Industry experts are agreed: most of the issues that have risen to the top of the list when it comes to IT security threats facing U.S. patient care organizations in the past year or so haven’t really changed; they’ve only intensified.
To illustrate just how difficult and confounding things have become, Healthcare Informatics reported in June that, according to a June 26 article posted by the news site DeepDotWeb, “A hacker claims to have 655,000 patient records allegedly obtained by hacking into three separate healthcare databases, and is attempting to sell those patient records on the dark web marketplace. According to the DeepDotWeb article… the hacker communicated with the site’s writers via an encrypted conversation,” Healthcare Informatics Assistant Editor Heather Landi noted in an article published online on June 28. “While it has not been verified whether any healthcare organizations have actually been hacked, the hacker provided the media site with images of the database hack from their internal network. The screenshot photos show healthcare databases that expose sensitive patient information, including full names, addresses, date of birth, social security numbers and other information…” What’s more, “The hacker claims to have three separate healthcare databases from healthcare organizations in Farmington, Missouri, an undisclosed location in Central/Midwest U.S. and one in Georgia, and is allegedly selling the databases on a dark web marketplace.”
Such developments can only add to the accelerating level of concern among healthcare IT leaders and industry experts, as ransomware, all types of malware, and other threats are posing a constant menace to patient care organizations and to patient data. Recent surveys on data security continue to affirm what everyone in U.S. healthcare already knows—patient care organizations are under assault as never before from cyber-criminals, with cyber-criminality having risen in the past few years to an unprecedented level, overshadowing all other types of data and IT security threats.
Those with the title of chief information security officer (CISO) in patient care organizations are well aware of the scope of the threats. For example, when asked what the top data and IT security threats he faces are, Howard Haile, vice president and CISO at SCL Health, a multi-hospital health system based in Denver, says, “For me, the two things we’ve been dealing with the most are outsider threats attacking our users, gaining access to our network and data; and the other is the risks related to old legacy systems, such as medical devices that reside on the network. And there are a lot of them; there are way too many legacy devices and other systems dependent on older systems.”
And Fernando Blanco Dopazo, vice president and CISO at the 60-hospital CHRISTUS Health, based in Irving, Tex., says, “I see three major issues right now. The first one is reducing risks of external threats. That involves the basic blocking and tackling of protecting the organization. This is something that in my opinion the healthcare industry hasn’t done well in the past, and is something we’re working on now. The second thing is related to compliance. We have different initiatives we need to comply with, including HIPAA, and including external audits, which are increasing. And the third one is what we call building the resilient organization. It’s not ‘if’ you get compromised, but when. So it’s preparing for incidents. That’s a very important third pillar that we’re working on.”
Industry experts concur. Certainly, ransomware is “one of the top issues,” says John Peterson, a manager in The Chartis Group, a Chicago-based consulting firm. “And in terms of what CIOs and CISOs should be concerned about, the core topic isn’t the data breach; it’s about securing their environment,” says the Albany, N.Y.-based Peterson. “Because it’s not if they’ll experience a data breach, it’s when,” he says, echoing Blanco’s statement. “You think of huge companies like Sony Pictures or Target, that shouldn’t be breached, but are. There are internal threats, and external threats. And Experian, the credit agency, puts out a report periodically; and in a recent report, the Experian people identified that 81 percent of all security events in 2014 were caused by employee negligence,” most commonly loss of user credentials—ID and passwords.
The issues are definitely multi-dimensional, and “They break down into different categories,” adds Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm. “One of the biggest concerns I hear CIOs express is that they’re deathly afraid of that cyberattack that either ends up being a massive breach of millions of records, or takes their hospital offline, where they are publicly embarrassed because they can’t provide services,” McMillan says. “I’ve had CIOs say to me, I’ve worked really hard to build my career as a CIO; I don’t want a cyber-attack to destroy my career. So I think it’s that big cyber-attack that they all know is possible, and they don’t know that they’re ready for.”
Levels of Vulnerability
Given all these threats, what are the levels of vulnerability that CIOs, CISOs and other healthcare IT leaders need to consider right now?