By McKenna Middleton | Opinion Editor
Baylor Cyber Day continued Wednesday afternoon at the Paul L. Foster Campus for Business and Innovation with a panel discussion on cybersecurity of personal health data. Panelists discussed the challenges of cybersecurity as fast-changing health technologies and a move to electronic medical records raise new concerns for both industry leaders and average citizens.
The discussion was moderated by Jon Allen, Baylor interim chief information officer and chief information security officer, and featured leaders from the health data and cybersecurity industry including Jason Barnett from HCA Healthcare, Richard M. Seidner from Splunk Corp., A. Michael Smith from PwC and Shawn McGuill from Allergan Inc.
“As you can imagine, health is a hot topic as we look toward Illuminate, but so is cybersecurity,” Allen said. “And so as we look at how those two intermingle with each other, and the disciplines end up having a lot of commonalities and challenges and so this panel was brought together to really talk about what those challenges are in both cyber and health and the interplay between the two.”
Panelists explained that cybersecurity in healthcare is critical to protecting an individual’s identity and privacy. The more information hackers have about an individual, the easier it is to compromise that identity, making health records particularly desirable targets in cyber attacks.
“If you think about health care data, it’s just the comprehensive nature of the data. So if you think about losing a social security number or a credit card number or whatever, quite often your healthcare records will have all of that and then more,” Smith said.
Barnett said children’s health data is not only susceptible to attack, but can even be highly sought after by hackers.
“Kids don’t have a credit history, so it’s a perfect target for somebody to establish their own credit on as well,” Barnett said.
In this way, the consequences of cyber attacks on health data can have even larger repercussions than security breaches in other sectors.
“The risk profile is a lot different. I mean, if you lose some money with your bank, your bank is going to compensate you, if your credit gets stolen,” McGuill said. “If your healthcare gets compromised or records get compromised, there’s no getting back from that.”
Some of these issues arise when fast-changing technology outpaces the cybersecurity measures of healthcare entities. One example of this is wearable devices like Fitbits and Apple Watches that gather and store users’ personal health data.
“The real challenge is that the entry points for health data are changing dramatically. So when you think back a decade or two ago, health data primarily resided either in the hospital or at the doctor’s office. Now, you all have access to your personal health records online. So that’s another entry point. All of these devices are another entry point,” Seidner said. “And we know that there’s a problem in terms of lack of protecting a lot of these entry points. So it’s becoming easier for the bad guys to look at various increasing ways of getting to that information. So the challenge is becoming more complex the more devices that we bring into the market.”
McGuill said these devices offer many benefits to users, but need to give better consideration to cybersecurity. Because technology is so pervasive, users need to be more aware of what cybersecurity means.
“Everybody is on the frontline now. Everybody has to be really vigilant,” McGuill said.
Allen suggested cybersecurity of health data is a matter of balancing three vital components: confidentiality, integrity and availability. While many panelists agreed integrity should be the most important element of that puzzle, Smith said confidentiality and availability are inextricably linked.
“That’s really where the art comes into the science: You’re combining the security around confidentiality with the necessary availability to make it useful, and that’s really an art to do that the right way,” Smith said.
That balance is important because when it comes to health data, cybersecurity can often be a matter of life and death, according to Allen.
“You have to think of it as a zero tolerance for failure, whereas, if you’re thinking about a bank or an insurance company or something like that, there will be some calculated level of risk you’re willing to accept. But if you’re talking about some, let’s say, augmented reality surgical tool that is being used actively on people, you cannot have a fail,” Smith said.
Barnett said another important step in increasing cybersecurity measures is for companies to begin to see cybersecurity as a business problem rather than just a technology problem, so they are more willing to invest in it as a priority.
Seidner said the importance of understanding cybersecurity goes beyond protecting health data. He commended Baylor for hosting Cyber Day as a way to educate the community on the issues of managing their online data and exposing students to the emerging field of cybersecurity.
“I think the really good news is that you can see that entities like higher education are beginning to respond to this need more effectively,” Seidner said. “Today, more and more institutions are offering cybersecurity-specific master’s programs — cybersecurity certificates. So the opportunity for you as students to really concentrate more effectively and build a stronger skill set around cybersecurity are increasing dramatically.”