#HIMSS17 Perspective: The State of Health Data Security

By Matthew Fisher, Esq., Chair of Health Law Group, Mirick O’Connell, Worcester, MA

The healthcare industry, whether considering health IT, providers or others, continues to struggle with fully protecting and securing the sensitive medical information entrusted to it by patients. It is important to remember that this statement does not capture the full scope of the issue, either – individuals are now creating and storing their own health information in their daily lives, too. This explosion of data places significant strains on the healthcare system’s ability to manage, exchange, interact with, manipulate and utilize the data.

The multitude of challenges can make it difficult to focus on particular issues, but it is important to consider some of the arguably higher-priority items. Reviewing recurring headlines, complaints and government announcements can help narrow down the issues. From this perspective, the following three issues are likely to constitute some of the higher-priority privacy and security items for 2017:

1. Evolving ransomware threats

2. Creation of patient generated health data interfaces

3. Development of risk management processes and systems

Ransomware

Ransomware is not an emerging issue for healthcare, given the extensive number of attacks that occurred in 2016. No system seems to be immune from attack, and all must assume that a successful attack will occur sooner or later. It is well established that protective measures can include active monitoring of systems, frequent and usable system backups, and education. However, new nuances of ransomware are still emerging. One example is Spora, which can work offline, is fairly selective about which files it encrypts, and provides numerous payment options. Spora is akin to a commercialized version of ransomware that could be used by many users. Reports of ransomware as a service (RaaS) are also popping up, which further emphasizes the ease with which bad actors of any kind can acquire and carry out a ransomware attack. RaaS feels like a malicious extension of software as a service or any other outsourcing of development. Why do something original when a ready-to-go product can be had for a small fee? Reports are also increasing of a new ransomware variant that both encrypts and extracts data. If data is extracted, then healthcare information is exposed to a higher degree of risk. Lastly, the value of medical records on the black market is decreasing, making ransomware more attractive because the ransom focuses on forcing an organization to pay for access to its own records. The only certainty is that bad actors will have more tools than are available for protection and defense. As such, it is essential to be proactive in monitoring systems and to be prepared when the inevitable attack occurs.

Patient-Generated Health Data

Privacy and security will also be challenged by increasing demands and expectations for patient-generated health data (PGHD) to be directly integrated into the systems of providers. Calls for such integration are ever increasing and seem only natural to meet value-based care demands. Value-based care is fueled by data, which is why gathering and analyzing many data points is important. However, it is not as simple as saying that a patient’s wearable device can hook into a physician’s electronic medical record. Such an approach creates a variety of concerns, including flooding unstructured data into a provider’s system and creating exposure points to the system where attacks could occur. If PGHD is to become a reality, then the privacy and security challenges should be addressed prior to implementation. It is much better to prepare systems ahead of time and test out permutations than to respond on the fly. As such, 2017 will hopefully be the time when systems are created and put into place, which in turn will enable PGHD use to flourish and expand starting in 2018. Being prepared is essential if connections are to satisfy applicable regulatory requirements concerning security and meet patient/consumer expectations. No one wants their data exposed, which makes trust essential. Concern already exists with regard to the healthcare industry’s ability to protect PGHD and other information. Withholding information harms everyone, because appropriate care and treatment cannot be pursued. Now is the time to earn the trust and protect information.

Risk Management

In light of the privacy and security concerns identified above, HIPAA and other regulatory compliance concerns, and the need to instill a better culture, organizations need to get beyond a check-the-box approach to privacy and security. With healthcare in the crosshairs for so many bad actors, comprehensive privacy and security is essential. Risk management can be a path to more holistic implementation of privacy and security within an organization. Risk management goes beyond basic compliance and seeks to build a culture and broader awareness within an organization. The goal is to think about all areas where privacy and security can be a concern and to create processes that will evolve and adapt. Combining intelligence sharing with risk management can extend the benefits from one organization to another. Threats are not static, so why should defense be static?

Call to Action

Ensuring privacy and security within healthcare is incumbent upon everyone connected to the industry. Essentially, this means everybody. The rise of interconnected people, devices and information (somewhat exemplified by the desire for PGHD) means that nothing exists in isolation. If healthcare faces a threat, it can be expected that the financial, retail or any other industry is facing the same or a similar threat. From this perspective, collaboration should rule the day. Such collaboration will extend across providers, facilities, systems, the government and other industries. Right now, it is not clear whether that global awareness has fully sunk in. There are hints from the government that cross-industry collaboration is needed (suggested in conversations with people in government) and private calls that healthcare can learn from other industries. These efforts must be greatly expanded in order to capitalize on the collective knowledge that is clearly out there. To assist, just start a dialogue. The spreading and sharing of knowledge needs to start somewhere.

Thankfully, from one perspective at least, awareness of privacy and security risks is kept front and center every day. There are constant reminders that issues and concerns arise all of the time, and the topics are part of daily discourse on some level as well. This growing general awareness is necessary and will hopefully result in the changes and developments that are sorely needed.

Advancing the Conversation at HIMSS17

The issues and concerns identified above will be thoroughly discussed at various sessions during HIMSS17. Examples of those sessions include:


