I just returned from the College of Healthcare Information Management Executives (CHIME) Lead Forum held in Atlanta, Georgia. This cyber security summit engaged leading healthcare chief investment officers in discussions related to cyber security. The forum was followed by a two-day conference sponsored by the Institute for Health Technology Transformation (IHT2).
During the CHIME cyber security forum, I was able to discuss challenges common to the entire healthcare industry as well as evolving approaches to identifying cyber espionage and healthcare data mining attack fingerprints and security approaches. In summary, the traditional approach of perimeter protection was uniformly discussed as being ineffective for the more sophisticated cyber threats. Over one half of network encroachments have their etiology in internal human-related security breaches. These could involve phishing emails where a staff member is enticed to click on an infected email or content, providing an initial pathway into a network. In other cases, spear phishing targets specific executives and may utilize spoofed emails to trick internal users into giving up credentials or inadvertently providing access to a secure network.
One of the most interesting approaches was utilizing LinkedIn listings of company personnel. A hacker might then approach a junior-level staff member of the company using a spoofed email that appears to come from a superior in the same organization, with attached content containing an executable application. When the unsuspecting junior staff member clicks on the picture or Excel file containing executable code, the hacker has an entrance into the enterprise. The typical course of events in a staged cyber attack was reviewed and was similar to the information presented by Federal Bureau of Investigation agents during a recent cyber security forum held in Dallas in November. One presenter commented that there are two categories of healthcare entities: 1. those that have discovered an ePHI breach and compromise of the enterprise; and 2. all the rest that have not yet discovered that they have already been breached.
Our organizations are actively engaged in HITRUST certification, and I have been attending security conferences and am pursuing Chief Information Security Officer training to enhance my understanding. It is sobering to hear how healthcare infrastructure is so vulnerable that we are considered very soft targets by cyber criminals.
During the next two days, I sat with healthcare innovators discussing the future for US healthcare. This was an amazing group of payors, providers and vendors. Among the hottest topics were population health and how analytic tools could be used to mine important data from large population data sets. Most seemed to agree that one challenge was that EHR data acquisition models frequently did not prompt for the questions that would gather the data requisite for answering important questions. We discussed how SMART applications leveraging the new HL7 FHIR (Fast Healthcare Interoperability Resources) could be used to ask additional context-specific questions that are not supported by the one-size-fits-all approach of most EHR/EMR data entry modules. There was excitement among attendees for the future of healthcare and promises of more innovative interoperability methods. Most felt that more business alignment was required between EHR vendors and the business interests of medical providers.
Tomorrow I am headed to Orlando for the Institute for Healthcare Improvement Conference (IHI). I hope to learn more from healthcare innovators and I will update the Meaningful Collaboration BLOG from Orlando.