Article • Fear defeats progress
To maximise IT benefits team insecurities must be overcome
The development of a healthcare IT infrastructure in European hospitals faces two major hurdles, Ben Giese reports: ‘contradictory return on investment (ROI) reports and the unquantifiable risk of security breaches’.
Known and quantifiable – Industry will pitch to clinicians and administrators the ever-increasing benefits of IT implementation within multifunctional institutions or individual private practices. Indeed, the accurate, easily accessible flow of all healthcare delivery data can provide benefits. For example, lead poisoning of the public water source in Flint stands out. Paediatrician Dr Mona Hanna-Attisha utilised the searchable electronic records database of Epic Systems to discover parameters indicating population poisoning – impossible to demonstrate otherwise. However, such solutions carry impressive price tags. The wide-ranging deal between the Mayo Clinic and Epic broke the billion-dollar threshold.
Even smaller medical systems face impressive bills from electronic medical record (EMR) vendors, plus poor results and internal strife. England’s Cambridge University Hospital engaged with two prominent vendors to overhaul its IT systems – cost £200 million. The implementation is not going well. The BBC reported that multiple high-level departures began within a year of the start of the 10-year deal.
The institution received poor quality control (QC) ratings, e.g. EMR operability is insufficient, partially due to the new system’s rollout. In New England, the South-Coast Health Group said that the cost of its new EMR implementation forced it to lay off nearly 100 staff members in March.
These, say industry providers, are isolated examples appearing as ‘front and centre’ exceptions to a generally successful but rarely headline-grabbing service. However, many of Europe’s segmented, smaller, conservative hospital systems use that negativity as evidence that full-scale digitisation is not worth the cost, especially if economies of scale cannot be realised at individual institutions. Both are somewhat correct. If an institution is tied to short-term ROI and success is measured in immediate procedural efficiencies alone, the investment will not be worthwhile. If success is measured more holistically and includes much harder to quantify parameters – overall population health, reduction of errors, and a database of medical records accessible by a range of users for research and predictive analytics – the investment is entirely justified.
The unknown and unknowable
Hospitals are increasingly influenced by and driven towards IT reliance – whether internally sanctioned or mandated by regulatory bodies. Hospitals have had plug-and-play operating systems for years, and the use of networked devices is growing exponentially. Hospital employees access multiple interfaces concurrently, creating massive authentication challenges and open portals to large swaths of data.
Highlighting this danger, an NHS report found that 72% of logins had no time limit, 87% of staff could log into multiple units and 44% had no unique login whatsoever. In patient data security alone there is an open invitation to nefarious intentions.
In reality, individuals and organisations view healthcare systems as a prime target for cyber-attacks, for they fulfil a checklist of characteristics that make them vulnerable and attractive. Security is not part of a mentality born of open scientific research. To be effective, communication systems and patient records need real-time access and manipulation by many staff members.
Legacy devices, from multiple vendors, employ myriad operating platforms and, paradoxically, the maker is responsible for their security. Yet, these systems control life and death and hospitals are targets considered worth the time of hackers.
Progress
Directors need to help produce a comprehensive risk assessment and mitigation plan – alongside hospital IT specialists and all higher administrator levels, enabling everyone to discover and admit on-going deficiencies, engage with outside consultants, and most importantly, become aware of and report on possible vulnerabilities in their existing responsibilities. This goes well beyond the medical staff – the costliest data breach in history, credit card data theft at US ‘Target Stores’, originated with a hack in a networked HVAC unit.
Initially survey hardware, software and data
IT departments should be able to identify data sources from networked devices and data entry, the types of data transferred and stored, and the channels and locations through which the information is transferred and stored. This is the foundation of protection. Any mitigation is based on an accurate catalogue of assets – both physical and digital.
Intermediate term – risk evaluation
Many European hospitals have no dedicated IT security employee, yet the evaluation must be informed by the specific risks to each system. Thus an outside expert should evaluate the initial IT infrastructure survey and provide an accurate risk assessment. This involves assessing both the consequences of a successful malicious attack and the likelihood of a breach. For example, at one extreme, if a networked ventilator is easily hacked, it is top priority. At the other extreme, what can wait is a staff member accessing the EMR of a past romance; although against protocol, this happens more often than any administrator wants to admit.
Action
An evaluation and recommendation report must be generated and shared with stakeholders, to ensure awareness of potential threats and agree to an action plan. This crucial step ensures clear understanding of a threat, actions taken, everyone’s responsibilities and any risk remaining. The proactive stance this process achieves allows institutions to maximise existing systems efficiency, now free of the paranoia of not knowing an actual risk level. As an added benefit, purchasing decisions are simplified with vendors by concisely communicating the security expectations in new device and software acquisition, implementation and use.
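The survey, risk evaluation and action steps above, worked through as an added example that is not from the article: a small Python risk register over a constructed asset inventory (names and scores are assumptions for illustration). It ranks each catalogued asset by likelihood times worst-case impact, and it also counts the impact of anything an asset can reach over the network, which is why a low-value HVAC controller with a path to the EMR scores as high as the EMR itself.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    likelihood: int          # 1 (rare) .. 5 (almost certain) chance of compromise
    safety_impact: int       # 1 .. 5, harm to patients if this asset is compromised
    data_impact: int         # 1 .. 5, harm to record confidentiality/integrity
    reaches: tuple = ()      # names of other assets reachable over the network from this one

def own_impact(a: Asset) -> int:
    return max(a.safety_impact, a.data_impact)

def effective_impact(name: str, by_name: dict, seen=None) -> int:
    """Worst impact of this asset or of anything it can pivot to (the HVAC lesson)."""
    seen = set() if seen is None else seen
    if name in seen:                       # guards against cycles in the reachability graph
        return 0
    seen.add(name)
    a = by_name[name]
    return max([own_impact(a)] + [effective_impact(n, by_name, seen) for n in a.reaches])

def risk_score(name: str, by_name: dict) -> int:
    return by_name[name].likelihood * effective_impact(name, by_name)

def prioritise(assets):
    """Return (name, score, tier) rows, most urgent first; tier thresholds are assumptions."""
    by_name = {a.name: a for a in assets}
    rows = []
    for a in assets:
        s = risk_score(a.name, by_name)
        tier = "top priority" if s >= 15 else "scheduled" if s >= 10 else "can wait"
        rows.append((a.name, s, tier))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed inventory, the kind of catalogue the initial survey should produce.
INVENTORY = [
    Asset("networked ventilator", likelihood=4, safety_impact=5, data_impact=2),
    Asset("EMR portal", likelihood=3, safety_impact=2, data_impact=4),
    Asset("HVAC controller", likelihood=3, safety_impact=1, data_impact=1, reaches=("EMR portal",)),
    Asset("staff browsing a record outside protocol", likelihood=4, safety_impact=1, data_impact=2),
]

if __name__ == "__main__":
    for name, score, tier in prioritise(INVENTORY):
        print(f"{score:2d}  {tier:13s} {name}")
```

The sorted rows are the skeleton of the recommendation report: each stakeholder sees the asset, its score and the tier that decides whether it is fixed now or scheduled.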
The on-going discussion of data management efficacy within institutions remains dynamic. An evaluation of existing and future systems, plus costs and benefits, cannot be accurately achieved unless the parallel issue of security is managed in a holistic and honest discourse, with agreed action plans. Over a longer period, failing to do so will add overall cost through a patchwork of reactive security measures. Innovation will also suffer as hospitals develop a bunker mentality towards a threat which, although real and permanent, is manageable.
09.08.2016