D'Arcy Gue

Plain Talk: How Hospitals Are Undermining Their Own Security

March 30, 2016

HIPAA & Security 9 Minute Read

Many hospitals’ outdated thinking is promoting potential cyber attacks. Can we fix this?

Strong words.

But so are these:  Violation. Loss. Damage. Medical mistakes. They should automatically come to mind when healthcare data security is mentioned.  Ask any hospital leader whose facility has already been burned by a cyber attack. Yet in many hospitals whose systems have not been compromised by a hacker, the subject of security remains off the C-level radar, or simply irksome. At best, executives want the IT people to just get the security stuff done…no details, please. (And no budget boosts either.) At worst, they want the IT people to keep security improvements on a back burner, and mostly in the off position. Nevertheless, there is no time to waste in eliminating these dangerous scenarios; harmful hackers are leaping into our healthcare environment.

Americans pay less to protect our health information and our healthcare services than we pay to protect our money. The healthcare industry invests far less in security than other major sectors such as financial services. According to a new study conducted by HIMSS Analytics and Symantec,  52 percent of responding hospitals dedicate zero to 3 percent of their IT budget to security, and only 28 percent spend between 3 and 6 percent. In contrast, a 2015 SANS study reported that few financial services organizations spend less than 6% of their IT budgets on security, and most organizations spend well over 10% and up to 25%.

Consider the following: In the last month, York Hospital in Oregon, Saint Joseph’s Healthcare System in New Jersey, Methodist Hospital in Kentucky and Hollywood Presbyterian Hospital all were victimized by cyber attacks that impacted thousands of patients and employees. As I write this today, reports are coming out of the Washington DC area that the 10-hospital Medstar Health system has just been hacked. Access into these hospital systems has included PHI, social security numbers and even wages. Physicians and nurses have been prevented from using electronic health records. Ransom attacks were responsible for at least one of these incidents: Hollywood Presbyterian hospital agreed to a demand for $17,000 after a 10-day systems lockout.

Recent estimates are that at least one health care organization a month will be affected by cybercrime, but that number already looks too conservative. Hospitals that have not beefed up their IT security recently or have no plans to do so are clearly in peril. As are their patients and their employees.

Why is healthcare behind other industries on security…and how can this change? Over and over, as our staff meets with hospital clients, we see these common themes of resistance:

healthcare security risksStaunch commitment to an overriding priority of patient care. To their credit, most hospital staff work in healthcare because they want to save lives and provide quality care to patients. Hospital executives, even the most hardened CFOs, are committed to this priority. For them, extraneous concerns and their costs are unwelcome and frustrating. Buying and installing expensive security protections fit into this category, as does having to contend daily with associated operational constraints.  Moreover, every dollar invested in IT and data security is a dollar not spent on the new digital X-ray equipment the hospital needs.

Ironically, the goal of data security is very close to the hospital’s quality of care priorities: to protect patients and their well being. It’s broader of course, because employees’ well being and even the hospital’s economic stability are part of a strong security program’s deliverables. Most importantly, a healthcare environment that is vulnerable to technology intrusions may end up hobbled in its care efforts or even prevented from providing needed care by ransom attempts or simply viruses that shut down systems.

Traditional resentment of federal and state interference. I say “traditional” because beginning as the daughter of an Air Force hospital commander, I have heard regular expletives about “government interference” in healthcare for many decades. Many of them were justified, but over the last 20 years, security requirements have fallen directly in that category, under the much-maligned “HIPAA” regulations. Some hospital executives and staff see security almost entirely through the lens of this “HIPAA” brand; it’s just another irksome compliance agenda item foisted on them by the government.

Sure. Security is about compliance, but let’s face it: the confluence of healthcare’s record of poor security and its embrace of information technology was always bound to generate governmental security standards. The mismatch between getting hot new systems onto the market and the more conservative need to slow down and incorporate proper data protections has long been a problem. The authors of the 1996 Health Insurance Portability and Accountability Act (HIPAA) Act worried about weak data security even with fledgling systems used in the 90’s.  They anticipated greater risks as information technology became more fully integrated with healthcare practice – and they were right. Today’s full-featured interoperable health records make security protections critically important. We need to get over “in principle” objections to federal standards in healthcare, just as air traffic controllers, and food and drug manufacturers, and banks have .

Frustration with technology-based problems that are hard to understand. CEOs, CFOs, physicians and other users don’t like being one-upped by their star technology folks who love what they do (fortunately for us) but also speak a different language than we do. IT leaders who punctuate briefings with terms like “endpoint protection platforms,” and  “access control service” can be so unnintelligible that they cause more harm then good. We’ve seen many an executive throw up his hands in frustration and worse, delay in making crucial decisions.

Yes, security jargon is complicated — because security is complicated, along with its financial implications. But hospital executives need to understand the intersections of IT and security well enough to make decisions. They should rebel against techie talk and fuzzy estimates about costs and savings, displaying a low tolerance level for technology staff who would dictate the vocabulary of IT in security-related discussions.  In a nutshell, if your CIO’s reports and recommendations are incomprehensible, get a good interpreter or a new CIO.

Worries about job longevity, i.e. fear of being fired. Rarely discussed, this is a common problem in facilities where management staff feel under the gun to produce a lot with very few resources — or pay the ultimate price. CFOs must make the hospital’s complex and volatile numbers work every quarter.  CEOs must balance the same concerns with supporting physicians’ needs and priorities, as well as developing long term strategic roadmaps with their Boards of Directors — just for starters.

overwhelmed it staffCIOs stand out in this vulnerable group, caught in the crossfire between future-thinking IT strategies that the hospital wants, IT solutions that are necessary (e.g. security), ongoing operational requirements, user needs and, of course, budgets. CIO turnover is high and no wonder. As Healthcare IT News reported in 2014, “It’s not enough to excel in the role. Executives at the top of many healthcare systems are looking for their “’IT guy’ to be a transformational leader.” In 2013, John Halamka, CIO of Beth Israel Deaconess Medical Center, wrote: “The pace of change is accelerating to the point that scope, time, and resources can no longer be balanced with demand, expectation and sustainability.”

The adage “To err is human, to forgive is divine” fits pretty well here; some CEOs understand the dilemma of CIOs today, encourage their professional development and provide additional needed support — but many do not. The former approach is ideal. CIOs who feel inadequately supported tend to be protective of their territory, averse to scrutiny including objective security assessments, and resistant to change. For very human reasons, they may be putting their organizations at risk, and actually be part of the problem.

Budget concerns. Insufficient funding is a longtime challenge across healthcare, and was temporarily ameliorated by Meaningful Use incentives that enabled purchase of sophisticated EHRs. Today, even those hospitals that believed they had strong security controls around these and other systems are having to take a hard look as new and more sophisticated threats appear. Nevertheless, many security officers are allotted limited authority, sparse staffing and tight budgets.

Staying on top of systems security today is expensive. Until recently, the industry comfortably believed that most security threats were internal and/or physical threats (as in laptop thefts). Unfortunately, the increasingly aggressive reach of a worldwide hacker community costs much more to confront than encrypting laptops. And post-breach damage control is likely to cost more than paying for protections that should have been there in the first place.

Organizational position: this won’t happen to us. This posture is denial, plain and simple. In fact, small or large, rural or urban, every hospital is at risk. There is no accounting for criminal tastes. A 100-bed Phoenix client has experienced three ransomware attempts in the last two weeks, which our outsourced infrastructure management foiled. “Enuf” said.

If you aren’t already beefing up your security, you must. But where is the money going to come from in financially stretched hospitals?  The best answer is that If we look at IT security the right way, that question is the wrong question. Identifying security protections as an IT add-on, or accepting security holes as a necessary risk is a wrong point of view. Today’s reality  is that IT security is an essential infrastructure service, just as networks and communications systems are, and should be funded accordingly. A robust budget for IT security must be planned as yet another cost of doing business, as it already is in other industries.

Will the next hospital held hostage by hackers pay out just $17,000 or will it be faced with a demand for much more? In the next hacking incident, will thousands or only hundreds of patients and hospital employees lose the privacy of their health records, social security numbers and wages? If you have invested in a sustainable security program, and keep it up to date, you can prevent the substantial additional costs of such incidents.

But if you haven’t made the necessary investments up front, odds are getting stronger every day that you will have to pay for them anyway, and then some — after your organization has been breached. Think federal penalties, legal costs, the invaluable staff hours required for damage control efforts,  and perhaps most important, public confidence in your hospital.

To talk one-on-one with a member of our security consulting team, contact us. Or call me directly at 928-282-3038.

Related Posts