Privacy & Cybersecurity


Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions

April 24, 2020

The security of health care data and systems is rapidly emerging as a critical component of hospital infrastructure, and attacks on hospital information systems have had substantial consequences, with closed practices, canceled surgical procedures, diverted ambulances, disrupted operations, and damaged reputations. Attacks against hospitals have been increasing, with substantial financial cost as well. In a recent well-publicized example, a large hospital network was taken offline by a virus for almost 2 weeks, resulting in service disruption, patient confusion, and delays in radiation therapy, among other repercussions. Health care delivery has become increasingly dependent on integrated, complex information systems that are susceptible to disruption. Securing our health information systems is critical to safe and effective care delivery and is now of public health concern. [7]

Phishing is the practice of deceiving individuals into disclosing sensitive personal information or clicking on links that introduce malicious software through deceptive electronic communication. [8] Usually done via email, phishing is a common attack strategy against health care system employees and can be a remarkably accessible, low-cost, and effective way of obtaining real credentials to health care information systems or inducing employees to click on malicious software. [9] Phishing emails can be realistic, and the sender's identity is frequently spoofed, or deliberately faked, so as to appear to be sent by a trusted individual or organization. Once an attacker has access to a system, they can steal personally identifiable information and sell it for profit, disrupt system availability, encrypt a database and demand a ransom payment to unlock it ("ransomware"), manipulate and falsify clinical data, or perform other malicious activities. A recent report indicated that 55% of physicians have experienced a phishing attack.

Employee awareness and training represent an important component of protection against phishing attacks. One method of generating awareness and providing training is to send simulated phishing emails to a group of employees and subsequently target educational material to those who inappropriately click or enter their credentials. For reference, 2 examples of phishing emails are listed in eTable 1 in the Supplement. The first email is a phishing simulation, and the second is an actual phishing email received at 1 of the participating institutions. As shown, the emails can be realistic and often appear to be sent by a trusted individual or member of the employee’s organization. Phishing simulation is common in many industries and is also being used in health care, typically as a training and improvement initiative. The simulated emails are designed to be as close as possible to real phishing emails; if the simulated email is clicked, it is used as a real-time opportunity to provide short phishing education to the employee. Several vendors exist that offer phishing simulation as a service (eg, composing and sending the simulation emails, collecting employee responses, providing phishing training, and reporting on click rates to hospital leadership). In this context, we examined the practice of phishing simulation and the extent to which health care employees are vulnerable to phishing simulations and identified potential determinants of vulnerability to email phishing simulation.
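The simulation workflow the paragraph describes (a unique link per employee, a record of who clicks or enters credentials, routing of those employees to short training, and click-rate reporting for leadership) is sketched below as an added example. It is not code from the study or from any simulation vendor. The class, the landing host training.example.org, the per-campaign secret and the employee IDs are all assumptions made for illustration. The tracking token is an HMAC over the campaign and employee ID, so the URL in the email carries no employee identity and tokens cannot be guessed or forged; the landing page it implies records only the fact that credentials were entered and discards whatever was typed.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Added example (not from the paper or any vendor): minimal click and
# credential-entry tracking for a phishing simulation campaign.
# Assumptions: one opaque HMAC token per (campaign, employee), a
# per-campaign secret, and a hypothetical landing host.

LANDING_HOST = "https://training.example.org/t/"   # assumed, not a real host
TRACKED_ACTIONS = ("clicked", "submitted")         # what the simulation records


class PhishingSimulation:
    def __init__(self, campaign_id, employees, secret=None):
        self.campaign_id = campaign_id
        # per-campaign key; pass a fixed value only for reproducible tests
        self.secret = secret if secret is not None else secrets.token_bytes(32)
        # server-side map from opaque token back to employee; never sent in mail
        self.tokens = {self._token(e): e for e in employees}
        self.events = {e: set() for e in employees}

    def _token(self, employee_id):
        msg = f"{self.campaign_id}:{employee_id}".encode()
        # 128-bit truncation is ample for an unguessable per-recipient token
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:32]

    def link_for(self, employee_id):
        """Unique link to embed in the simulated email for this employee."""
        if employee_id not in self.events:
            raise KeyError(employee_id)
        return LANDING_HOST + self._token(employee_id)

    def record(self, token, action):
        """Landing-page callback. Returns the employee, or None for an unknown token.

        For "submitted" the landing page reports only that something was
        entered; the typed credentials themselves are discarded, never stored.
        """
        if action not in TRACKED_ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        employee = self.tokens.get(token)
        if employee is None:
            return None           # scanner, forwarded link or stale campaign: ignore
        if action == "submitted":
            self.events[employee].add("clicked")   # cannot submit without landing
        self.events[employee].add(action)
        return employee

    def needs_training(self):
        """Employees to route to the short just-in-time training module."""
        return sorted(e for e, acts in self.events.items() if acts)

    def report(self):
        """Campaign-level rates for leadership reporting."""
        n = len(self.events)
        counts = Counter(a for acts in self.events.values() for a in acts)
        return {
            "recipients": n,
            "click_rate": counts["clicked"] / n if n else 0.0,
            "credential_rate": counts["submitted"] / n if n else 0.0,
        }


def demo():
    """Constructed four-employee campaign; returns (report, employees to train)."""
    staff = ["e101", "e102", "e103", "e104"]
    sim = PhishingSimulation("sim-2020-04", staff)
    token = {e: sim.link_for(e).rsplit("/", 1)[1] for e in staff}
    sim.record(token["e101"], "clicked")     # opened the link, entered nothing
    sim.record(token["e102"], "submitted")   # entered credentials on the landing page
    sim.record("0" * 32, "clicked")          # unknown token: ignored
    return sim.report(), sim.needs_training()


if __name__ == "__main__":
    print(demo())
```

Because the token is keyed per campaign, a link copied from an earlier simulation does not register against the current one, and an employee forwarding the email to a colleague still attributes the click to the original recipient, which is the behaviour a training program wants.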

Webinar Presentation Series: eHI Privacy and Security

April 14, 2020

Please join us to hear how privacy policies and regulations have changed in the face of the COVID-19 pandemic. Julie Barnes, of Maverick Health Policy, will speak with eHI Vice President Alice Leiter about the many ways federal health agencies are navigating patient data privacy in light of the coronavirus crisis, including adjustments related to data sharing for public health purposes and the relaxation of telehealth enforcement. 

Presenters

Julie Barnes, JD 
Founder & Principal

Julie Barnes is a health care policy expert and attorney with years of experience helping the private sector navigate federal government activities that impact health. Ms. Barnes is a strategic adviser to organizations that need guidance about federal health policies and how to develop relationships with policymakers and influential advocacy organizations. As a former policy analyst, health care litigator, and Capitol Hill staffer, Ms. Barnes informs business strategy and investments in a myriad of health care areas, including health information technology, data privacy and interoperability, value-based care, transparency, health insurance and new payment models, and federal health programs. 

 

Alice Leiter, JD
Vice President & Senior Counsel

Alice is a health regulatory lawyer with a specialty in health information privacy law and policy. She previously worked as a Senior Associate at the law firm Hogan Lovells, where she worked with clients on Medicare and Medicaid pricing and reimbursement. Alice spent several years as policy counsel at two different non-profit organizations, the National Partnership for Women & Families and the Center for Democracy & Technology. She currently sits on the DC HIE Policy Board, as well as the boards of Beauvoir School, Educare DC, and DC Greens, the latter of which she chairs. She received her B.A. in human biology from Stanford University and her J.D. from the Georgetown University Law Center. Alice and her husband, Michael, live in Washington, D.C. with their four children.

 


The New Face of Cyber Security: How Digital Technology is Transforming Cybersecurity in Healthcare

March 23, 2020

In recent years the healthcare industry has undergone a digital revolution. The replacement of paper files with electronic medical records is just one aspect; many medical procedures and devices now rely on digital technology. While this digital evolution has brought significant improvements in the efficiency and effectiveness of treatment, there continues to be pressure to actively manage costs, as provider profit margins were forecast to fall by as much as 2% in 2019. As such, hospital executives are increasingly considering partnerships with medical technology companies to curtail costs and drive efficiency. On the other side of the coin, the use of websites and mobile applications has also made healthcare providers increasingly vulnerable to attackers. Data breaches, data manipulation and attacker takeover of systems are three of the biggest cyberthreats the healthcare industry is facing today.
 

Time for NIH to lead on data sharing

March 20, 2020


The U.S. National Institutes of Health (NIH), the largest global funder of biomedical research, is in the midst of digesting public comments toward finalizing a data sharing policy. Although the draft policy is generally supportive of data sharing (1), it needs strengthening if we are to collectively achieve a long-standing vision of open science built on the principles of findable, accessible, interoperable, and reusable (FAIR) (2) data sharing. Relying on investigators to voluntarily share data has not, thus far, led to widespread open science practices (3); thus, we suggest steps that NIH could take to lead on scientific data sharing, with an initial focus on clinical trial data sharing.

The full Science Magazine article can be downloaded below.  


Evolving public views on the value of one’s DNA and expectations for genomic database governance: Results from a national survey

March 11, 2020


We report results from a large survey of public attitudes regarding genomic database governance. Prior surveys focused on the context of academic-sponsored biobanks, framing data provision as altruistic donation; our survey is designed to reflect four growing trends: genomic databases are found across many sectors; they are used for more than academic biomedical research; their value is reflected in corporate transactions; and additional related privacy risks are coming to light. To examine how attitudes may evolve in response to these trends, we provided survey respondents with information from mainstream media coverage of them. We then found only 11.7% of respondents willing to altruistically donate their data, versus 50.6% willing to provide data if financially compensated, and 37.8% unwilling to provide data regardless of compensation. Because providing one’s genomic data is sometimes bundled with receipt of a personalized genomic report, we also asked respondents what price they would be willing to pay for a personalized report. Subtracting that response value from one’s expected compensation for providing data (if any) yields a net expected payment. For the altruistic donors, median net expected payment was -$75 (i.e. they expected to pay $75 for the bundle). For respondents wanting compensation for their data, however, median net expected payment was +$95 (i.e. they expected to receive $95). When asked about different genomic database governance policies, most respondents preferred options that allowed them more control over their data. In particular, they favored policies restricting data sharing or reuse unless permission is specifically granted by the individual. Policy preferences were also relatively consistent regardless of the sector in which the genomic database was located. 
Together these findings offer a forward-looking window on individual preferences that can be useful for institutions of all types as they develop governance approaches in this area of large-scale data sharing.

The full article can be downloaded below.  


Trump rules let patients download health records to their phones

March 10, 2020


The Trump administration on Monday unveiled its plan to make it easier for patients to download their own health and insurance records to their smartphones — an effort that's triggered privacy concerns from some of the biggest health care trade groups and intense lobbying from the tech industry.

The rules force insurers and hospitals to make patients' information easily shareable using common data standards. Trump health officials on Monday framed the rules as a way to give patients — instead of health care providers, health records companies and insurers — control over health data.

The full Politico article can be viewed at this link.  


'Fixing health care' is a disservice to society

March 03, 2020


We all know — and the presidential candidates keep reminding us at every debate and in the run-up to Super Tuesday — that our health care system is struggling to provide Americans with affordable care. While we broadly agree that health care needs to be fixed, the conversation on “how” is headed down the wrong path. Instead of looking for solutions to patch up the current system, we should think anew for higher efficiencies, lower costs and, most importantly, better outcomes.  

We should start by asking how we use existing and emerging technologies to invent a preventive, proactive, predictive, and personalized self-care system that delivers tenfold cost-effectiveness enhancements. How do we seize the new economics of a tech-enabled national health care system? Many of the tools needed to effect this transformation are now available; others are rapidly evolving. Health care policymakers need to focus on cultivating and rapidly incorporating a new tech-enabled paradigm of health management while phasing out the old.  

The full opinion piece from The Hill can be viewed at this link.  
