5 takeaways from the healthcare cybersecurity front lines
Want to read more on cybersecurity? Check out our comprehensive guide analyzing the cybersecurity trends and themes impacting healthcare in 2017 and beyond.
The recent massive DDoS attack may have thwarted some Netflix and chill plans but also provided a stark reminder the internet is a hostile beast. It additionally highlighted concerns over the state of cybersecurity in the healthcare industry. For example, one recent report stated that Internet of Things devices could be hacked in just three minutes.
Cyberattacks such as ransomware and selling personal health data online are becoming commonplace fodder for headlines in the industry. Healthcare Dive recently spoke with security experts on the matter and here are the 5 important lessons we learned (A full transcript of the conversation can be found here).
1. The notion of governance needs to be changed
The five key principles of compliance and security are governance; secure information access; information protection; infrastructure management, and; infrastructure security and protection, David Finn, health IT officer at Symantec, noted.
The roundtable confirmed data governance is key when considering health data, what can be done with it and who should actually have access to it. Providers know health data are a concern but the roundtable concluded health data as a strategic asset is just beginning to enter the collective provider consciousness.
"Like any other critical asset (people, capital or inventory), information is a strategic asset that requires high-level oversight in order to be able to use it effectively for decision-making, performance improvement, cost management and risk management," Finn told Healthcare Dive. "Strong information governance will shift the focus from technology solutions to the people and policies that generate, use and manage the data and information required for care and the related process. This means making information security not only a technology issue but a business issue. You will always need security tools around the data but the business must assess and manage risk with technical guidance from not only IT but all stakeholders in the data/information."
2. Technology adoption must not impede clinical workflow
CIOs work in a massive complex environment. It's very open and the fundamental purpose for a hospital is to provide excellent care to patients. There can be a lot of talk about apps, tools and solutions but CIOs need to remember where they work and not go to bat for tools that hinder clinical workflow.
"When you take a look at what needs to go on, CIOs need to take a step back and understand what their business is and realize that based on the business, there are certain things that can change and some that cannot," Feisal Nanji, executive director at Techumen, said. "When you think about all the clinical preparation and the business processes in a very open environment, you have to make sure that, fundamentally, you're not upsetting patient care or impeding clinical workflow. That is fundamental for what a CIO has to do. Your problem is the massive free flow of information that occurs in thousands of databases. It's not easy."
3. Patients care about breaches!
Each week seems to bring a new report on a provider or company notifying thousands, or in some cases millions, of patients about a breach and potential threat of information mishandling. It's easy to grab onto the big headline-fetching number but there are real people with real lives and bank account and health information attached to those breaches.
Still, it begs the question: When a provider sends out the notifications, do patients notice? The answer was a resounding "YES!"
Art Layne, executive vice president at Cognetyx, shared the story of a data breach of about 7.3 million records from a large health system where patients received a notification that they were going to provide a monitoring service but didn't think any data had actually been stolen. "Within a week, my daughter told me multiple applications had been submitted to credit cards using all her record information," Layne said. "She made it clear to me she would not go back to that health system. I have no doubt there are going to be many patients that will be blackmailed with the information that was stolen and there will be lots of stolen IDs. I have not talked to anyone in this large community that has not been affected by that breach that does not have concern and does not have questions about whether or not they are going to go back to their health system."
4. Breaches could change business relations
Breaches not only affect patients, they affect business relationships. Warren Brennan, co-founder of New Health Analytics, noted breaches have been changing the nature of indemnification clauses between business associates through business associate agreements (BAAs). "From the operating side, we all sign BAAs with some skill and precision and historically the indemnification clause has typically been at the order of two times for professional services," Brennan said.
For example, if an operator performs $20,000 worth of work for a provider, the operator receives a $40,000 risk. This, from Brennan's perspective, is changing. "I'm getting significant evidence across the industry the parent organizations – health systems – are demanding the indemnification clause start at $5 million for any vendor anywhere in the system because the cost of a breach is in access of $4 million. That is going to change potentially significant relations between vendors and providers," Brennan said.
5. It may take awhile to reduce attacks
So when will we see a reduction in cyberattacks? Finn was able to answer why the industry shouldn't hold it's breath:
"Well, that’s a trick question, in my book, but a good one. The hacks and attacks will not abate in the foreseeable future. Can we reduce the number of successful data breaches and ransomware attacks, for example? Yes, and we could do that fairly quickly with some training of end-users and additional tools and/or services at the organization level as well as appropriate staffing and training of the security and risk management functions in healthcare. That will take board-level and senior management engagement and sponsorship. I can tell you that we’ve seen success in both these areas with minimal investment.
It just takes the focus and organizational will to make the change. And then you have to begin to design and implement security as a strategy driven by the business needs – that is probably a three- to five-year effort."
Follow Jeff Byers on Twitter