All the sessions at Tuesday’s CHIME LEAD Forum-Toronto, being held at the Omni King Edward Hotel in downtown Toronto, focused strongly on the many dimensions of cybersecurity challenges in patient care organizations—across the U.S. and Canada, and globally. The event, being sponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME), in cooperation with the Institute for Health Technology Transformation (iHT2—a sister organization to Healthcare Informatics under the Vendome Group corporate umbrella), began with a keynote address by Russell P. Branzell, CHIME’s president and CEO.
Branzell began the day by offering attendees a stark view of the current international cybersecurity landscape. Placing the current healthcare data and IT security situation into a global, pan-industry context, Branzell shared with LEAD Forum attendees his perspectives on why the healthcare industry, in the United States and Canada and internationally, is particularly vulnerable.
Early on in his presentation, Branzell asked the question, “How are we truly going to secure a world that’s uncontrollable, in terms of data?” He shared a story about a healthcare IT vendor’s client conference in which about 40 hospital and health system CEOs had been gathered together. Branzell said that some of what was said at that meeting astonished him. For example, he told his audience, “I asked those CEOs, how many of you outsource data to a third party? They all did. And the reality, when people talk about the cloud, is that there isn’t really some amorphous ‘cloud’—in fact, your data is in a data center—or in multiple data centers. And I also asked the CEOs, how many of you know where your data actually is? And no one could say that they did. People don’t know where their data is, because we’ve gone to a virtualized world.”
Two factors make the healthcare industry particularly vulnerable, Branzell told the CHIME LEAD Forum audience. The first is that the value of a medical record on the open market is ten times greater than the value of a credit card number; the second is that healthcare data is so fragmented and exists in so many places.
Branzell shared with his audience several key facts, including the following:
> In 2015, 110 million medical records were breached in the top ten breach incidents in the United States, while at least half of the medical records in the U.S. were breached last year.
> Globally speaking, there has been a 60-percent increase in data breach incidents, year over year, among healthcare payers and providers.
> Also internationally, the largest single data breach in healthcare, in a patient care organization in 2015, was a breach in South Korea that exposed 17 million patient records at once.
> The largest number of data breaches that occurred in any country in 2014 occurred in the United Kingdom.
> Also worldwide, 35 percent of breaches took place in healthcare.
> The average cost of a data breach, globally, was $3.79 million. And that is a bankruptcy even for a small hospital.
The challenge for healthcare providers in all countries, Branzell noted, is that more than 98 percent of all processes in healthcare are now automated, more than 98 percent of all devices are networkable, more than 95 percent of patient information is digitized, and accountable care and patient engagement rely on it. Thus, any outage, corruption of data, or loss of information risks patient safety and care.
Looking at the top data security risks in healthcare, Branzell noted that they include the following:
> Theft, fraud, and loss: nearly half of all healthcare data breaches involve the theft or loss of a device that was not properly protected.
> Insider abuse: nearly 15 percent of breaches in healthcare are carried out by knowledgeable insiders for identity theft or some form of fraud.
> Unintentional action: nearly 12 percent of data breaches are caused by mistakes or unintentional actions such as improper mailings, errant emails, or facsimiles.
> Cyber-attacks: There was almost a doubling of these types of attacks in 2014.
> Meanwhile, there was a 138-percent increase in medical records exposed worldwide in 2013.
Among the challenges facing healthcare executives, Branzell noted, are the following:
> Patient care organizations’ cybersecurity defenses are not keeping pace with the emerging threats.
> The three most common types of cyber-attacks now are spear phishing, Trojan horse attacks, and malvertising.
> Most patient care organizations still can’t effectively detect or address these emerging types of attacks.
> Most hospital boards of directors still lack actual oversight over cybersecurity issues.
> Most patient care organizations are still not proactively preparing themselves for ransomware attacks.
> And 17 percent of hospital organizations in the United States have yet to conduct a cybersecurity risk assessment.
In addition, Branzell cited “questionable supply chains,” in which patient care organization leaders cannot confidently name all the entities that are involved in their data, including patient data.
Meanwhile, Branzell also shared with his audience some facts about malware and related threats, including:
> There are more than 3.4 million botnets active in United States healthcare markets.
> Currently, 20-40 percent of recipients in phishing exercises fall for phishing scams.
> What’s more, 26 percent of malware is being delivered via HTML, with one in every 300 emails infected.