Editor’s Note: This article is a guest column, written by healthcare blogger Elizabeth Zima, who has interpreted and written both clinical and policy information for the media, consumers, scientists and doctors. Opinions expressed are her own.

EXECUTIVE SUMMARY:

The struggle to protect organizations from cyber threats and data breaches crosses all industries. However, within the healthcare world, that struggle is a couple notches higher.
Read the full story below.

In 2016, Ponemon reported in its Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data that nearly 90 percent of the healthcare organizations studied had suffered a data breach in the previous two years; 45 percent had more than five data breaches in the same time period. These startling statistics make it look like cybersecurity in the health industry is an afterthought.

But that is far from the truth according to a recent survey: 42 percent of healthcare organizations have a vice president or C-level official in charge of cybersecurity. Sixteen percent of those groups had “fully functional” security programs. Another 41 percent reported that they’ve developed and were starting to implement a plan — this according to a study conducted by the College of Healthcare Information Management Executives (CHIME), which looked at large hospitals or integrated delivery networks.

Physicians have a lot to lose when it comes to security. The average cost of a data breach is estimated to be $380 per patient record; plus, healthcare practices could be hit with expensive, and public, HIPAA violations. Not only that, patient goodwill could suffer.

At the same time, cybersecurity personnel qualified to handle the mosaic of healthcare data are hard to locate and hire. Consultants interviewed for this story say hospitals and health systems are struggling with a dearth of cybersecurity professionals to fill roles in the layered landscape of healthcare data. And when they do find candidates, hospital system HR professionals do not know how to value their skills.

In a recent editorial published in online magazine CSO, author Ben Rothke writes about how not to hire for cybersecurity, pointing to a hospital employment advertisement as an example.

According to Rothke, the hospital required the candidate to have a Ph.D. and stated that the candidate would be a part-time, high-ranking member of the senior management team, responsible for “the planning and implementation of enterprise IT systems, business operations and facility defenses against security breaches and vulnerability issues.” All this for $90 hourly when most industry experts know that junior security team members regularly charge $250 an hour.

His editorial suggests that many in the healthcare industry either do not know what cybersecurity entails or they do not know what to pay a qualified candidate. The underlying problem, he said, is that this hospital and others like it are looking for a cheap information security officer rather than a chief information security officer (CISO). “This is an information security perfect storm of low-ball rate and a part-time role, which will result in a disastrously mishandled situation… They will be in triage mode in a year or so when they will urgently need a real CISO to clean up the mess.”

To be effective in cybersecurity within healthcare, professionals need to have a broad range of skills and knowledge beyond healthcare IT. The job includes knowing the legal and regulatory issues that the industry faces, including HIPAA, PCI, and HITECH. Also, the CISO must have a sound understanding of industry business processes, vendor management and threat awareness, physical security, and business continuity management (not just disaster recovery).

Consultants interviewed for this story suggested the best that physicians can hope for is to look for a partner-consultant that will help the practice think about its security risks and help the clinicians take action against intrusions.

“Physicians should look at consultants with local affiliations to hospitals, insurers, and other larger physician groups to reinforce their cybersecurity,” said Don Meyer, head of cloud and data center marketing at Check Point Software Technologies. “This can be an expensive proposition, but the penalties for the lack of security are huge.”

Physicians should understand the risks of not using cybersecurity, he said, and the potential costs of an intrusion. And, he cautions, it is not enough just to satisfy HIPAA requirements to be threat-proof. “Being secure is not just passing an audit,” he said. Physicians are experts in delivering healthcare, but to secure their data, they must think about their broadband connections; how securely their cloud computing company will host their data; and whom they are doing business with and how those parties access their systems.

An example of how much physicians need to think about their affiliations is the Target breach of 2013. The intrusion, as Brian Krebs reported, was “traced back to network credentials stolen from a third-party vendor” that supplied refrigeration, heating and air conditioning to some locations at Target.

Business affiliations can make or break you, said Meyer. The Target breach resulted in the theft of 40 million credit and debit cards; and some 70 million names, addresses, emails and phone numbers were also taken from shoppers. As the result of these thefts, profits dropped 46 percent. To get back on track, Target spent $100 million upgrading their payment terminals to support chip and pin cards.

With this type of threat looming from the dark side of the web, Meyer noted that physicians just don’t have the expertise to configure their electronic data; their expertise lies elsewhere. “Once you identify a consultant,” he said, “they need to be willing to adhere to standards for protecting your business data.”

The world of cybersecurity is young, he added. “We are all still behind the curve trying to keep up with new threats, and the landscape is changing rapidly.”

For example, he points to the recently discovered Key Reinstallation Attack (KRACK), a flaw in the Wi-Fi Protected Access II (WPA2) protocol, which could allow hackers to hijack connections, view communications and decrypt traffic on all Wi-Fi-enabled devices, and launch an attack. Hospitals, clinicians and patients frequently all access the same Wi-Fi network, said Meyer, but is that wise? Wi-Fi was an unknown risk, until now, he said.

The challenge to security experts is how to keep up with the constant discovery of flaws in the security of systems. Said Meyer, “This is something that clinicians cannot hope to keep up with. That is why they need to find partners who think this way and know the risks.”