Ed Moyle

Those that watched the recent US Presidential Debate know that cybersecurity has now increased in importance in our national discourse: it was addressed directly by both candidates, it comprised a large portion of the discussion, and it has significant geopolitical ramifications.

We don’t often stop to consider it, but the topic is no less significant when it comes to healthcare. Specifically, appropriate and diligent stewardship of patient health information is not only required under the law, but it also speaks directly to patient experience in a clinical setting. This is true with respect to privacy of patient health records (an important consideration), but can also have patient health and safety considerations when viewed through the lens of clinical biomedical devices and supporting systems.

As examples of this latter point, consider the security of implantable biomedical devices – e.g., pacemakers, defibrillators, insulin pumps, and the like. Successful wireless attacks against these devices have been demonstrated, and some may remember that Vice President Cheney famously had the wireless capability of his pacemaker disabled to thwart potential security exposure. Even excepting implantable biomed, many don’t often realize that clinical systems themselves – diagnostic imaging equipment, pharmaceutical and lab systems, patient monitors, etc. – are networked. Just like a patient’s home PC or laptop has an “attack surface” of potential exposure, so too do clinical systems.

Patient Participation

Those who subscribe to the concept of participatory medicine know that working collaboratively with their care providers is a key component of ensuring the best outcomes. Specifically, this means becoming and staying informed, jointly building out their care plan in tandem with their providers, and ensuring accurate two-way communication.

Of course, this was not always the case. Some may recall the days before clinicians were accustomed to seeing (or, in fact, encouraged to welcome) patient involvement. This is very much the situation currently when it comes to the privacy and security aspects of the patient experience. Any health care provider – from the largest multi-facility health system to the smallest clinic – is required to have plans and “countermeasures” (i.e. security safeguards) in place to protect patient information and to ensure the safety of the environment of care. However, how much do patients typically know about it? Other than the mandatory privacy disclosure forms they’re accustomed to signing, are they encouraged to ask about specifics? What would the reaction be if they were to do so?

Much like other aspects of patient care and experience, security and privacy considerations can often be bolstered by patient involvement and active participation. Not only that, but steps taken by clinicians to protect patient information can be evaluated by patients in much the same way that patients evaluate other aspects of care in determining a care provider. Obviously, I’m not saying here that these other considerations should trump clinical outcomes. For example, in a situation where quality of care is high (while security and privacy might be lower), it is probably still advantageous to favor the care outcomes. However, why does it have to be a choice?

The Participatory Provider

From a provider point of view, it’s important to realize that viewing their security measures in this way can likewise have a benefit. Patients do have their choice of providers; leveraging the investments that providers have made in patient security and privacy to differentiate themselves from other providers can mean getting more and better mileage out of dollars already spent. Not only that, but being communicative about these aspects of their operation can provide a higher level of comfort to the patient. For example, something like a “security pledge” that outlines actions the provider takes relative to patient information can go a long way to easing fears and demonstrating that the provider takes these aspects of the patient experience seriously.

For those providers who may struggle in the security and privacy arena, a participatory approach can help them gain traction and initiate forward progress. Specifically, by committing to give patients more detailed information on how security is approached, they can help get buy-in, help loosen budget-related purse strings, advance regulatory considerations, and achieve numerous other benefits (including the competitive considerations I alluded to earlier).

It’s a fact that not every provider is ready right now to approach cybersecurity from a participatory point of view. Much as the practice of medicine itself required a shift in perception to get there, so too does this. However, by discussing these issues candidly and directly between providers and patients, the opportunities for benefits are there.

“Ed Moyle is currently Director of Thought Leadership and Research for ISACA (Information Systems Audit and Control Association). Prior to joining ISACA, Ed was Senior Security Strategist with Savvis and a founding partner of the analyst firm Security Curve. In his 15+ years in information security, Ed has held numerous positions including: Senior Manager with CTG’s global security practice, Vice President and Information Security Officer for Merrill Lynch Investment Managers, and Senior Security Analyst with Trintech. Ed is co-author of “Cryptographic Libraries for Developers” and a frequent contributor to the Information Security industry as author, public speaker, and analyst.”