CynergisTek CEO Goes from Monitoring WMDs to Securing Medical Data

A former U.S. Defense Department intelligence officer, CynergisTek CEO Mac McMillan is now a leader in securing material of a different form: health care IT data.

From monitoring access to weapons of mass destruction to safeguarding medical data, Mac McMillan has done it all as far as security is concerned.

A former director of security at two Defense Department agencies in charge of overseeing inspection of WMDs, McMillan was also an intelligence officer who oversaw the implementation of international arms control agreements between the United States and other countries. In addition, he led programs to provide humanitarian aid to suffering nations of the former Soviet Union, including Azerbaijan and Turkmenistan.

McMillan is currently CEO of CynergisTek, a health care security firm founded in 2003, and chairman of the Privacy and Steering Committee for HIMSS (Health Care Information and Management Systems Society), where he educates companies on data breaches and provides recommendations to the government on how to deal with them.

Recently eWEEK spoke with McMillan to get his take on what causes data breaches and how health care companies can better secure their data.

eWEEK: What trends are you seeing as far as medical identity theft?

McMillan: Probably the main trend in medical identity theft is still fraud as it relates to people getting access to someone else's medical information to put in a false claim and defraud the system. That is still probably the largest or biggest type of event that you see in medical identity theft. When you look at that, unfortunately the bulk of it is done by insiders.

Fraud is the No. 1 reason, and insiders are the No. 1 cause: people who have legitimate access to information who then do something wrong with that knowledge. Probably the No. 2 cause after insider abuse is physical theft or physical loss: stealing computers, stealing tapes, loss of tapes, loss of a laptop, etc. As long as information has value, as long as somebody thinks there's a way to make money by misusing information, there's going to be a risk to that.

Patient safety is probably the biggest risk associated with medical identity theft. And there are cases of medical identity theft where someone has used someone else's information for the purpose of getting treatment. It's still minor compared to the fraud side of it, but it's a serious issue, whether it is just the fraud aspect of it or, more importantly, the patient safety aspect.

eWEEK: How might a data breach such as that of Health Net have been prevented? How can health care companies avoid data breaches in the future?

McMillan: We have a tremendous amount of health information that is in unstructured files, Excel spreadsheets, Access databases, PowerPoint presentations, Word files, you name it, that live outside of those application databases that are resident on laptops, thumb drives and desktops.

So the first thing we need to do is manage our data better. We need to determine where that data needs to be and how it needs to be presented so that we can limit the amount of exposure we have and clean up some of this data that is spread all over the place that maybe shouldn't be in a lot of the places it is.

Second, we need to become more information aware. What I mean is understanding what is going on in our environment. Most of our hospitals today are still not auditing or monitoring in a real-time fashion. It's still very much reactive.

Thirdly, we need to do a better job of monitoring our controls. When you look at the Health Net case and you look at a lot of other cases that have occurred, in many cases they occurred because of a lack of control or a lax control. We need to do real-time monitoring of controls. HIPAA requires that you have automated time-outs set on all of your systems, so that when a system is inactive for some period of time or a user has not been in a file for some period of time, the system is supposed to automatically log them out. In many organizations, we're not actively monitoring that control to make sure that nobody has disabled it.

No. 4 is we really need to step up education of our users and our patients. Organizations cannot afford to be responsible for everything. They need to educate their employees, their staff, their volunteers that are organizing their patient information and make sure they really understand what they're supposed to be doing, what their responsibilities are and that they're paying attention to what's going on around them as well. Then educate our patients, because really patients are going to be your No. 1 method of identifying when something's not right: in terms of identity theft, reviewing their credit report, reviewing their medical bill, reviewing their insurance claims, making sure what's on those claims is really what happened to them while they're in the hospital, questioning things that they don't recognize, because often that's how we end up catching it.

eWEEK: How can health care companies keep patient information secure in the age of electronic health records?

McMillan: The first thing is obviously to acquire a certified EHR or EMR. The nice thing that the federal government has done for us today is that for an electronic health record system to be certified, it has to have basic security functionality. What that means is if I buy a certified EHR or EMR, I'm going to have the basic functionality in that application to implement or protect the data properly.

We need to quit buying systems that can't protect the information. We need to buy systems that have that capability.

The next thing is you need to implement that functionality. I can't tell you how many assessments we've performed in health care where somebody has had an application, or even an EHR with all the functionality, and still hasn't implemented it.

Have somebody else look at your system, somebody who is not involved in the day-to-day running of that system, who will look at it with an objective third-party eye, validate that it makes sense and identify the areas you need to mitigate.

Risk assessment is required under meaningful use, under HIPAA, yet we still have a lot of organizations that have not conducted a risk assessment or are still conducting what I would call less-than-adequate risk assessments, or doing them themselves. Even though that's permitted, it is always best to have an independent tester to deal with security.

eWEEK: From a security perspective, what's your take on the potential of EHRs and HIEs [health information exchanges]?

McMillan: If they're done correctly and implemented properly, if the functionality is enabled, if the system is managed properly, they've got great potential to enhance or improve security, at least around the information contained in that EHR.

That still doesn't answer the question of all the unstructured data (network and share files); that still needs to be addressed. But from an EHR perspective, organizations now have what they need to do a better job of managing privacy and security in that environment. An EHR environment that provides more awareness to both the patient and the provider equals better care.