We are proud to announce the release of the Health IT Cybersecurity white paper (below), produced in collaboration with the Governor’s Office of Business and Economic Development (GO-Biz)!
Cybersecurity in Healthcare: How California Business can Lead
Goal of Health IT Advisory Board White Paper
To evolve the concepts and practices that foster a business-friendly environment in California so that best-in-breed cybersecurity practices and solutions are available and adopted by digital health companies for their products and services.
A primary objective of the Governor’s Office of Business and Economic Development (GO-Biz) is to support the growth and innovation of major industries in California, including healthcare. As the healthcare industry seeks to innovate through the use of connected information technologies (IT), which has the potential to improve global health access and outcomes, cybersecurity education and implementation of practices are central to providing leading products that are safe and can be trusted. To that end, GO-Biz has partnered with the University of Southern California Center for Body Computing to establish a Health IT Advisory Board comprised of public and private experts to encourage greater understanding and utilization of cybersecurity tools and products. In this white paper, the Health IT Advisory Board outlines key issues and suggested public and private initiatives to encourage and foster leading healthcare cybersecurity practices within the state.
This white paper was created by the Health IT Advisory Board, a multidisciplinary group of experts appointed by the California Governor’s Office of Business and Economic Development (GO-Biz). We represent California-based technology, cybersecurity and healthcare IT educators and providers, legal experts, public and private companies, and California state technology policy makers.
Health IT and Digital Healthcare
The importance of cybersecurity issues in Health IT has been highlighted by the increased attacks on health IT systems in recent years, so much so that in 2018 the major national conferences of computer scientists and hackers (DEF CON, Black Hat) dedicated specialized talks and panels to the issue. Additionally, legislation (the California Consumer Privacy Act of 2018 (AB 375)) has recently passed in California, aiming to address some of the emerging Health IT issues. As this white paper will outline, there are many possible places for the state to guide development, but we recommend that it focus on the responsible refinement of the major regulatory framework. The Health IT Advisory Board can provide thought leadership on the pathway forward.
Health information technology is information technology applied to health and health care. It supports information management across computerized systems and the secure exchange of health information between consumers, providers, payers, and quality monitors. Technology has greatly improved healthcare and healthcare outcomes, such as improving medication adherence in heart failure (Talmor 2018), improving glycemic control and reducing complications for patients with diabetes (Prahalad 2018), and increasing access to healthcare (Saxon 2016, Kvedar 2014). Continued innovation in healthcare requires commercial investment in health information technology and a deeper understanding of how to create a robust system of security around the mass of data that these solutions are expected to generate. Security will include not only technical components but also workforce training and policies for upgrading software and handling data breaches (Kruse 2017, Murphy 2015).
Digital healthcare is supported by health IT and is a new model of healthcare delivery and management. This model of healthcare has the promise of more fully engaging the patient and collecting and providing continuous and more personalized healthcare information, education, disease prevention, security, and care (Shinbane & Saxon 2017). Digital healthcare is also unique in that it can provide healthcare without having the patient and care provider in the same place at the same time. This allows for unprecedented access to healthcare and requires the creation of new models of care, regulation, privacy and reimbursement. Digital healthcare has the potential to extend the reach of healthcare companies, systems and their experts through information technology, and can reduce the costs associated with brick-and-mortar healthcare. Another benefit that digital healthcare and healthcare IT solutions provide is the ability to re-invent healthcare as a service. In the same way that Uber changed transportation by providing on-demand access focused on the needs of the transportation consumer, healthcare software and services can transform individual patient access to and use of information.
Creating a favorable environment in California for healthcare IT and digital healthcare innovation to occur requires incentives for individuals and organizations to take the risks to create, test and validate their solutions. Creating a hub of innovation in healthcare IT in California has the potential to establish California as the hub for solving the most complex challenges in healthcare. This activity can drive improvements in the health and economy of California and opens the door to providing worldwide access to these solutions.
From a cybersecurity standpoint, protecting health IT and digital healthcare information and systems is complex. Existing laws provide data privacy and security provisions for safeguarding medical information, such as the Health Insurance Portability and Accountability Act (HIPAA). However, HIPAA applies to information collected with digital health tools in some but not all situations. There are a myriad of other cybersecurity considerations that do not fall under HIPAA regulations but are critically important to ensuring the availability of health IT technology and its ongoing safe and effective use (Cooley 2018 pt.1, Cooley 2018 pt.2). Cyber protections need to extend beyond confidentiality and include safeguards for data integrity and availability. This will protect against potential exploits such as manipulating and falsifying medical data, as well as against attacks that deny access to medical data systems, such as distributed denial-of-service (DDoS) attacks and the WannaCry and Petya outbreaks.
Currently, cybersecurity legislation for digital healthcare is not yet well established. However, there are a number of pending state and federal bills.
Our board recognizes that cybersecurity awareness and practices have to be implemented on an individual and institutional basis. Like environmentalism, these practices are continuous and require education, research, multidisciplinary engagement, policy and robust public-private partnerships. In order to create and foster an environment for companies in California to produce leading edge digital health solutions with robust cybersecurity protections, we identify and recommend activity in the following areas:
● Workforce development: Developing and maintaining secure medical technology and IT systems will require a workforce that is properly trained in the areas of security, as well as in the unique intersection of technology and healthcare. According to the cybersecurity job site CyberSeek (cyberseek.org), as of August 2018 there are approximately 35,000 open cybersecurity jobs in California alone. Manufacturers will require these resources to ensure that products are developed in a secure manner, and healthcare providers will require these resources to support the secure implementation and ongoing operation of healthcare technology in the clinical environment. California is uniquely positioned to address this challenge as it is home to some of the world’s premier medical technology, healthcare delivery and academic institutions. We recommend that these organizations come together to build programs and curricula to educate the next-generation workforce at the K-12, community college, and university levels, as well as current healthcare workers through continuing education opportunities. A recent example of work in this area is the California Cyber Innovation Challenge hosted by California Polytechnic State University.
● Patient/Care Provider Education: The increasing utilization of technology in the healthcare delivery chain by both healthcare professionals and patients requires these users to have a deeper understanding of the impact that the security of that technology has on its safety and effectiveness. Just as the personal hygiene of both healthcare providers and patients (e.g. hand-washing, wound care) is critical to the safe and effective treatment of disease, digital hygiene is becoming increasingly critical to the safe and effective delivery of healthcare. A medical device connected to a patient’s smartphone gives both healthcare providers and patients new opportunities to better manage disease and health anywhere and anytime, but it also requires that patients maintain the health of their smartphone to ensure its effective operation within the medical device ecosystem. We recommend the formation of a consortium of health IT companies, providers and government agencies to address the cyber literacy of patients, and the creation of a public/private initiative to drive a cultural awareness campaign that highlights best cybersecurity practices and the understanding that cybersecurity is a shared responsibility.
Ethical Use of Data
● Ethical Use of Data: There is increasing attention to the ethical collection and use of personal data collected by online service providers. Digital health data provides a significant opportunity to improve patient outcomes through improved disease management, patient engagement and clinical performance improvements in medical devices and products. In order to achieve these objectives through the use of patient health data, there must be trust between service providers and patients that health data will only be used for its intended purpose and not beyond what the patient has authorized. This is a complex issue that has national and even global attention, especially with the EU’s General Data Protection Regulation (https://www.eugdpr.org/) going into effect earlier this year (May 2018). The NIH has also outlined its intent to provide guidance on the topic (https://www.nih.gov/about-nih/who-we-are/nih-director/testimony-21st-century-cures-implementation-updates-fda-nih). It is beyond the scope of this committee to address this issue to the level it requires given the time available. We recommend that the medical technology, patient and healthcare provider communities collaborate to develop standards for the ethical use of medical information and mechanisms to provide transparency to patients. An example of this is the privacy best practices recently published by the consumer genetic services companies, which cover issues such as informed consent, privacy, and accuracy (https://fpf.org/2018/07/31/privacy-best-practices-for-consumer-genetic-testing-services/).
Public-Private Partnerships
● Information Sharing & Collaboration: Cyber threats can emerge and spread rapidly, impacting critical healthcare services. Open and trusted sharing of cyber threat information has been an effective mechanism for combating cyber threats in many industries. The Financial Services Information Sharing and Analysis Center, or FS-ISAC, has been the model for effective information sharing to minimize the impact of cyberthreats (https://www.fsisac.com/). The National Healthcare Information Sharing and Analysis Center (https://nhisac.org/) is similarly focused on the sharing of cyberthreat intelligence among a trusted community of critical infrastructure owners and operators in the Health Care and Public Health sector, and the International Pharmaceutical & Medical Device Consortium (https://www.ipmpc.org/about) facilitates sharing best practices around data privacy. California has also formed an organization, the California Cybersecurity Integration Center (Cal-CSIC) (https://calcsic.org/), focused on identifying and responding to cyberthreats. Another good example of a public-private partnership with a life science focus is the Critical Path Institute (C-Path; https://c-path.org/). We recommend that California develop incentives for healthcare organizations to participate in these information sharing organizations at both the federal and state levels. Additionally, we recommend that appropriate stakeholders from within the healthcare ecosystem be engaged at the state level. The FDA has led the way in incentivizing open information sharing in its Postmarket Management of Cybersecurity in Medical Devices guidance (https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm482022.pdf).
● Cybersecurity Incentives: According to the U.S. Department of Commerce, the medical device industry is responsible for almost 2 million jobs in the United States. However, 80% of medical device companies have fewer than 50 employees, and many are start-ups with little to no revenue (https://www.selectusa.gov/medical-technology-industry-united-states). Developing innovative medical technology that addresses complex clinical problems while also ensuring appropriate cybersecurity protections can be challenging for many medical technology companies, given their limited resources and the scarce availability of cybersecurity experts discussed above. We recommend that resources be made available to smaller medical device companies through the information sharing and collaboration organizations previously discussed. This could take the form of the development of minimum cybersecurity standards, cybersecurity resource centers, and in-person and virtual forums to facilitate collaboration. Additionally, we recommend that public policy and purchasing organizations incentivize the development of secure products in a manner similar to the incentives for innovation and time to market.
● Public-Private Advisory Groups: For expert recommendations on information sharing and cybersecurity incentives, public-private partnerships should be forged, such as the Cybersecurity Task Force (http://www.caloes.ca.gov/Cal-OES-Divisions/Cybersecurity-Task-Force) from the California Governor’s Office of Emergency Services and the California Department of Technology, and the Precision Medicine Advisory Committee from the California Initiative to Advance Precision Medicine (http://www.ciapm.org/).
Research and Development
The healthcare ecosystem is a complex network of varying stakeholders with different incentives and levels of technical sophistication. Introducing the complexity of cybersecurity into this ecosystem increases the risk that the opportunities provided by health technology will not be effectively realized. Significant research is needed to understand how to strike the right balance between effectively addressing cybersecurity in healthcare and encouraging innovation and adoption of health technologies by care providers and patients. Results of such research can then be incorporated into development guidance documents, such as the FDA’s guidance on premarket submissions for the management of cybersecurity in medical devices (https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm356190.pdf). This includes research into ways of better protecting digital health solutions, as well as the methods organizations use to respond to cybersecurity vulnerabilities when they occur, including models for coordinated disclosure and for risk notification and response. Research should also be done to better understand the interactions between cybersecurity and the use of health technology, and their implications for clinical outcomes. This research will be even more important as patients have more opportunities to be directly involved in their care through the use of technology and, as a result, become responsible for the security of that technology. We recommend that incentives be developed to encourage research into the critical area of healthcare cybersecurity.
There are numerous legislative and regulatory efforts related to cybersecurity and privacy occurring at the state, national, and international levels. In addition to existing regulations like HIPAA, various global privacy regulations (e.g. the General Data Protection Regulation, “GDPR”, https://www.eugdpr.org/), and FDA guidance on cybersecurity, numerous other proposals are being considered around the privacy and cybersecurity of Internet of Things (IoT) devices, which often include medical technology. Given the size of many medical technology companies (discussed above), addressing the myriad of complex cybersecurity and privacy regulations can be cost prohibitive, if not impossible. Additionally, many of these regulations are focused on punitive actions after a cybersecurity incident or breach has occurred. We recommend that policymakers look to developing legislation and regulatory frameworks that encourage and support many of the proposals discussed in this paper, including:
● Workforce Development & Provider/Patient Education – Ensuring a capable workforce is available to develop secure medical technology and that care providers and patients are equipped to effectively manage the cybersecurity of this technology.
● Security Standards – Establishing flexible and responsive organizations and processes for the development of minimum security standards. Cyberthreats change quickly, and standards organizations need to be developed to respond accordingly.
● Information Sharing – Encouraging open and trusted communication between healthcare organizations is critical to being able to respond to security threats and minimize the impact on critical healthcare services. This can build on current activities and organizations, such as the FDA’s postmarket management of cybersecurity in medical devices, the Department of Homeland Security, the Energy and Commerce Committee, the CISO council and the Health Information Trust Alliance, and the Health and Human Services Cybersecurity Task Force Report.
● Cybersecurity Research – Incentives to encourage research into how to effectively address cybersecurity risks in healthcare while encouraging innovation and adoption of technology solutions, which can lead to improved clinical outcomes and lower costs.
Policy efforts should focus on accelerating market access for organizations that develop and maintain secure medical technology in accordance with accepted cybersecurity standards.
There is massive potential for California companies and organizations to ethically lead and create digital health solutions that can improve the health of the globe. Already, California leads the world in technology innovation. We recognize that the protection of digital health data and use of this data is paramount to realizing the promise of digital health. We also acknowledge that providing protections for the consumer is a continuous process and will be a shared responsibility. The market for digital health is rapidly changing and, in the future, the emphasis will be on the consumer. The effect of the evolving market on the individual, as well as the broader California economy, should be addressed now. This white paper provides a template for defining, growing and encouraging activities that should occur in tandem to motivate California healthcare company growth and digital innovation.
Advisory Board Members:
● Darin Andersen, MBA, Co-Chair Economic Development Subcommittee, Cybersecurity Task Force, California Governor’s Office of Emergency Services
● Bill Britton, Vice President of Information Technology and Chief Information Officer, California Polytechnic State University
● Wainwright Fishburn, JD, Partner and Global Head, Digital Health Practice, Cooley LLP
● John Mattison, MD, Chief Medical Information Officer and Assistant Medical Director, Kaiser Permanente
● Leslie Saxon, MD, Executive Director, USC Center for Body Computing
● Jesse Torres, Deputy Director/CA Small Business Advocate, GO-Biz
● Chris Tyberg, Division Vice President Information Security, Abbott Medical Devices
● Sid Voorakkara, Deputy Director, External Affairs, GO-Biz
● Andrew Thompson, Chief Executive Officer, Proteus Digital Health