For the past 20 years, Lenny Levy focused on information security for global organizations.
After 17 years as a consultant, Mr. Levy joined Spectrum Health in Grand Rapids, Mich., as the chief information security officer. He then went on to work as the interim CISO of Renton, Wash.-based Providence St. Joseph Health prior to becoming the interim CISO for a large children’s hospital.
A cybersecurity expert, Mr. Levy discusses the entrance of big tech companies into healthcare as well as issues with HIPAA.
Editor’s note: Responses have been lightly edited for clarity and length.
Question: What threats do Project Nightingale and other partnerships between big tech and health systems pose to patient data and other hospital operations?
Lenny Levy: I don't think the partnerships are really a threat. I look at them more as a source of innovation. If you look at the recently announced Microsoft and Providence St. Joseph Health as well as the Mayo Clinic and Google partnerships, both of them are focused on the digital transformation of healthcare by leveraging cloud computing, advanced analytics and artificial intelligence to drive better outcomes and improve the care experience.
The big tech companies are bringing scale, new technologies and innovative approaches that really compliment the clinical expertise of healthcare systems. That being said, the healthcare systems are ultimately responsible for protecting patient records from unauthorized use and disclosure. People need to feel confident that their information will be protected by the tech companies as well or better than what their healthcare systems do. So, the tech companies may need to step up their privacy and security controls specific to healthcare data.
Q: Why do hospitals fall victim to cybersecurity attacks? Is there a simple solution people are missing?
LL: As I look across the healthcare ecosystem after working with a lot of different healthcare systems, what I find is that hospitals are not immune to the same factors that lead to security incidents at other organizations. In some cases, healthcare organizations are more susceptible to security issues. This is partly because some organizations view cybersecurity as a technical versus a strategic issue. In addition, healthcare economics and low margins in healthcare can impact funds available for investment.
There is also a huge push toward digital transformation, but this does not necessarily include cybersecurity in the beginning phases of transformation. Additionally, some organizations still focus on compliance versus security. While the likelihood of cyberattack can be limited, there is no silver bullet to eliminate cybersecurity risk in healthcare. With cyber incidents as a question of when, not if, I think organizations need to look at how to build a resilient environment.
Q: Is HIPAA outdated?
LL: The core tenants of protecting the privacy and security of patients' information is important. However, if I look at HIPAA, I think it falls short of achieving all of its stated objectives.
First, compliance with HIPAA doesn't mean being secure. I look at initiatives, like the healthcare industry's cybersecurity practices that were released last year by HHS, as doing a much better job at giving practical advice to organizations on how to address cybersecurity threats.
In addition, if you look at recent legislation, such as the 21st Century CURES Act and the push to foster the exchange of data for clinical research, I don't think HIPAA has kept up with all of these developments.
Q: When you think of the most secure tech company or hospital, who/what comes to mind?
LL: For the past few years, I've been participating in HHS' 405(d) task group, which looks at how to improve cybersecurity across the entire healthcare ecosystem. One of the things I've seen is that a lot of healthcare systems, especially smaller providers, have a long way to go. Between the historical lack of investment in cybersecurity, higher complexity, legacy systems and insecure biomedical devices, I think most tech companies are already far ahead of the average healthcare organization. Security is also a core capability of a lot of the elite technology companies. So, these companies will probably continue to be more secure here in the near future.