The Cyber Insecurity Initiative of the Los Angeles Healthcare Security Systems Project

submission by COMMET

About Your Organization

Organization name(s):

The Center of Medical Multimedia Education and Technology (COMMET)

Organization website:

http://epicenterla.org/

Organization Twitter handle:

EPICenter_LA

Organization Facebook page:

https://www.facebook.com/pages/The-Epicenter/220315941470120

Describe your organization (check only one):

Nonprofit organization

For-profit organization

Government

Individual

Please describe yourself (check only one):

Solo actor (just us on this project!)

Proposed collaboration (we want to work with partners!)

Collaboration (partners are signed up and ready to hit the ground running!)

In one sentence, please describe what your organization does.

:

COMMET promotes the widespread use of new medical technology, bridging the gap between medicine and technology.

In one sentence, please describe your idea or project.

:

The Cyber Insecurity Initiative will evaluate risks and recommend solutions to a healthcare system dependent on electronic health records.

Does your project impact Los Angeles County? Check only one.

Yes (benefits all of LA County)

Yes (benefits a region of LA County)

Yes (benefits a population of LA County)

No

Please write a sample tweet to describe your submission.

:

The Cyber Insecurity Initiative will help protect hospitals and patient electronic health records as our health system modernizes

Which area(s) of LA does your project benefit? Check all that apply.

Central LA

East LA

South LA

San Gabriel Valley

San Fernando Valley

South Bay

Westside

Other:

What is your idea/project in more detail?

:

Nearly all LA County’ hospitals have moved to electronic health records (EHR) in compliance with Federal regulations. We have identified a mismatch regarding perceived versus actual vulnerabilities to these medical records. According to cybersecurity experts, electronic systems are much more vulnerable than we realize, which places LA County residents at great risk. The next “Cyber Pearl Harbor” may be just around the corner. Our initiative will conduct a thorough vulnerability assessment of digital healthcare information in LA’s hospitals. The differences between cyber threat perceptions and actual vulnerabilities will be collected and analyzed to improve the security of LA County’s EHRs, thus making our population healthier and safer.

What will you do to implement this idea/project?

:

The Cyber Insecurity Initiative has four main phases: planning, assessment, analysis, and recommendations. The planning phase will consist of securing appropriate permissions from LA County’s 122 licensed hospitals for participation, designing questionnaires and interview guides to conduct the vulnerability assessments, and coordinating the logistics to carry out the plan. There may be reluctance to have participants do an Internet survey, so we will do both a person-to-person as well as a text survey (using text to database technology we developed). All information will be confidential and not attributed to any one hospital. Only combined data will be shown in any report. The assessment phase involves scheduling and conducting interviews with five groups that have input. Special emphasis will be placed on achieving a balance of each hospital’s EHR buyers, users, emergency managers, administrators, and compliance officers. The questionnaires and interviews will provide the foundation of the vulnerability assessment, complemented by subject matter expert evaluations. The analysis phase requires thorough statistical analysis of all data. One key goal is to compare and evaluate vulnerability perceptions (as documented in the questionnaires and interviews) with actual vulnerabilities (as documented by cybersecurity professionals working with us as well as the literature). The recommendations phase begins with preparing reports and presentation materials, culminating with the presentation of findings with recommendations to improve cybersecurity to the entire hospital community. Specific collaborators for the initiative’s findings and recommendations are the Hospital Association of Southern California, the Hospital Corporation of America (pending), the UCLA Center for Public Health and Disasters, the LA County EMS Agency, Red-E Consulting, and the California Hospital Association.

How will your idea/project help make LA the healthiest place to live today? In 2050?

:

The residents and visitors of LA County deserve and expect a safe, reliable healthcare system that protects their personal health information and provides unimpeded information to the appropriate provider in a timely manner. We are still at the dawn of a rapidly evolving technological age in healthcare. As our use of healthcare technology and cyberspace expands, so do the cybersecurity threats. The Cyber Insecurity Initiative will proactively address these concerns now, guiding our use of new technology in a safe and responsible manner. By 2050, healthcare will be totally dependent on technology and cyberspace, and the decisions we make now will allow LA to take full advantage of benefits offered by reliable, digitized healthcare while proactively minimizing the risks to the private health information of every individual who uses LA County’s hospitals.

Furthermore, in a world that is shrinking due to technology, the Cyber Insecurity Initiative will keep Los Angeles at the forefront of healthcare in an increasingly globalized world. LA is a truly global city. As of 2013, there were 3.5 million foreign-born residents in LA County, and there are 135 different languages spoken here. An estimated 1 in 10 residents is undocumented, and we have millions of international visitors every year. LAX is the sixth busiest airport in the world. For the health of our residents and visitors, our economic prosperity requires a world class healthcare system that maximizes the safe and responsible use of EHRs

Additionally, disasters and public health emergencies (such as biological terrorism and pandemic diseases) must be considered. If used to its potential, our healthcare system can use EHRs to mitigate the effects of a disaster and speed the public health emergency response and recovery. In fact, the effective use of EHRs even has the potential to mitigate a pandemic disease in its tracks. This can only be achieved, however, if the system is safe and secure.

Finally, the routine and safe use of EHRs will drastically improve the daily lives of all LA County residents and visitors. Healthcare can be provided faster, more effectively, more efficiently, and cheaper thanks to the benefits of digitized healthcare. The Cyber Insecurity Initiative will ensure that we do so in a way that minimizes or negates the potential risks to digitized healthcare as we approach 2050. Residents will feel safer knowing that their medical privacy is secure and the system is working well.

Whom will your project benefit? Please be specific.

:

The Los Angeles County healthcare system is an essential public service available to all residents and visitors. Whether or not a specific individual is using that system at any given point in time, everyone in LA can benefit from that public good. While our thoughts go first to the ill or injured who currently require hospital care, everyone in LA knows that the emergency medical services, emergency rooms, and world class healthcare in general are available to them and their families, if needed. Whether directly or indirectly, all of us benefit from our healthcare system. A well functioning healthcare system is essential to a vibrant, resilient community that can continue to thrive. In the new century, a comprehensive, long-term approach to healthcare cybersecurity is essential to the reliability and public trust of the healthcare system.

The cyber security concerns include security breaches, data loss, data for ransom, data corruption Internet breakdown, electrical breakdown, and other hazards that will negatively impact our population’s health in an environment where we are rapidly becoming more and more dependent on digitized healthcare records. Whether caused by a terrorist, a hacker, an accident, or a disaster, the residents and visitors of LA can be assured that their healthcare information is safer thanks to the Cyber Insecurity Initiative.

The following examples illustrate the extent of modern security breaches. As healthcare becomes increasingly dependent on digital records, the impact of these breaches will rise. According to a report by a cyber security firm called Redspin, there was a 97% increase in health record breaches from 2010-2011. Ponemon found that these breaches cost the hacked organization approximately $240 per record. In 2011, TRICARE lost their EHR back-up tapes, affecting almost 5 million patients. In 2010, the North Bronx Healthcare Network had 1.7 million EHRs stolen by a hacker. In 2009, Blue Cross and Blue Shield of Tennessee had a hard drive with over one million EHRs stolen. These are among many examples of the mounting risks associated with the transition to EHRs. The costs associated with EHR security breaches are tremendous, and the potential impact on the public’s faith in healthcare providers is even greater.

Additionally, the methodology we use can be adapted to other infrastructure, such as public health, public safety (police and fire), emergency management, transportation, electrical grid, public works, etc.

Please identify any partners or collaborators who will work with you on this project.

:

Hospital Association of Southern California
Hospital Corporation of America (pending)
UCLA Center for Public Health and Disasters
LA County EMS Agency
California Hospital Association
Red-E (cyber consulting firm)

How will your project impact the LA2050 "LIVE" metrics?

Access to healthy food

Healthcare access

Exposure to air toxins

Number of households below the self-sufficiency standard

Percent of imported water

Obesity rates

Rates of homelessness

Walk/bike/transit score

Acres and miles of polluted waterways

Rates of mental illnesses

Prevalence of adverse childhood experience (Dream Metric)

Percentage of LA communities that are resilient (Dream Metric)

Percentage of residents receiving coordinated healthcare services (Dream Metric)

Percentage of tree canopy cover (Dream Metric)

Other:

If other, please specify.:

(1) Percentage of residents who trust the safety and reliability of the healthcare system. (2) Percentage of residents who trust the safety and reliability of electronic healthcare records.

Please elaborate on how your project will impact the above metrics.:

Our healthcare is undergoing a rapid transition. New laws are changing the way we provide care, healthcare costs are still out of control, providers are changing how they interact with patients, public health is underfunded, hospital profit margins are reduced, and all medical records are being digitized. This “perfect storm” helps put the importance of proper cyber safeguards in a broader context.

Healthcare is a critical “public good” that benefits all residents and visitors to LA directly or indirectly. The reality is that a safe and reliable healthcare system is assumed and expected. We take it as a “given”, without specificity or insight regarding how complex it really is. On occasion, the news media highlights various concerns for the public, such as when the Los Angeles Fire Department was faulted for its slower-than-reported EMS response times in 2013.

First and foremost, public knowledge of the benefits from the Cyber Insecurity Initiative should increase the percentage of residents who receive coordinated healthcare access in LA. They will be assured that the healthcare system is proactively and responsibly addressing cybersecurity as the use of digitized healthcare expands and evolves.

The reality, though, is that many residents and visitors will be less aware of how the metrics of the Cyber Insecurity Initiative are actually achieved. First, we seek to better align cyber threat perceptions of administrators, providers, etc. with the actual cyber risks. Second, we will make recommendations to close gaps and improve upon security. Because the data has not yet been collected or analyzed, these recommendations and the metrics derived from them cannot yet be concretely defined. This is why a grant from LA2050 is so essential.

In a general sense, the recommendations and metrics center on anticipated cybersecurity and reliability domains since breaches have already occurred, hospitals have been fined, and records have been corrupted. These domains include the frequency and extent of security breaches and/or data loss, the speed and reliability of data retrieval and transfer, the usage rates and reliability of EHRs, and so on. In many cases, the general public will not be aware of these metrics even though they are critical to the health and wellbeing of the population. They can be aggregated under the categories of “public trust in the safety and reliability of the healthcare system” and “public trust in the safety and reliability of EHRs."

Please select which other LA2050 Goals are relevant to your project or organization (check all that apply):

LA is the best place to CREATE

LA is the best place to PLAY

LA is the best place to CONNECT

LA is the best place to LEARN

Please explain how you will evaluate your project.

:

Metric 1 (process): Participation of healthcare technology buyers, users, managers, administrators, and compliance officers in the Cyber Insecurity Initiative. To be most effective, we will require the buy-in and support of these individuals to properly assess cybersecurity concerns. The support of both top-level administrators and hospital/healthcare associations will help with this endeavor, and we have already gained some support from them for the initiative. We will certainly be successful with even moderate participation from healthcare technology buyers, users, disaster managers, administrators, and compliance officers, but we seek to maximize their participation.

Metric 2 (outcome): Gap between perceived cyber threats to the healthcare system (by healthcare administrators, providers, etc.) and actual threats. This measure will be initially assessed through questionnaires and interviews with a wide range of healthcare technology buyers, users, disaster managers, administrators, and compliance officers. The Cyber Insecurity Initiative will then analyze the results and provide recommendations to address the gaps between perceived and actual threats.

Metric 3 (outcome): Public trust in the safety, accessibility, and reliability of the healthcare system is dependent on technology and cyberspace. This public trust is essential. Public concerns with the healthcare system, such as with the fire departments and emergency medical services response times, are fundamental to the trust in the healthcare system. The EMS system in LA County has already started using EHRs from the moment of first contact with patients (before they even get transported to the hospital). The Cyber Insecurity Initiative can provide recommendations to assess and improve the public’s trust in the emergency medical services system. This can also eventually be extended to other parts of the county’s infrastructure.

What two lessons have informed your solution or project?

:

Lesson 1: In our experience many healthcare technology buyers, users, disaster managers, administrators, and compliance officers are either unaware of or do not fully appreciate the cybersecurity risks to healthcare data. This lesson is based on consultation with cybersecurity professionals, the literature, and anecdotal information regarding the perceptions of healthcare professionals. This lesson, as well as the desire to have a resilient, robust system in place, is what prompted the need for the Cyber Insecurity Initiative. The extent and scope of the mismatch between cybersecurity and healthcare professionals will be determined and analyzed. Furthermore, many healthcare professionals are reluctant to participate in this type of research because it shines a light on a sensitive issue that they do not fully understand nor want to make public. In other words, they may not want to share their concerns. This is why buy-in and active support from top-level administrators and healthcare/hospital associations is critical.

Lesson 2: Black Swan (low probability, high impact) types of disasters are not part of our daily routine. Thus, many cyber concerns are handled outside the knowledge of the general public. The public’s trust in the healthcare system includes a basic assumption that cybersecurity issues are appropriately addressed. The public is not aware that many healthcare technology buyers, users, disaster managers, administrators, and compliance officers lack a full multidisciplinary appreciation of the cybersecurity risks to their personal health information. Were such knowledge to become widely publicized, then the public’s trust of the healthcare system would be diminished. That’s why it’s so important for the Cyber Insecurity Initiative to be funded. With funding we can proactively address these cybersecurity concerns now, before vulnerabilities can be exploited or new risks can develop. If a current or emerging vulnerability of cybersecurity was exploited without a program like the Cyber Insecurity Initiative to address it, the public trust in the healthcare system would be diminished or even violated.

Explain how implementing your project within the next twelve months is an achievable goal.

:

Within 12 months of receiving funding, the Cyber Insecurity Initiative will have completed most of the first two phases of its plan, and the third phase will be underway. The planning phase consists of securing appropriate permissions from hospitals and healthcare professionals for participation. We have already begun this process by approaching top-level administrators and healthcare/hospital associations for buy-in. The planning phase also includes designing questionnaires and interview guides; the formative work for this activity is already complete.

The assessment phase involves scheduling and conducting interviews with EHR technology buyers, users, disaster managers, administrators, and compliance officers. This is where the majority of the labor will be. The principal goal is data collection.

The analysis phase consists of thorough statistical analysis of the data for the purpose of developing recommendations. We anticipate beginning this phase within one year of receiving funding. The final phase, recommendations, will be completed in the second year of the Cyber Insecurity Initiative.

Please list at least two major barriers/challenges you anticipate. What is your strategy for ensuring a successful implementation?

:

Challenge 1: Some healthcare technology buyers, users, disaster managers, administrators, and compliance officers may be reluctant to participate. In many cases, these individuals are generally aware of such cybersecurity concerns (or perceptions), but do not want the issue examined in detail by an outsider to the hospital or hospital organization. They may not want attention placed on their institution’s weaknesses.

Strategy 1: Gain buy-in and active support from top-level administrators and healthcare/hospital associations. Help them understand how it is in their organizations’ best interests to proactively study and address these problems. Have them require or encourage their subordinates to participate. Assure them that all information is confidential and no data will be attributed to any individual, hospital or hospital group. We will give them the opportunity to do either a person-to-person survey or a text-based survey on their cell phones.

Challenge 2: Scheduling and logistics. The Cyber Insecurity Initiative will require a substantial number of interviews with healthcare technology buyers, users, disaster managers, administrators, and compliance officers. These are busy professionals with limited time for participating in an endeavor like this. Our organization has excellent project managers, but they will be engaged full time with coordinating the schedules of both the healthcare professionals and the interviewers to accomplish our objective. This phase will take six to eight months to complete.

Strategy 2: This challenge will be mitigated in a few different ways. First, the Cyber Insecurity Initiative will ensure that top-level administrators and healthcare/hospital associations require appropriate employees to participate. Second, we will establish the population of potential interviews before starting, and then ensure that our completed interviews are representative of that population. Third, we will develop a text message based questionnaire to ensure that we can collect some data from healthcare professionals who are unable to provide interviews. Since an Internet survey may be troubling to some, we will make available a texting technology we developed that can record and catalog responses in the event that a face-to-face interview is not possible or desirable. This technology has been tested in Vietnam for disease surveillance as well as with the LA County Department of Health Services for assessing waiting room time.

What resources does your project need? (check all that apply)

Money (financial capital)

Volunteers/staff (human capital)

Publicity/awareness (social capital)

Infrastructure (building/space/vehicles, etc.)

Education/training

Technical infrastructure (computers, etc.)

Community outreach

Network/relationship support

Quality improvement research

Discussion
0 Pink talk bubble tail c96b4a07ef1417e25d0bcf5c4cba4766b8bbf0382f07677990a9d5577885d4d7


Pink ribbon award box icon 45b87e779c93f5099a48378c2aadc0fcd51184974daecf76e3f5c50034ea21fb
Award topvotedidea 5a5ae14e3d56a10363ea2a398cece46cf4df891213cbe68677c19d8903a1932a
$100,000
Circle 1 inactive e7784182a1bd5eace578987db27fc19ec6337f418c48c6c8732605b9043d50d0 Step1 title submission inactive cde083e53089b973e7c9dc80a44a038c1ce4cf3b2650aeb5549157d1ed58a2d9

Submission Began
Tuesday, July 01, 2014

Submission Ended
Thursday, July 31, 2014
at 07:00 PM UTC

Circle 2 inactive 74a43088831beb43fdbd7591ef5d50a5a7a26ff92c9e8ed489782459fa31a8d9 Step2 title voting inactive 96be722f53c417edddb5742ba9a6dc2fd403f7e4f6c19dbe883d50d20d93689d

Voting Began
Tuesday, September 02, 2014

Voting Ended
Tuesday, September 16, 2014
at 07:00 PM UTC

Circle 3 83da7a9432aeea960e1a9e9ee93e7ea1221af6c8f42b27964f2e9999d94b2b8d Step3 title 3d9e2a65d6ea1ad301f8fc607f5f828bd96362932c71d81c0da5b1fd964422b0

Winner Announced
Tuesday, September 30, 2014