Hospitals Paying the Price of Not Investing in IT Security

Irv LichtenwaldMathematically, the gap between $3.6 million and $17,000 is a chasm. This is something you know well if you’re Hollywood Presbyterian Hospital, which paid the latter number to unlock patient data held hostage by malicious hackers using ransomware when the former number is what the hackers initially asked for.

While the dramatic reduction in ransom may have caused Hollywood Presbyterian to breathe a sigh of relief, there is no reason they or you should feel comforted. Consider this an initial shot across the bow of what promises to be a lengthy and spirited battle between wired healthcare and cybercriminals.

The fact is, most of healthcare simply doesn’t spend enough on data security. In a study conducted by HIMSS Analytics and Symantec that polled 115 IT and security professionals in hospitals with more than 100 beds, more than half (52 percent) said their organization dedicated between zero and 3 percent of the IT budget to security. Just 28 percent said they spent between 3 and 6 percent of IT budget on security.

“All of this makes healthcare organizations rich targets for cybercriminals,” reads the study summary. “Stolen patient data fetches up to 50 times more than a Social Security or credit card number, because a patient’s EHR contains data that can be used for medical or identity theft, or other fraud. As a result, criminal attacks on healthcare information systems have increased 125 percent in the past five years.”

Smaller IT budgets mean fewer resources for security personnel. Among respondents to the HIMSS Analytics/Symantec poll, 72 percent employed five or fewer people dedicated to security; 10 percent of respondents have 21 or more on the IT security staff. When adjusted to include employees with data security responsibility outside of IT, the average among respondents was 10 people.

So, how many data security pros is enough? How much of the IT budget should hospitals spend on security, adjusting for size? The report offers no specifics. Right now, faced with a growing security concern in hospitals, the answer seems to be “more.”

“The irony is that information technology and data in healthcare are clearly critical to the mission of providing care, yet data security is an afterthought,” said Mac McMillan, chair of the HIMSS Privacy & Security Policy Task Force and CEO of information security and privacy consulting firm CynergisTek. “We don’t have enough” data security specialists, McMillan added, “and we don’t have enough who are qualified to do their job.”

One interpretation of the HIMSS Analytics/Symantec report is that we’ll have a much better idea of how much and how many is enough once we know most healthcare facilities are following proper protocols and successful hacker intrusions level off or decline.

Organizational structure and reporting, for example, is one protocol that deserves attention. It turns out most chief information security officers (CISOs) report to a chief information officer (CIO), effectively making the person primarily responsible for security also in charge of monitoring their superior’s work. Among respondents, 54 percent said security reports to the board don’t happen regularly and 8 percent said they never happen.

The reality is that hospitals need to spend what it requires to avoid the Hollywood Presbyterian scenario. Sure, it was only $17,000 this time, but it will be more next time, and perhaps it will be a lot more than one organization can afford.

The initial investment in sound security will require more dollars, physical and technical protections, and people, but it doesn’t have to stay that way after a solid, sustainable security program is in place. Witness recent examples in Ottawa, Canada, and Henderson, Kentucky, in which hospitals were hit with ransomware attacks and were prepared to weather the assault.

Proper security. No assault. No ransom paid. No data lost. No patient data compromised.

In the real world, there are critical access hospitals that don’t have 21 doctors and nurses combined, let alone 21 employees focused on IT security. Fewer security personnel reliably correlates with vulnerable technical infrastructure and an inability to keep up with essential IT changes and upgrades.  

So what can hospitals that lack money and a current security plan do to avoid the same fate as Hollywood Presbyterian? For starters, line up the ducks. The organization of waterfowl, according to HIMSS Analytics and Symantec, requires establishing priorities and inculcating organizational practices.

  • Make the CISO and CIO parallel positions to maintain separate spheres.
  • Include security updates in regularly scheduled reports to the board.
  • Establish an ongoing, consistent risk-management program.
  • Prioritize and reach a consensus on data-security measures.
  • Make medical device security and the Internet of Things part of the security plan.

“Healthcare is a very open, caring and trusting business,” said McMillan. “They [hospitals] don’t understand that you cannot have privacy without good data security.”

Okay, maybe some in healthcare don’t fully grasp the dangers of the brave new IT world their hospital or clinic is moving into. However, I think that, after years of internalizing HIPAA, clinicians and other healthcare workers understand privacy and security just fine. It’s not like healthcare is the only industry to be successfully hacked, after all.

My question is not so much about understanding as it is about investing in safety. How are hospitals already close to the financial margin going to pay for additional security protections, including needed staff, to keep the bad guys out of the (data) bank vault?

We won’t arrive at the solution simply or quickly and it will require extensive collaboration similar to creative broad-based initiatives currently underway.

To date, the ONC-initiated Interoperability Pledge, for example, has garnered written commitments from healthcare organizations of all stripes across the nation. These include the five largest health systems and providers in 46 states, as well as companies that provide 90 percent of the EHRs used by hospitals nationwide. No, a pledge is not binding, but it is indicative of a serious appreciation of the need to ensure easy, secure access to health information for patients and the providers serving them. It may also pave the way for more substantive collaboration around future nationwide interoperability.

Perhaps the CHIME National Patient ID Challenge, which focuses on the challenge of accurately matching patients with records and offers $1 million for the best solution, can serve as a model. Like security breaches, inaccurate matching annually creates millions of dollars in additional costs and harms patient safety. A patchwork of identification solutions have yielded at most 80 percent matching accuracy, even in our most sophisticated hospitals. Aiming for 100 percent accuracy, the CHIME challenge has lit a fire under at least 80 entrants across seven countries ranging from startups to large corporations to clinicians and even including credit bureaus.

Both the CHIME and Interoperability Pledge initiatives strive to harness the collective wisdom of a diverse community and maximize limited resources, including people, in a way that produces broadly beneficial results.

At some point in the near future, this kind of cross-industry collaboration on effective security systems, standards and strategies could be shared affordably with smaller hospitals and other providers that face ongoing resource challenges. In that aspect of dealing with burgeoning security threats, there is probably a role to play for everyone from the federal government to private industry to healthcare providers right down to the smallest critical access hospital in rural New Mexico.  

That hackers are increasingly targeting healthcare clearly says something about the newfound maturity of the industry. That they are lured by the prospect of easy pickins says something as well. We can take a moment to dwell on the former, after which the latter demands all the energy we can spare.  

Hospitals Paying the Price of Not Investing in IT Security was authored by Irv Lichtenwald and published in the HITInsight Blog. It is reprinted here with permission. The original post can be found here.