A former U.S. Defense Department intelligence officer, CynergisTek CEO Mac McMillan is now a leader in securing material of a different form: health care IT data.
From monitoring access to weapons of mass destruction to
safeguarding medical data, Mac McMillan has done it all as far as security is
A former director of security at two Defense Department agencies in charge
of overseeing inspection of WMDs, McMillan was also an intelligence officer who
oversaw the implementation of international arms control agreements between the
and other countries. In addition, he led programs to provide humanitarian aid
to suffering nations of the former Soviet Union, including
Azerbaijan and Turkmenistan.
McMillan is currently CEO of CynergisTek,
a health care security firm founded in 2003, and chairman of the Privacy and
Steering Committee for HIMSS
Care Information and Management Systems Society), where he educates companies
on data breaches and provides recommendations to the government on how to deal
Recently eWEEK spoke with McMillan to get his take on what causes data
and how health care companies can better secure their data.
What trends are you seeing as far as medical identity
Probably the main trend in medical identity theft is still
fraud as it relates to people getting access to someone else's medical information
to put in a false claim and defraud the system. That is still probably the
largest or biggest type of event that you see in medical identity theft. When
you look at that, unfortunately the bulk of it is done by insiders.
Fraud is the No. 1 reason, and insiders are the No. 1 cause. People who have
legitimate access to information who then do something wrong with that
knowledge. Probably the No. 2 cause after insider abuse is physical theft or
physical loss-stealing computers, stealing tapes, loss of tapes, loss of a
laptop, etc. As long as information has value, as long as somebody thinks
there's a way to make money by misusing information, there's going to be a risk
Patient safety is probably the biggest risk associated with medical identity
theft. And there are cases of medical identity theft where someone has used
someone else's information for the purpose of getting treatment. It's still
minor compared to the fraud side of it, but it's a serious issue. Whether it is
just the fraud aspect of it or more importantly the patient safety aspect.
How might a data breach such as that of Health
have been prevented? How can health care companies avoid data breaches
in the future?
We have a tremendous amount of health information that is
in unstructured files, Excel spreadsheets, Access databases, PowerPoint
presentations, Word files, you name it, that live outside of those application
databases that are resident on laptops, thumb drives and desktops.
So the first thing we need to do is manage our data better. We need to
determine where that data needs to be and how it needs to be presented so that
we can limit the amount of exposure we have and clean up some of this data that
is spread all over the place that maybe shouldn't be in a lot of the places it
Second, we need to become more information aware. What I mean is
understanding what is going on in our environment. Most of our hospitals today
are still not auditing or monitoring in a real-time fashion. It's still very
Thirdly, we need to do a better job of monitoring our controls. When you
look at the Health Net case and you look at a lot of other cases that have
occurred, in many cases they occurred because of a lack of control or a lax
control. We need to do real-time monitoring of controls. HIPAA requires that
you have automated time-outs set on all of your systems. So that when a system
is inactive for some period of time or a user has not been in a file for some
period of time, the system is supposed to automatically log them out. In many
organizations, we're not actively monitoring that control to make sure that
nobody has disabled it.
No. 4 is we really need to step up education of our users and our patients.
Organizations cannot afford to be responsible for everything. They need to
educate their employees, their staff, their volunteers that are organizing
their patient information and make sure they really understand what they're
supposed to be doing, what their responsibilities are and that they're paying
attention to what's going on around them as well. Then educate our patients,
because really patients are going to be your No. 1 method of identifying when
something's not right-in terms of identity theft, reviewing their credit
report, reviewing their medical bill, reviewing their insurance claims, making
sure what's on those claims is really what happened to them while they're in
the hospital, questioning things that they don't recognize because often that's
how we end up catching it.
How can health care companies keep patient information secure
in the age of electronic
The first thing is obviously to acquire a certified EHR or EMR.
The nice thing that the federal government has done for us today is that for an
electronic health record system to be certified, it has to have basic security
functionality. What that means is if I buy a certified EHR or EMR,
I'm going to have the basic functionality in that application to implement or
protect the data properly.
We need to quit buying systems that can't protect the information. We need
to buy systems that have that capability.
The next thing is you need to implement that functionality. I can't tell you
how many assessments we've performed in health care where somebody has had an
application, or even an EHR with all the functionality, and still hasn't
Have somebody else look at your system that's not involved in the day-to-day
running of that system that will look at it with an objective third-party eye
and validate it that it makes sense and identify the areas you need to
Risk assessment is required under meaningful use, under HIPAA, yet we still
have a lot of organizations that have not conducted a risk assessment or are
still conducting what I would call less-than-adequate risk assessments-or doing
them themselves. Even though that's permitted, it is always best to have an
independent tester to deal with security.
: From a security perspective, what's your take on the potential
of EHRs and HIEs
[health information exchanges]
If they're done correctly and implemented properly, if the
functionality is enabled, if the system is managed properly, they've got great
potential to enhance or improve security-at least around the information
contained in that EHR.
That still doesn't answer the question of all the unstructured data (network
and share files), that still needs to be addressed. But from an EHR
perspective, organizations now have what they need to do a better job of
managing privacy and security in that environment. The EHR environment that
provides more awareness to both the patient and the provider equals better care.