a battle we are obviously losing. I suggest that we need to do more than challenge our existing thinking; we need a whole new way of thinking! Without a whole new approach and focus on security, the credibility and future of healthcare could be in serious jeopardy. The HealthCare Executive Group is accelerating the dialogue on critical issues like security with the launch of the HCEG Webinar Series. Join in the open discussion on June 17th by registering at ww.hceg.org/webinars. We will pick this discussion back up then.