It takes more than hope to protect PHI

By | July 24, 2021

Safeguarding patient health information can be extremely difficult, as it necessitates taking inventory of data, finding any vulnerabilities and assessing risk across the board.   

Often, experts say, the complexity of mitigating risk is beyond human scale. In an upcoming HIMSS21 panel, Aaron Miri, chief information officer for Dell Medical School and UT Health Austin, and Tausight Founder and CEO David Ting will discuss the importance of operationalizing and automating guidelines around PHI vulnerabilities – and describe real-time methods for protecting that data.  

“Healthcare is a large-scale transactional industry with massive amounts of highly sensitive data and strict regulatory requirements,” explained Miri and Ting in a joint interview with Healthcare IT News.   

“CISOs and CIOs need to secure clinical workflows when clinicians access and use PHI,” they continued. But the volume of PHI data that needs to be protected can be staggering.

“In manufacturing, creating a widget requires you to standardize and streamline,” they explained. “That same concept applies to securing PHI in healthcare.”  

Miri and Ting point out that healthcare organizations’ IT vulnerabilities have increased as the industry becomes more decentralized.   

A few common vulnerabilities include:   

  • An expanded attack surface from the proliferation of new digital and mobile technologies – not to mention a remote workforce, more telehealth and more virtual care.
  • Hardware with long depreciation schedules or elongated replacement time frames that is running antiquated vulnerable operating systems,
  • Embedded vulnerabilities in critical lifesaving care, such as pacemakers and bedside pumps.
  • Human error.

By using holistic frameworks, the panelists say cybersecurity officials can address today’s dynamic healthcare landscape. Traditional tools that focus on the perimeter only, they say, are “like trying to keep mice out of your house by locking all of the windows and doors, which will never be effective.”  

“If you have mice coming into your house, you need to figure out what it is they’re going after, which is the pantry – then focus on how you keep the mice from getting interested in attacking the food pantry,” they said.

Healthcare has a similar model, they say: start with the PHI, and focus on securing the workflow.   

“Securing the clinical workflow really comes down to figuring out: where your healthcare system’s data is, where that ecosystem is, and what the clinicians do in their workflow – then figuring out how to facilitate and secure it,” they explained.  

Ting said he hopes attendees will leave their session having learned just how increasingly decentralized healthcare delivery is.

“IT managers have to consider how this new workflow affects their strategies for protecting their system,” he said.

Miri, meanwhile, said he wants healthcare leaders to “embrace automation, telemetry visibility – and stop the practice of ‘hoping’ that they will not be impacted by inevitable risk.”  

Miri and Ting will explain more during their HIMSS21 session, “PHI Timebombs: A CIO’s Approach to Reducing PHI Risk.” It’s scheduled for Thursday, August 12, 11:30 a.m.-12 p.m., in Caesars Forum 123. 

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.

News from healthcareitnews.com