Dr. Will Gordon has been working at the intersection of healthcare delivery, health tech, and information security for many years.
Before medical school at Weill Cornell Medical College, Dr. Gordon was a developer at Careplace, one of the first health-based social networks. He then honed his clinical skills at Massachusetts General Hospital in Internal Medicine, before becoming Product Owner, Manager, and Director at Kyruus, a venture-backed health IT SaaS startup focused on provider data management, referrals, and patient access, all while continuing to treat patients at MGH. He is now a Clinical Informatics and Innovation Fellow at Partners Healthcare, and recently wrote a New England Journal of Medicine (NEJM) perspective paper on threats to information security and their implications for public health.
In your NEJM article, you outlined many critical threats that information systems introduce and some ways to reduce risk. What is one strategy all health systems can implement today to help mitigate risk?
Dr. Gordon: I think an important strategy that all health systems can implement is increasing awareness. Employee behavior – for example, opening attachments sent to them in an email, or clicking on phishing links – is the biggest risk to information systems in hospitals. Increasing awareness among employees – through targeted internal marketing campaigns, phishing simulations, etc. – can allow employees not only to avoid suspicious emails and other breach attempts, but also to alert information security teams of suspicious communications.
What is one common mistake you see health systems make as it relates to their approach to cybersecurity?
Dr. Gordon: I think a common mistake health systems make is treating cybersecurity as a back-office, administrative issue. The reality is that attacks against hospital systems now directly impact patient care. We’ve already seen this with some of the attacks from this year causing canceled surgeries, canceled appointments, decreased access to laboratory systems, etc. Cybersecurity is a public health issue, and health systems need to start treating it as such.
Is there a right balance health systems should take to push technology vs not being exposed to too much risk?
Dr. Gordon: Absolutely. Technology has changed (and will continue to change) how healthcare is delivered. As newer technology continues to evolve and be implemented in healthcare systems, however, we must acknowledge new risks and work on strategies to mitigate these risks. Making providers and patients aware of the new risks is an important first step. Additionally, new technology should undergo rigorous information security review processes prior to implementation to ensure best practices are being followed.
What is an area of risk that you think health system admins are ignoring right now?
Dr. Gordon: I don’t see health care systems ignoring risk; however, I do think that health care systems are not investing as heavily in information security as they could be. I worry that much of our response continues to be reactive instead of proactive. If we invest up-front in information security, we can potentially prevent or mitigate an attack; however, the business case for increased investment in information security is often not made until a system has already been attacked successfully.
Does the HIT interoperability requirement for Stage 3 Meaningful Use affect how healthcare IT leaders should think about risk?
Dr. Gordon: Yes, I think so. In particular, the API requirement of MU3, while incredibly exciting from the perspective of interoperability and openness of data for research and clinical applications, is a new paradigm for information sharing. Healthcare IT leaders will need to start to think about many more external applications accessing clinical data. Additionally, how healthcare systems communicate the risk of this new paradigm of data sharing and openness will be incredibly important for patient acceptance and usage of the new technology.
On the other end of the spectrum, what are you most excited about as it relates to the use of informatics in healthcare?
Dr. Gordon: I am really excited by the success and energy behind standards like SMART on FHIR. Clinical data is complex, but the community has really come together to work on a way of expressing clinical data so that clinical applications can be portable between health care systems, breaking down traditional silos of information stores. While we are starting to see some of this benefit in a few select places, I am optimistic that this will spread widely and really change how clinicians and patients interact with their clinical data.
What are a couple ways health systems can use technology to improve care and lower costs?
Dr. Gordon: A few ways that have generated attention and strike me as exciting in this area: telehealth for physician collaboration and second opinions, better scheduling software to optimize usage of physician calendars and allow patients to see providers more quickly, ride-sharing apps for patient transport. I think in general, identifying the highest cost aspects of care delivery and asking “Is there a way we can use technology to improve this process?” is a great place to start identifying other areas that technology may benefit care and care delivery.