The Budding Healthcare IT Spring

Rick Dakin, CEO, Co-founder and Chief Security Strategist

HIMSS12 is in full production in Las Vegas this week. Over 40,000 healthcare IT professionals and service providers have descended upon a conference that will set the direction for a new wave of technology innovations for the healthcare industry. Almost every booth has a sign extolling the benefits of cloud-based services delivered through mobile devices. The promise to shake the industry to its core is a common theme.

Why this message, and why now? After talking with a few key CIOs, the underlying drivers for the rapid change became apparent. Several cited recent HITECH regulatory changes, while others noted a recurring observation that “consumerization” of the entire IT space is finally creeping into healthcare. These obvious symptoms were easy to understand. However, the real driver is much more subtle.

The basic healthcare delivery system is changing. Industry leaders described three pillars of profound and irreversible change within the industry:

  • Cost Reduction – the cost of health services must be controlled. The portion of the consumer’s healthcare bill reimbursed by both health insurance and government promises to be lower in the future. Building expensive centralized hospitals with high day rates can no longer be the core of the healthcare delivery system. Expect to see more decentralized services provided by specialists approved through your primary care physician. This coordinated healthcare delivery ecosystem must be informed from initial services through to specialty components.
  • Prevention versus Treatment – health monitoring and real-time diagnosis will become an increasing focus. Patients must be enabled to communicate more thoroughly and effortlessly with their clinicians to better predict issues and drive intervention before serious problems occur. Expect home healthcare to expand to individual mobile healthcare delivered at any time of day.
  • Transparency – the days of healthcare mystery are over. Patients are becoming much more savvy about diagnostic data and expect their entire clinical support ecosystem to know everything when they interact with it. Data, all day, in all ways is quickly becoming the mantra.

These powerful forces are driving change that will move the healthcare industry from technology troglodytes to technology leaders. The pace of change is breathtaking. Having survived the “Dot Bomb” era, I hate to refer to revolutionary change, but many of the participants who are implementing change definitely see themselves as revolutionaries. They have thrown away the rules for bureaucratic system development and have adopted modern mobile applications that bypass many of the legacy barriers. In some cases, the developers were proud of their ability to extract data from vendors who were unwilling participants in the development process. The clinical users developed their own applications and put a wall around the vendors and data center managers who were simply moving too slowly.

New Healthcare Technology Innovations
We saw a demonstration of integrated health records that allowed clinicians to access prescription history and lab charts through an iPhone. This enterprise-quality application was developed in 6 months by two twenty-something programmers for less than $50,000. Over a thousand users depend on this very productive tool today after a 30-day deployment, training and registration process. This is lightning fast for any industry and beyond blazing for the healthcare industry, which currently depends on Electronic Health Records (EHR) systems developed in the late 1980s and still hosted on fragile infrastructure that causes multi-day delays in communicating analytical data to clinical professionals.

The positive side of this story is that change is occurring quickly to drive much-needed efficiency and transparency into an industry that is demanding profound change. The downside is that the industry is building a 1969 Corvette that can reach 160 miles per hour but has no brakes to stop and no air bags to protect the driver. Security is a secondary thought in many of the solutions and services we reviewed at the conference. For one application, the developer stated that they used an Apple platform to make sure all communications were protected. Running on a particular vendor’s platform is not, by itself, a transport security control: whether traffic is encrypted, server certificates are validated and data is protected at rest depends on how the application is built and configured, and each of those has to be verified rather than assumed. I wonder if a group of hackers would accept the challenge to compromise an Apple system to show that no system is immune from today’s sophisticated attacks. The industry has still not reconciled itself to the damage caused by recent healthcare data breaches and is not concerned by the potential for data integrity issues that may lead to incorrect diagnosis and treatment.

We found a few leading service providers, such as Oracle, HP, Firehost and VMware, that were actively integrating security into the core service and having those controls tested by an independent third-party assessor. However, the bulk of the solutions we reviewed were simply not offering validated applications and services as an integrated part of the solution. The fact that many systems are developed and assembled outside the United States was not being addressed through proactive testing and system validation to ensure that backdoor access is prevented.

So… buyer beware. The industry is building what you request. Much like the Arab Spring of 2011, the rapid pace of change will be a little chaotic, but the movement has begun and there is no turning back. A wave of new systems and services is heading to a facility near you. If you do not ask for security and for validation of the controls by an independent assessor, you will get the functionality, the efficiency and the RISK at no extra cost.

Rick Dakin
