Editor’s Note: In this episode of the Oliver Wyman Health Podcast, Sam Hanna, Professor of Healthcare Management, Policy, and Strategy at George Washington University, and former Senior Director at PwC and Chief HIPAA Security and Privacy Officer at the Dana Farber Cancer Institute, discusses his views on cybersecurity with Sam Glick, Oliver Wyman’s Health & Life Sciences Partner. Here’s more on Sam Hanna’s cybersecurity perspective, adapted from GW Health Policy Matters.
I once listened to a multidisciplinary group of clinicians, biologists, technology developers, and data scientists from government, industry, and academia at the National Cancer Institute on Precision Medicine, Wearable Technology and Big Data Informatics talk passionately about monitoring cancer patients with real-time data using wearable, implantable, and external sensor technologies. The data they collected and analyzed was helping clinicians decide which treatments and medications best suited different cancer patients’ needs, and was letting caregivers more easily monitor patients’ post-therapy fatigue levels.
But these wearable technology devices, although promising, pose potentially catastrophic emotional and physical cybersecurity risks for healthcare consumers.
Protecting Patient Information is Critical for Advancing Patient Care
Healthcare businesses are finally waking up to the harsh reality that their patient-consumer data is dangerously sensitive. Cybercriminals’ stealth is unprecedented. Beyond emotional effects for consumers are irreversible physical effects, like unintended death. For instance, hackers now have the frightening ability to control a patient’s medical device, turn off a pacemaker without warning, or suddenly change someone’s prescription instructions without either the patient’s or pharmacist’s knowledge.
The healthcare industry, the second largest sector of the United States economy, reportedly experiences twice the number of cyberattacks as other industries. This is perhaps because health data has an unparalleled density and richness compared to, say, online shopping data or banking data. Although data breaches and leaks happen across other industries, what makes a healthcare data breach different is its potentially disastrous consequences for consumers’ greater lives. For instance, whereas a hacked financial institution can advise its customers to change their usernames and passwords, thereby rendering stolen banking information useless, a hacked healthcare institution may end up learning its consumers’ stolen social security numbers, medical records, and home addresses have been sold on the black market for ransom.
Over the past decade, healthcare industry businesses invested billions in electronic medical records (EMR) software. But most of these investments failed when it came to security and privacy, because they, along with other ancillary devices and systems, were set up to manage a cyberattack after, not before, a data emergency occurred.
Nonetheless, both technology utilization and implementation of supportive infrastructure that prevents cyberattacks have been sluggish across the healthcare industry, especially compared to other massive industries, such as retail, where large amounts of consumer data are cached. Many healthcare providers implement transformational changes slowly, because they prioritize other needs – such as patient care – before examining the possibility of a data breach. Healthcare professionals must absolutely make patient care a leading priority, without a doubt. But providers must also concurrently recognize that protecting patient information is critical for advancing patient care.