Nashville Health Care Council Panel Calls for Leadership, Accountability in Addressing Cyber Threats

Via Businesswire »

NASHVILLE, Tenn.–(BUSINESS WIRE)–With cyber security breaches becoming an ever-growing issue for health care companies, the Nashville Health Care Council welcomed a panel of experts to discuss strategies for preventing such attacks. Though data invasions can be disastrous for health care organizations, the industry has so far struggled to put processes into place that will effectively reduce the negative consequences of cyber crime.

The discussion was moderated by Kerry McDermott, vice president, public policy and communications, Center for Medical Interoperability; and featured panelists Samar Ali, attorney, Bass, Berry & Sims and former White House Fellow; Paul Connelly, vice president and chief information security officer, HCA, and former chief information officer, the White House; Noah Kroloff, principal and co-founder, GSIS, and former chief of staff, U.S. Department of Homeland Security; and Mark Sullivan, principal and co-founder, GSIS, and former director, U.S. Secret Service.

The conversation explored the current and emerging threat landscape, identifying the “bad actors,” which include international terrorists and nations infiltrating American entities, hackers who feel they are exposing data to protect public interests, and criminals who are looking for financial gain. The panelists agreed that the government has a role in data security to some extent, but that, in large part, effective security rests with the private sector.

“It’s not lost on the government that this is a huge challenge, one of the biggest threats we have. The government does realize they need to support you and be in a partnership with you, but that’s not going to be the silver bullet,” Sullivan said. “We all have to individually protect ourselves. It’s a technology challenge, but it’s also a people challenge and a leadership challenge.”

“Cyber is both a security issue and a philosophical issue. It’s both about how we are protecting our institutions, and how we are doing business. This is not going to be static; this is going to change every single day, every single week, every single month, every single year. We as a nation are going to need to evolve at the same speed as the evolution of the threat,” Kroloff said.

Speaking to the room full of top health care executives, the experts stressed the need for organizations to have a detailed action plan around security breaches, and the importance of addressing threats from a comprehensive team perspective, not just from the IT department. They emphasized that dramatic changes will need to occur within organizations to effectively protect themselves.

“No matter what your job is, cyber security is your job too. As leaders, you set the tone. If your staff thinks this is important to you, it will become important to them,” Connelly said. “If we can make our employees savvy on how they use technology, not only will they protect themselves but they’ll carry it forward with them in their job as well.”

When it comes to cyber security, much is at stake for the health care industry and the country as a whole.

“Cyber terror is what keeps me up at night. A primary goal of terrorism is to cause chaos, but I think it’s also to create fear of the unknown. People who are trying to cause terror know that America’s optimism and unity are what set us apart as a country,” Ali said. “The answer for cyber security is actually in this room, and among all those living in America. It’s a cultural shift and we have to take the responsibility of how we are sharing our information.”

“The Council presents content that will help our members understand the most pressing issues that our industry faces, so that they can make informed business decisions,” said Hayley Hovious, president of the Nashville Health Care Council. “We are pleased to offer this discussion today, and hope that each of our members walked away with a better understanding of the challenges and solutions that our business faces in cyber security.”

Today’s program was presented by BlueCross BlueShield of Tennessee. Supporting sponsors were Bass, Berry & Sims, Cressey & Company, KPMG, and LifePoint Health.

About the Nashville Health Care Council

The Nashville Health Care Council is a premier association of health care industry leaders working together to further establish Nashville’s position as the nation’s health care industry capital. Supported by nearly 300 corporate members, including local and national health care companies, the Council serves as a trusted source for information on trends that influence the health care industry. The organization provides members with one-of-a-kind networking opportunities and access to Nashville’s elite health care business community.

Worldwide, Nashville’s health care industry generates more than 500,000 jobs and $78 billion in annual revenue. The industry is Nashville’s largest and fastest-growing employer. For more information on the Council, please visit

Keys to Interoperability May be in Consumers’ Hands

Via HealthLeaders Media »

Making patients the stewards of their own health data could result in better access, despite a business environment where health systems do not make sharing a patient’s data with each other a top priority.

The barest outlines of the Trump Administration’s healthcare policy were not yet clear on the morning after Donald Trump’s upset presidential victory, but the CIO of a New York City health system was already looking forward to resolving issues unresolved by the election.

“If we were all on a common shared data platform and could easily access one another’s patient data, I think we would do a much better job of keeping people healthy,” said Daniel Barchi, senior vice president and chief information officer of New York Presbyterian Hospital in New York.

Speaking at the inaugural Techonomy Health conference last week in Half Moon Bay, CA, Barchi expressed hopes that the industry can agree to make patients the stewards of their own data moving forward.

In this way, he believes, patients can be at the center of sharing data in a business environment where health systems still do not make sharing a patient’s data with each other a top priority.

“The standard [in the 2009 American Recovery and Reinvestment Act] was so low,” he said.

“I can send a couple of packets of data. You can send me a couple of packets of data and check the box. That’s it. It’s not really interoperable in any way. And the EMR vendor was really not incented in any way. They were just helping everybody get live on all these new systems.”

No Incentive to Share Data

As a result, healthcare CIOs find themselves having built “really great complex systems within our own health systems, but aren’t incented to share data in any way, and so we’re doing it through a lot of back-door work,” Barchi said.

He equated continuity of care (CCD) documents to “electronic faxes, a couple-of-page PDF version of somebody’s care. Sure you can shoot it back and forth electronically, but you’re not going to interact with it.”

Barchi said he looks forward to accelerating innovation on the care coordination front.

“There’s an expectation in the technology industry that we have absolute huge airplane hangars full of people at desks making phone calls and checking up on people at home,” he said.

“Even in a $7 billion health system, I might be able to introduce you to our 17 care coordinators individually by name, so we’re not at the level where large health systems have these workforces that are incented to keep people healthy.”

Rooting Out Inefficiencies

Speaking at the same event, another speaker said technology is showing promise to squeeze inefficiencies out of back-office work.

“The provider is the main deliverer of healthcare,” said Jim Dougherty, who serves as CEO and co-founder at Madaket Health, a cloud-based service startup, which automates provider enrollment in payer plans.

“We’ve said we’re going to focus on making their lives better,” said Dougherty, a former member of the board of directors of Beth Israel Deaconess Medical Center in Boston.

Such enrollment still relies too often on laborious fax-based workflows. Via Madaket, a process that used to take a provider and payer 45 days “now takes two days, which benefits everybody,” he said.

Such cloud-based technology platforms can also be extended to accelerate other workflows.

“We at New York Presbyterian have this issue,” Barchi said, commenting on Madaket’s technology. “Mass General has this issue. Mayo has this issue. We all have this credentialing and payer issue with vendors. This is the kind of solution that will get in and solve a problem that occupies anywhere from 10 to 30 full-time employees on this kind of issue.”

One concern is whether to implement such point solutions in a piecemeal fashion, or to look “to change the way that we’re running the healthcare system.”

Barchi said part of the answer will come from the next generation of electronic medical records.

“There are always upgrades that are happening to get better and better at sharing data,” Barchi said.

Evolving technologies pose challenge for medical device security

Via Vanderbilt University News »

It is the ultimate invasion of privacy: An unscrupulous hacker gains access to a network of interconnected medical devices and then, with a few quick keystrokes, remotely delivers a fatal electric shock to some unsuspecting victim’s pacemaker. This may sound like the plot of a spy novel, but such a scenario, at least from a technological standpoint, is not out of the realm of possibility.

As today’s health care industry relies increasingly on devices and systems that collect and share data between one another, cybersecurity breaches have become a troubling new reality. In fact, just last month, two device manufacturers—St. Jude Medical and Johnson & Johnson—issued separate warnings that their respective cardiac implants and insulin pumps were vulnerable to hackers.

While other industries, like the financial sector, have made cybersecurity a priority for 20 years or more, health care has been relatively late to the game and is now behind the curve in addressing such threats, according to M. Eric Johnson, dean of Vanderbilt Owen Graduate School of Management and Bruce D. Henderson Professor of Management.

“Health care is behind for several reasons,” he said. “It’s a very fragmented industry—you have countless clinical operations, and many of them are quite small and don’t invest in information security. And then at the other end of the spectrum, there are these hospitals that are, in effect, high-tech islands. They have these amazing surgical robots and other technology, but only in the last five years has there been a push to build a more integrated IT backbone with security.”

Johnson, who studies information technology’s impact on the extended enterprise, has co-written a new article examining the chronology of medical device security. Published in the October 2016 issue of Communications of the ACM, “A Brief Chronology of Medical Device Security” is the result of an interdisciplinary project, known as Trustworthy Health and Wellness (THaW), which is funded by the National Science Foundation. A.J. Burns, assistant professor of computer science at the University of Texas–Tyler, and Peter Honeyman, research professor of computer science and engineering at the University of Michigan–Ann Arbor, collaborated on the article.

In the article Johnson and his co-authors identify four major inflection points that span the evolution of medical devices and their security: (1) “Complex Systems and Accidental Failures” (1980s–present), (2) “Implantable Medical Devices” (2000–present), (3) “Unauthorized Parties and Medical Devices” (2006–present), and (4) “Cybersecurity of Medical Devices” (2012–present). The authors also lay out a timeline of important legislation aimed at regulating and/or enhancing security and privacy in the health sector. In the end, they arrive at several conclusions:

  • The future of medical device security will be defined by the steps that the health sector takes today.
  • Security trade-offs characterize the design and deployment of medical devices.
  • Discussions of cybersecurity and medical devices often are distorted by misinformation and frightening language.

With regard to the latter, the authors wrote, “We must resist the temptation to sensationalize the issues related to cybersecurity in the health sector, and instead apply sober, rational, systematic approaches to understanding and mitigating security risks.”

What then should be the appropriate course of action for health care professionals and their patients? Is there one risk they should be concerned about above all others? Johnson and his co-authors offer a clear answer in that regard.

“It is safe to say that patients’ reluctance to accept medically indicated devices due to concerns about security poses a greater threat to their health than any threat stemming from medical device security,” they wrote.

In other words, the biggest danger to patients’ health is not the security threats themselves but rather the irrational decisions that might result from these perceived threats. While users of medical devices may be vulnerable to hackers in theory, there is not enough of a risk, according to the authors, to discourage use of the devices altogether. A hijacked pacemaker makes for an interesting plot twist in a novel, but it is not very likely to happen in real life.

“Unless you’re the president of some country,” Johnson said, “or someone with a lot of enemies, I wouldn’t worry about being personally targeted.”