In our tech-driven age, a new business model, known as software as a service (SaaS), has come into vogue.
The premise is essentially to replace the cost of acquiring and maintaining hardware, licensing software, or trialing different digital solutions by more or less “renting” access to applications through subscription plans. It isn’t entirely unlike the way movie and television audiences stream entertainment, as opposed to renting or buying DVDs (necessitating the purchase of a DVD player, as well as storing or returning physical DVDs when renting).
And at the start of 2017, we saw the criminal world get its own, lucrative SasS: Goldeneye, an on-demand ransomware package available for purchase by would-be hackers around the world.
Healthcare leaders undoubtedly recognize the term “ransomware” better than most other industries, seeing as how 88 percent of ransomware attacks specifically target hospitals and healthcare data. So while hospitals are often stuck purchasing proprietary EHR solutions, with the associated support and training, in the more traditional model of licensed use, their chief threat has taken advantage of more mobile, sophisticated technology to turn data into financial leverage and payouts.
Cyberattacks and Syringes: All in a Day’s Work
For several years now, hospital leaders have routinely listed cybersecurity and data management solutions as top challenges and areas of focus for their organizations, their leadership teams, their HR staffing priorities, et al. In fact, the line between unlocking and securing data is blurred further every day; unlocking data (to make it more portable, more useful, and more meaningful) and security challenges (securing that same data and controlling its movement, its visibility, and its vulnerability) can seem fundamentally at odds with one another. With consumer-facing wearables and devices encroaching further and further into the healthcare sector, providers and clinical organizations have to balance demand with a need to keep their systems safe.
The challenge they point to, though, isn’t recognizing, understanding, or even finding ways to protect their organizations against the amorphous threat of cybercrime; it is finding the financial resources to do what they know is necessary.
The trouble seems to be that criminals and hackers are moving faster in their efforts than clinics are in achieving either security or interoperability. While hackers can purchase a ransomware SaaS, clinical researchers are still struggling to turn clinical research data into something that can be analyzed, processed, and organized the same way a retailer will crunch the numbers to appraise its finances and competitiveness.
The liability of clinical organizations, and the ceaseless demand for their services, means spending priorities are under constant threat of shifting, and that budgets will come up short. When it comes to choosing between ordering basic supplies and trialing a new security solution, compromises tend to favor the status quo over future-proofing measures. It isn’t a failure of leadership or vision, just the hard realities of economics.
One Way or Another, Security Costs Us All
The business world in general — and e-commerce in particular — has proven better than healthcare at quantifying risk, and the possible responses to cybercrime, fraud, and data theft. To be fair, though, the perpetual cycle of growth in the frequency, scale, and sophistication of cyberattacks targeting hospitals can make it all but impossible to accurately predict, much less quantify, the cost of either attacks or countermeasures.
Clearly, the cost of technology is contributing to healthcare costs. That is, in some respects, old news: we routinely hear about how new drugs, new treatments, even new imaging and diagnostic technology impacts the bottom lines of hospitals. Reflexively, we’ve also become accustomed to how utilization in the fee-for-service period of healthcare was driven at least in part by the need to justify the acquisition of new devices, and to turn them into sources of revenue as quickly as possible.
But new data technology carries more risks than malpractice suits or other liability considerations related to their use; far from paying for themselves, it seems data-management solutions are proving to be money pits, with expensive upkeep on top of opening clinics up to the cat-and-mouse relationship between security and cybercrime.
Even if a lack of financial resources is delaying progress on security, money is still being poured into cyber solutions. Unfortunately, many of these “solutions” are short-term bailouts, including nearly a billion dollars paid in ransom to hackers in recent years. The alternative is shuttering hospitals, suspending operations, and risking patient lives.
Are Leaders Having the Right Conversation About Health Costs?
The costs of healthcare are framed as being political and ideological as a matter of habit today, to where it almost seems novel to consider that data-management tech might be an apolitical source of significant revenue drain. Cyberattacks are certainly proven to be expensive, but unlike complaining that poor patients get treated for free while paying and insured patients foot the bill, it isn’t always easy to turn the security/vulnerability paradigm into an exercise in dogmatic finger-pointing. In American politics, if you can’t blame your opponent, you tend to avoid the subject altogether.
So the conversation over Obamacare and the repeal and/or replacement process remains firmly uninterested in considering whether we are all paying more, not because of insurance marketplaces, but because of criminal enterprises.
The unique relationship between healthcare and health insurance is also important to the evolution and cost of data technology. Obviously both sectors rely heavily on information: quantity, quality, and portability of data sets prices and risk pools for insurers, and commands best practices and measures outcomes of care. It should be no surprise that much of the investment in insurance tech in recent years has been dominated by health insurance specifically. If hospitals and insurers can share data, both can become more efficient, and theoretically, affordable.
Despite the adversarial way insurance and healthcare are sometimes described in public discourse, their goals and their means of achieving those goals intersect profoundly when it comes to data management: keeping more people out of the hospital using lower-cost, less-invasive means saves money and resources, and can be made possible through better analytics.
But the measures taken by insurers to manage and secure their data do not always (or even often) extend to the hospitals from whom they hope to collect even more data.
The conventional wisdom (or passive-aggressive boast) that America leads the world in innovation and the advancement of medical technology, if it weren’t under threat already, certainly seems doomed if we can’t get our hospitals and caregivers armed with digital devices in support of research and knowledge sharing. Doing that effectively requires security solutions, which in turn takes much more investment and savvy than healthcare organizations are currently able to access, afford, or leverage.
We ask who is paying for whom when it comes to care; we might pay more attention to how we are all paying thieves and hackers to threaten our data. Without budgeting for security, debating the fairness of any system is more of a luxury than a starting point for reform.