Ransomware attacks on health plans and hospital systems appear to have become commonplace in the last couple of years. One report from Comparitech indicated that more than 600 healthcare enterprises experienced ransomware attacks in 2020, resulting in lawsuits, ransom payments, lost revenue, and fees to rebuild lost data, impacting 18 million health consumers. According to the Brookings Institute, the US averages 10 to 15 networked medical devices per hospital bed, reflecting the magnitude of static protected health information (PHI) and real-time clinical data impacting life and death.
This trend is a driver for health consumers to adopt a more decentralized data governance model in which they decide how their data is managed.
Regulatory controls and enterprise capabilities are woefully inadequate to protect PHI
Regulatory bodies struggle to get ahead of bad actors and mitigate or defeat risks. HIPAA and HITECH, while robust, are not by any means sufficient for helping enterprises combat cyber threats, primarily because they are not dynamic enough to cater to evolving threat vectors. Instead, they drive enterprises’ compliance behaviors, designed to check the “security” box instead of driving to data safety (see Exhibit 1).
Exhibit 1: Centralized data centralizes data compromise
Source: HFS Research, 2021
Consequently, most healthcare enterprises have invested in strengthening their cybersecurity capabilities. Programs include attracting talented CISOs and building IT security organizations, driving enterprise awareness and education to all employees as a force multiplier to thwart bad actor activities, and implementing the latest in technology solutions, such as leveraging emerging technologies like artificial intelligence (AI) and machine learning (ML) to support security orchestration, automation, and response (SOAR).
Despite these efforts, the frequency and strength of cyberattacks on healthcare continue to gain momentum. In fact, at HIMSS 2021, the discussion shifted to whether enterprises should pay ransoms to return to operations—an argument in defeatism to bow to the whims of cyber crooks instead of doubling down on practical solutions that will make it hard to impossible for bad actors to win.
Accountability and governance of health data must be the consumers
It must be acknowledged that regulations and enterprise efforts have not been sufficient, though the argument that it could be worse without the contemporary efforts remains valid. Still, the threat remains larger than ever, and we must explore alternate paradigms.
In 2020, CMS released rules allowing consumers to download their electronic health records and other health care data onto their smartphones. The rules do not make sense given “my” healthcare records are and will always be “mine,” as implied in “my health records.” There are multiple solutions in the market, such as Apple’s Health app, Health Vault, and Capzule PHR, allowing consumers to securely capture, store, maintain, and share their health records.
Allowing consumers to manage their health records will distribute data, shifting control away from aggregated data residing with health plans and hospital systems. Distributing data will reduce the risk profile, translating into a higher barrier for bad actors to access, aggregate, and misuse health data. Individual datasets will not be as large and rich when consumers hold the keys to their health data, mitigating attack motivations (see Exhibit 2). In the same vein, the consumer data set will be a 360-degree view supporting a person’s whole health instead of just their healthcare.
Exhibit 2: Distributed data governance model transfers accountability for sharing and securing data to consumers
Source: HFS Research, 2021
The disintermediation of health data will personalize security breaches, and consumers will be accountable for them. Ultimately, healthcare enterprises will not be responsible for day-to-day governance and management, and the load on regulators will lighten. Consumers will need to handle security breaches and communicate these events to the relevant regulatory bodies just like they would when their financial information security is breached.
Plans and providers can harness emerging technologies to secure on-demand data access
While distributed data will reduce the risk of cyberattacks, health plans and providers will still need access to PHI and other real-time clinical information to facilitate interventions. The choice of emerging technologies will facilitate such transfers securely.
For instance, a decentralized network for data transfer, enabled by blockchain, increases resilience in a data breach. Given the nature of the distributed network, there will be no single point of failure. If attackers exploited an individual’s credentials via phone spear-phishing, they would not be able to access the internal systems of healthcare enterprises and gain sensitive information from other individuals—the breach will be contained by design.
Another approach is providing healthcare enterprises with just-in-time data access; consumers could grant healthcare entities access to their health data, via mobile devices, for predetermined periods or on an as-needed basis. Consumers could base the level of access they grant on how much they trust each entity when it’s time to share.
The Bottom Line: Health consumers must step up and own their health data so that plans and providers can distribute data, dilute their risk profile, and build an effective defensive security posture.
Health plans’ and providers’ delivery value chains are analog and ill-suited for the 21st century when consumers live in a three-dimensional digital world. This fundamental disconnect, combined with the sophistication of bad actors, has brought us to the point where consumers need to own their healthcare data. But it is important to recognize that accountability has a price. Consumers will have to spend time managing their health data and, more importantly, governing how enterprises access and use it. The paradigm shift will also require consumers to become more tech-savvy and embrace what emerging technologies can offer.
The paradigm shift is an opportunity for healthcare enterprises to reconsider their organizational construct and strengthen their value proposition. At the same time, service providers have an opportunity to facilitate the distribution of healthcare data and help consumers set up, manage, and maintain it. Will all these entities step up? Or is the inertia of the status quo powerful enough that we let bad guys continue to steal with glee?