Organizations’ approaches to healthcare data security may have become more comprehensive over the past few years, but there is still a long way to go if a recent study by HIMSS Analytics and Symantec is any indication.
Most organizations conduct IT security risk assessments only once a year, according to the HIMSS Analytics Healthcare IT Security and Risk Management Study. The research also suggested that organizations allocate relatively little budget to healthcare data security. Specifically, of the 91 respondents who answered the question, just 10 percent spend more than 10 percent of their total budget on security.
In total, the study polled 115 IT and security personnel responsible for data security in hospitals with more than 100 beds.
HIMSS Analytics Executive Vice President Blain Newton told HealthITSecurity.com that the study was a combination of quantitative and qualitative research. The goal was to understand where the market currently stands in terms of information security and data security.
“The quantitative research was designed to kind of get a baseline, and then we worked with them through in-depth interviews to gain a deeper understanding of some of the drivers behind where we’re at,” Newton explained.
Taking a broader look at the healthcare industry was important, according to Symantec Health IT Officer David Finn, CISA, CISM, CRISC.
“It used to work when we were all stand-alone [facilities] and no one shared, but now that we have to share the information, and be secure,” Finn stated. “Your strength is only as good as the hospital or the physician or other covered entity down the street that you’re sharing the data with. We need to understand the industry as a whole if we’re actually going to have this interoperability.”
One of the more surprising takeaways of the study for Finn was that the industry is not spending enough money on healthcare data security or prioritizing the right amount of staff for it. Some of the results are what you would expect if it were 2006, he said, but it is instead 11 years after the Security Rule was initiated.
“We all talk about data and information technology being a strategic function of healthcare today and yet we found almost 54 percent of the boards were only talking about security at their request,” Finn said, adding that those same board members probably receive a financial statement at every meeting.
Additionally, board members probably also receive a quality report at every board meeting.
“But they don’t care about security until there’s a headline in the newspaper,” Finn maintained. “And then they call the CIO and the CISO to come to the board meeting. We’ve got to change the focus in healthcare on security.”
Newton agreed, saying that the apparent lack of strategic focus on security was a very surprising study result.
“You’d think that fear would be a great motivator to include it in the strategy,” Newton said. “So far, it seems to be still very much an event-driven, ‘put out the fire’ type approach to security.”
That needs to change because healthcare IT has become mission critical, Newton added.
“You cannot care for your patients without it,” he cautioned. “You see a lot of advancement in the technology to care for the patients, but the basic blocking, tackling, and making sure they can operate securely has not accelerated at the same pace in terms of strategic overview and up to and including vulnerabilities in medical devices. These very significant vulnerabilities that exist you wouldn’t expect to see in a mission critical system.”
Working to take a proactive, not reactive approach
Healthcare needs a culture change in its approach to data security, according to Finn, and those in the industry need to change the way they think about the data itself. That change goes beyond healthcare alone and needs to be a personal one for everyone involved.
“Your provider now has all this information digitally, such as your name, address, Social Security number, credit card information, insurance account numbers,” Finn explained. “And we put it all in one place in healthcare to make it easy for clinicians, for billers, for coders, and for the patient to come in and get admitted. But now, healthcare has all this data about you digitally, and in society we introduced mobility and cloud and social media.”
There is an incredible amount of data sharing going on, Finn said, but now there is all of this very valuable data sitting in one place at the healthcare level.
Previously, when it was only paper charts, the record room could simply be locked up. If a doctor took charts home to review and sign off, he would take maybe a half dozen, Finn stated. But now, if a doctor logs into a system from his home PC or he takes a jump drive home, it might have 100,000 records on it.
“If you were one of those six paper charts that became lost it was tragic enough, but now you can take out a whole city on one jump drive,” according to Finn.
There must be a change in how people think about data, but more importantly how that data is protected.
“No one leaves their car unlocked at the hospital’s parking lot, but they will go away and not encrypt email, leave their screen up, or send an email to the wrong address without thinking,” Finn cautioned. “This is what we’ve got to change – that is a cultural change. It has to start at the top of every organization, not just a CIO. It has to be the CEO, it has to be the board.”
Healthcare data breaches unlikely to cease anytime soon
While 2015 was often referred to as “the year of the data breach,” Newton said that there is no indication that the breaches or attacks are going to slow down.
“If anything, I think it’s going to accelerate,” he stated. “There are vulnerabilities, and there’s not the investment from a health system level, or a governmental level, or any other level that is adequate to protect against it now.”
Finn agreed, calling back to the recent ransomware threats that affected Hollywood Presbyterian Medical Center.
“Now that we’ve got some publicity over the fact that healthcare is easy to get into and that they will pay ransom, it’s going to be a bigger target. It isn’t going to abate,” Finn warned.
Another growing concern Finn pointed to is medical device security and mobile device security.
“What we found is over half the covered entities we talked to were really at the planning stage around addressing security for medical devices,” he said.
There are typically two to five bio-medical devices for every traditional endpoint, such as a laptop or desktop computer. If a smaller hospital has just 1,000 computers, that could still give it up to 5,000 medical devices, Finn explained.
“If you’re not managing the computers very well in terms of security, you probably aren’t doing anything about the medical devices, and this is important.”
The recent FDA medical device guidance is definitely a step in the right direction, Finn acknowledged, especially its call for device manufacturers to focus on security. However, a “hurry up” is still needed.
“We all recognize the problem, it’s time to fix it.”