Providers are beginning to understand that they can't afford not to protect themselves against security vulnerabilities like Heartbleed, the OpenSSL bug revealed earlier this year, and the latest threat to healthcare, Shellshock. Shellshock, announced last week, is a flaw in the open source Bash shell that lets an attacker run commands on any system that passes untrusted input into Bash, which puts appliances and network gear at risk, think things like medical devices.
Breaches that stem from coding bugs or other security flaws put a lot of pressure on hospitals, primarily because of the reputational hit a hospital takes when it is breached.
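For readers who want to see what the Shellshock bug actually is, the following is an added example and not code from the article or from anyone quoted in it. The original Shellshock bug (CVE-2014-6271) came from Bash importing any environment variable whose value began with "() {" as a function definition and then continuing to parse, and execute, whatever followed the closing brace. The variable name X, the CANARY and PWNED markers, and the function names are this example's own choices. The first upstream patch was incomplete and follow-on CVEs covered related parser bugs, so a "patched" result here only rules out the original flaw.

```shell
#!/bin/sh
# Added example (not from the article): a local probe for the original
# Shellshock bug. Pre-patch Bash imported an environment variable whose
# value started with "() {" as a function, then kept parsing past the
# closing brace, so trailing text ran as a command when the child shell
# started. X, CANARY, PWNED and the function names are this example's own.

# shellshock_probe [path-to-bash]
# Prints "vulnerable", "patched" or "missing" (no such bash binary).
shellshock_probe() {
  bash_bin="${1:-bash}"
  command -v "$bash_bin" >/dev/null 2>&1 || { echo missing; return 0; }
  # A function body followed by an extra command. The child only runs
  # 'true', so any CANARY on stdout came from the import, not the script.
  out=$(env 'X=() { :; }; echo CANARY' "$bash_bin" -c 'true' 2>/dev/null)
  case "$out" in
    *CANARY*) echo vulnerable ;;
    *)        echo patched ;;
  esac
}

# cgi_style_handler <user-agent-header-value>
# Mimics the path that made the bug remotely reachable: a web server copies
# a request header verbatim into the CGI environment (here HTTP_USER_AGENT)
# before starting a bash child. With a patched bash the output is only what
# the handler prints ("served"); with a vulnerable one the header's payload
# runs first and PWNED appears as well.
cgi_style_handler() {
  command -v bash >/dev/null 2>&1 || { echo missing; return 0; }
  env "HTTP_USER_AGENT=$1" bash -c 'echo served' 2>/dev/null
}

# Run both checks against the local bash.
echo "local bash: $(shellshock_probe)"
cgi_style_handler '() { :; }; echo PWNED'
```

The same probe works against any device that exposes a shell, but the header example is the more important one to internalize: the bug was only reachable because an unrelated component (a web server, a DHCP client, an SSH forced-command wrapper) copied attacker-controlled text into the environment of a Bash child without any validation. Patching Bash closes the hole; not passing untrusted input through environment variables would have made the hole unreachable in the first place.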
"You hear it all the time—you don't want to be the next CHS," Mac McMillan, chair of the HIMSS Privacy and Security Policy Task Force and co-founder of IT security and regulatory compliance firm CynergisTek, told Healthcare Dive.
The loss of consumer confidence, according to McMillan, costs hospital bottom lines. Based on a recent survey, he estimated that 20% of people whose health provider had a major breach would rethink whether they wanted to return to that provider.
"If you lose 20% of your inventory, that could be a big hit," McMillan said.
Part of the solution, according to McMillan, is the adoption of an industry-wide cyber-security framework.
Although there has been ongoing debate over what the cyber-security framework should be for healthcare, the industry has yet to prescribe or adopt a standardized program. Healthcare currently relies entirely on the Health Insurance Portability and Accountability Act of 1996, which McMillan says is, at best, "a floor."
"HIPAA doesn’t cut it," McMillan said. "It’s a compliance standard. It is not a framework that you would build a program around."
Some hospitals have adopted a more robust framework, but there is little consensus about which one to use. Some have adopted ISO (in practice ISO/IEC 27001, the international information security management standard; it grew out of the British standard BS 7799, and ISO's better-known standards, such as ISO 9001, come from manufacturing quality management). Some have adopted ITIL, an IT service management framework that is most appropriate for service-based operations. Still others have adopted the NIST Cybersecurity Framework from the government-funded National Institute of Standards and Technology, a risk-based framework that is the most likely option for healthcare at large. Still other hospitals use a hybrid of several different frameworks.
McMillan believes that there is a "better-than-average" chance that the industry will adopt a standardized framework—whatever that might be—and if it does come to fruition, it will be within the next 18 to 24 months.
"I think there's a better than average chance that it will take hold, primarily because it's got the endorsement at least of the federal government already," McMillan said.
Of course, even if a standardized framework is adopted on the quickest possible timeline, the de facto adoption is likely to be a much longer, more painful process—McMillan estimates five or more years, depending on the sophistication of the organization in question. There are significant costs associated with the implementation of such a framework.
"There are going to be commitments in personnel and acquisition of technology and a great commitment in discipline in [operations]," McMillan said. "There's going to be a higher level of commitment with respect to the qualification of the people who actually manage this program. You're not going to be able to take the HIM person and make them the security person."
But while all of that might make it sound like adoption of such a program might be cost-prohibitive for some organizations, McMillan insists that the opposite is true: Organizations cannot afford not to get on board.