Enterprise Services Blog

Living in a Time of Data-Insecurity

  • March 21, 2017

By George Mathew, M.D.

When we think of data security, we normally think of digital privacy measures that prevent unauthorized access to our computers or databases, or corruption of that data.

While most of the focus of digital health innovation is on interoperability, or the ability to pull data from multiple sources (electronic health records, Internet of Things, unstructured data, etc.), data security ends up being tacked on to a solution after the fact. Interoperability inherently creates more opportunity for potential security breaches.

In fact, health data insecurity is evolving at an unprecedented rate: at the recent HIMSS 2017 Conference, it was mentioned that artificial intelligence is creeping into attacks on hospitals and healthcare systems. The business model for health data insecurity is developing as well; whereas hospitals and doctors’ offices had been the sole victims of ransomware attacks, hackers are now copying the same medical records used in the ransom for resale on the black market for identity fraud.

Given the increasing financial and reputational penalties involved with the loss of control of health data, it has become more of a priority for health systems to invest in IT and data security. A recent presentation by Technology Business Research (TBR) estimates the Health Information Technology Security market will approach $10 billion by 2020.¹

Ideally, when a health IT system is designed, data security should be designed into it to prevent unauthorized access. Yet because of the fragmented approach many health systems have had in the past – in procuring IT solutions as well as working with other health systems – many are paradoxically both poorly connected and insecure.

And though many point and interoperability solutions are now coming to the market to address this paradox, few if any are applicable to a given case.

So what are healthcare organization executives to do?

First, executives must understand what the vulnerabilities are in their digital platforms. Using cybersecurity maturity frameworks, they can assess baseline security levels and identify current and potential gaps. The maturity frameworks can be repeated as new data, sensors, devices and paths are added on to existing systems.

When evaluating security strategy, healthcare organizations should ask some basic questions:

  • Where are you landing on the maturity framework?
  • Do you understand where you need to be?
  • What are your business objectives? What is your priority?
    • Modularity?
    • Value-based program design?
    • Cost savings?

Organizations should also assess the effectiveness of current security systems, management and business operations, as well as new partnerships with outside customers (which may endanger or improve your cybersecurity posture).

  • If a breach occurred, how would your organization handle it?
  • Are you willing to move (and make the investment) from a reactive model to a proactive security model?

The healthcare sector has traditionally underestimated the need for data security. Our systems were designed to provide information to physicians, hospitals, and payers – they were not designed for security. Now healthcare is moving into a networked world, where every connection opens both an opportunity for innovation … and a potential window for data insecurity.

In this new world, healthcare organizations must do assessments, identify gaps, and be ready to respond. They cannot wait until after a breach happens. Now is the time to create a detailed and comprehensive data security strategy.

About the Author


George Mathew, M.D., Chief Medicaid Officer, Americas Health & Life Sciences. Dr. Mathew serves as the HPE clinical expert and healthcare thought leader to our clients in the transforming healthcare marketplace.
Dr. Mathew graduated from Boston University School of Medicine and completed his residency in Internal Medicine at Greenwich Hospital/Yale University in Connecticut. He also holds a Master of Business Administration from Duke University’s Fuqua School of Business. He is Board Certified in Internal Medicine, Clinical Informatics and Medical Quality. Dr. Mathew also currently serves as a member of CMS’ Office of the National Coordinator – Health Information Technology Joint Consumer Task Force.
He is based in New York City and continues to practice medicine as a hospitalist at Westchester Medical Center in Valhalla, NY.


1 ‘Healthcare IT and Security: What We’ve Learned So Far’, J Caucis, Sep. 21, 2016