Issue link: https://beckershealthcare.uberflip.com/i/949902
Executive Briefing

Population health — an approach to healthcare that uses vast amounts of patient health data to inform care for specific groups of patients — has the potential to help providers improve patient outcomes and reduce utilization. However, collecting and storing the amount of patient data required to effectively manage populations puts hospitals at greater risk of security breaches.

Data breaches are a dark part of CIOs' reality today. These events carry several costs for an organization, with hospitals feeling dents to their finances, operations and reputations. Perhaps most troubling is this: Insecure data is a serious patient safety concern and puts exposed individuals in harm's way. Will patients trust your organization for life or death decisions if you cannot keep their medical record safe?

To mitigate the risk of a data breach and its effects on patient safety, hospital CIOs and chief information security officers must work with key leaders in the organization to establish a set of comprehensive data security practices.

Securing population health data is challenging

To paint a holistic picture of a patient group, population health applications often extract data from beyond an individual hospital's four walls. Valuable data include medical claims, prescription adherence, social determinants of health and patient-generated health data.

As hospitals connect to more IT systems and acquire more information, traditional security approaches, such as "perimeter" security that focuses on guarding against intrusions into a facility's network, are no longer sufficient.

"Where is the perimeter these days?" says Ryan Witt, managing director of healthcare industry practice at cybersecurity company Proofpoint. "Is it the hospital, the primary care physician's office, the pharmacy, the patient's home or the patient?
Population health is going to result in more datasets and data feeds to manage and secure, which adds stress to a hospital's already highly-targeted security ecosystem."

Health IT leaders face additional security challenges amid growing interest in creating data lakes — centralized systems holding large amounts of raw data. Convenient access to these data repositories encourages clinical teams to draw upon and analyze information as needed, yet a lake also increases opportunities for cybercriminals to access large amounts of sensitive patient data.

Hospitals often allow team members to access and add data to the lake over the internet, without overseeing the content of each individual dataset that is added. While this process accelerates a hospital's ability to create a comprehensive data lake, it increases its exposure to risk by leaving data unencrypted and without strict access control.

"A key component to extracting value from the data is being able to securely share the data with relevant stakeholders," says Steve Cotham, healthcare practice manager at Hewlett Packard Enterprise. "The formation of data lakes and need to securely share this data must be factored into hospital security policy."

As hospitals continue to aggregate more patient data, CIOs must be prepared to appropriately secure this valuable — and sensitive — information.

Dangers of inadequate data security

Healthcare breaches aren't a theoretical concern for hospitals aggregating databases of patient information — they are a punishing reality. There were 477 U.S. healthcare data breaches reported in 2017, up from 450 of these incidents reported in 2016, according to a recent Protenus report.

"A hospital's EHR 'bundles' a patient's personal, financial and medical data in a single location, making this industry, and the protected health information stored within, an attractive target for hackers," Mr. Cotham explains.
"Unlike a credit card that can be cancelled with a single phone call, a patient's medical record lives on."

Of all industries, breaches in healthcare are particularly detrimental because they compromise patient safety alongside an organization's operations. In May 2017, a worldwide ransomware attack called WannaCry infected more than 200,000 computers in 150-plus countries. The U.K. National Health Service was one of the ransomware's most prominent victims, bringing down operations for at least 16 facilities. The ransomware locked NHS workers out of IT systems, including patient files. The disruption led NHS to cancel routine operations and divert ambulances at some of its facilities.

"A data breach puts patients at risk, period," Mr. Witt says, noting hospitals that lose access to clinical systems are often forced to divert patient care. "Most hospitals place patient safety at the core of their mission, so how do hospitals meet their objectives when data breaches continue to plague the industry?"

Besides their operational and patient safety concerns, cyberattacks are also extremely costly. In fact, at $380 per capita, data breaches are most expensive in healthcare compared to other industries, according to a June 2017 Ponemon Institute report. By contrast, the overall mean of data breach cost per capita across industries was $141.

"Financial risk for the hospital varies depending on scope of data loss. However total cost can be very high," Mr. Cotham says. "Taking

CIOs: Don't Let a Data Breach Shake Confidence in Your Hospital