Why providers can’t let up on security training
Peter Singer, director of the Brookings Institution’s Center for 21st Century Security and Intelligence and co-author of the book “Cybersecurity and Cyberwar: What Everyone Needs to Know,” was quoted in Fortune as saying “Stop looking for others to solve it for you, stop looking for silver bullet solutions and stop ignoring it.”
The “it” healthcare management professionals must address is cybersecurity; the art and science of proactively and reactively protecting your hospital’s data, especially patient health information (PHI).
There’s a saying in IT security circles about how organizations acknowledge the ever-present threat of unauthorized intrusions into their information infrastructures. Basically, it notes at least 95 percent of public and private sector entities admit to have been hacked, while the other 5 percent are liars. Singer suggests 97 percent of all such institutions have been attacked and the remaining 3 percent don’t know it.
The takeaway from both the adage and Singer’s observation is that everyone has been hacked and, more often than not, multiple times—daily. Sometimes hackers will get into a system , park themselves inside and do nefarious things without being noticed.
Of course, the security issue too many hospitals are dealing with now is something that’s very much noticed: ransomware. It’s essentially kidnapping a hospital’s data stores as hackers take control of an IT system with some form of malware and as the term suggests, do some really bad things, including taking data hostage.
Using digital currency, often BitCoin, some hospitals have been forced to pay ransoms to regain access to their information repositories to resume normal operations. The reason ransoms are paid is obvious, pay the money or risk the entire ecosystem of your hospital.
Kim Zetter opined in a recent article in WIRED that hospitals were perfect targets for ransomware. They create and house significant amounts of critical data, the privacy of which must be maintained and access to this information can be lifesaving. They make lots of money (or have access to it) and, most importantly, they’re often sloppy or, worse, lazy.
Let’s not overlook the fact that hospitals contending with ransomware or a simple hack might not be able to send claims to insurance companies or bills to patients, which will cripple their cash flow Even worse, attacked hospitals could be in violation of PCI compliance if any credit card information makes its way into the wrong hands; that then opens them up to legal action as well.
Remember Singer’s admonition of not looking to someone else to solve it? The security of an information system is everyone at the hospital’s job, but most don’t know what to look for, what to do or, equally important, what not to do.
That’s because, like too many things that don’t directly have something to do with the clinical aspects of a hospital, it’ll get addressed when there’s time. When it comes to cybersecurity and ransomware, there is no time. I do not believe my suggesting your system is already infected would be proven false.
Recently the Department of Health and Human Services’ Office of Inspector General concluded a study into hospitals ability to protect their EHRs in the event of an unexpected event, be it natural disaster or “technical malfunction.” It drew the conclusion that “persistent and evolving threats to electronic health information reinforce the need for EHR contingency plans. This review and cyberattacks that have occurred since 2014 underscore our previous recommendation that the Office of Civil Rights (OCR) fully implement a permanent audit program for compliance with HIPAA.”
Just days after disclosing the study’s findings, HHS announced that The University of Mississippi Medical Center (UMMC) agreed to settle multiple alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) with HHS. OCR’s investigation of UMMC was triggered by a breach of unsecured electronic PHI affecting approximately 10,000 individuals. During the investigation, OCR determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet no significant risk management activity occurred until after the breach, largely because of organizational deficiencies and insufficient institutional oversight.
Analyst firms that look at IT deployment in healthcare have long called it an industry that lags in adoption of this crucial technology. While the federal government’s edicts around EHRs have had the greatest impact in IT changes within healthcare, we continue to hear the grumblings. Plus, we learn of hospitals paying penalties for less-than-adequate vigilance, as with the UMMC’s $2.75 million sanction.
Security experts like Singer say the best way to protect and defend against hackers is to train your staff on what to look for and what to do. When he says staff, that means everyone; anyone who touches a keyboard, in an office, at a nurses’ station, wherever there’s connectivity to the IT network.
Healthcare is a business. The data kidnappers know that and, with the ACA and changes in health insurance, the role and place of patients in this equation have changed. More than ever before, they’re customers. There isn’t a hospital open for business in the United States that doesn’t have some sort of patient engagement effort in the works or well underway. All of those programs have to do with the clinical side of things.
Those private sector companies that were hacked saw sales plummet, share prices fall and reputations soiled severely when customer data was hijacked. Imagine what might happen if your customer information was held for ransom or sold to cyber-criminals?
On this, and all too many other digital processes, hospitals need to start today to create a plan to actively stay out in front of this and other equally important issues.