Identifying Partners in Progress
Throughout the second day at HIMSS, I had the opportunity to partake in discussions with current and prospective partners, advisors, and analysts on arguably the most pressing topic facing healthcare IT today – security and privacy. Below, I review some of the more interesting takeaways arising out of these conversations.
Following Security with Trust
One recurring topic during these discussions was end-user perceptions of security and trust, and how intimately the two are related. Due largely to the very public rise of healthcare IT breaches over the past year, coupled with demand for greater protection of patient and member data, healthcare compliance continues to focus primarily on data security, as opposed to data privacy. This is perhaps one reason we are starting to see an increase in government intervention around the allowed use of individual data, including medical information. The best-known examples are the EU’s 2016 General Data Protection Regulation (GDPR) and California’s 2018 Consumer Privacy Act (CCPA).
While governments create legislation to better define and control the release of compromising information, a parallel trend is developing at the healthcare consumer level. In a typical day, a consumer will access his or her personal devices over 50 times and use an average of 20 different applications. For the most part, use of these devices and applications – and by extension the operating systems and codebases the devices and applications rely on – comes with the assumption that their creators have designed them with security and privacy “built-in.” When making purchases on an online retail site, or upon opening a customer service portal, users typically do not stop to second-guess whether they are completely protected. Many have experienced first-hand how breaches caught by vendor organizations are rapidly mitigated; often detection and mitigation are executed and communicated before the end user ever knows of the incident. Going forward, such “retail-like experiences” will be expected as a matter of course, regardless of the industry the information comes from. These expectations will evolve into major market pressures forcing vendors and developers alike to incorporate more stringent privacy protections as a component of their products and services … over and above regulatory standards.
Establishing Healthcare IT Standards
Another common theme that emerged was the need to establish an industry-led entity tasked with creating standard frameworks for healthcare IT data security and privacy. This would be comparable to organizations like the Clinical Data Interchange Standards Consortium (CDISC) – a non-profit formed in 1997 to create data formatting standards for clinical trial submissions – and the Pharmaceutical Users Software Exchange (PhUSE) – a consortium of data managers, biostatisticians, statistical programmers, and eClinical IT professionals.
One thing I learned from Grady Clouse, Director of Strategy and Business Development at Harvard Medical School, is that major healthcare institutions are unwilling to wait. In the Boston area, for example, 17 major healthcare institutions are coming together to identify common security and privacy needs required to execute on fully interoperable data exchanges.
A Medical Information Moonshot
Healthcare practitioners and payers alike are looking to create digital initiatives that provide longer-term patient engagement and retention. Innovation, through rationed technology adoption, is the primary means to do this. However, the ability to execute in minimal time and with minimal risk and cost depends largely upon the security (and privacy) context within which this is done. Security, it turns out, becomes not just the fabric upon which these applications and services are built, but a true “lingua franca” between independent healthcare departments, services, and operations.
If one steps back and reflects upon recent efforts by Unisys’ Chairman and CEO Peter Altabef and Chief Trust Officer Tom Patterson to create a “cybersecurity moonshot” for the United States, it is easy to conceive of a similar “sub-moonshot” in the area of healthcare. Perhaps this could be the first element of a cross-industry “hub and spoke” model, within which security (and privacy) standards are not just developed for the needs of patients, but ultimately facilitate and accelerate the healthcare industry’s digital journey.
Unisys’ commercial structure – built to encourage cross-industry development and facilitation – presents a true advantage when it comes to the healthcare industry. Our participation and leadership in public and federal digital evolution, our strong advocacy and support of organizations like CHIME and HIMSS, our highly respected corporate partners such as Dell, Microsoft, and AWS, and our intimacy with the emerging shift of market power from vendor to patient and provider set the stage for our company to play a starring role in the evolution of civilization’s most intimately important industry.
“You can have security without privacy, but you cannot have privacy without security.”
– Patrick Joyce, CISO, Medtronic