Skip to content Skip to navigation

Knowing the Enemy, Knowing Ourselves: Mac McMillan Challenges HIT Leaders on Data Security

August 17, 2015
by Mark Hagland
| Reprints
Mac McMillan challenges attendees at the Seattle CHIME Lead Forum to rethink data security strategies

Urging his audience to ramp up its awareness of the rapidly accelerating threats in healthcare to data security, nationally recognized healthcare data security guru Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm, told attendees at the CHIME Lead Forum-Seattle on Aug. 17 that “knowing the enemy, knowing ourselves” is going to be the key to healthcare IT leaders’ making progress on data security in a rapidly changing world.

Speaking on the topic “What Is Cyber Security and Why is It Crucial to Your Organization?” McMillan provided the opening keynote to the CHIME Lead Forum-Seattle, cosponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and the Institute for Health Technology Transformation (iHT2—a sister organization to Healthcare Informatics under the joint umbrella of the Vendome Group, LLC).

In his address to his audience, McMillan painted a landscape of rapidly accelerating threats to protected health information (PHI), data security, and the optimal functioning of patient care organizations across healthcare. Yet that landscape is one whose full measure of risk, he asserted, too few senior executives, even including senior IT executives, in healthcare yet appreciate.

Mac McMillan

An example of the menace, McMillan noted, is what’s going on nowadays around medical devices, as medical devices become increasingly fully integrated into the information networks of hospital organizations. “This is something that baffles me,” he said. “We now have definitive evidence that there are hacks taking advantage of weak networks, and yet we still have no real concrete action to create a standard for devices that connect to a network. Anyone who wants to can go out there in their garage and develop the next intravenous pump and take it to market, as long as it meets basic safety requirements of the FDA [the Food and Drug Administration]. We had devices sold on the market until the beginning of this year, that were based on the very first version of XP. And people bought them by the hundreds, knowing they were devices that were insecure and unsupportable.”

More broadly, McMillan said, “What’s really interesting to me is that this industry has absolutely embraced technology in the way that it supports care—in terms of medical and surgical procedures. We have all kinds of technology that assists us in terms of doing procedures, and yet we still don’t think of IT as a strategic asset. If we thought of it as a strategic asset, we would probably think we need to protect it better. And yet we spend less than half of what other industries spend on security.”

What’s more, all of the new threats—phishing attacks, commercially driven hacking and hacking to facilitate identity theft and fraud, hacking on the part of hostile foreign governments, and all the other threats—are taking place in the context of a patient care operations landscape in which more than 98 percent of all processes are automated, more than 98 percent of all devices are now networkable, and more than 95 percent of all patient information is digitized, McMillan emphasized. In addition, he said, “We have our supply lines extended incredibly compared to a few years ago. Ten years ago, there would be fewer than 50 people who would touch a patient record or information, today, there are more than 150 people who touch a patient record, and more than half do not work for the hospital. So the universe of folks touching our information has grown tremendously,” he said.

Awareness is increasing now, McMillan conceded. As evidence, he noted that 87 percent of respondents to a recent cyber security survey conducted by the Chicago-based Healthcare Information and Management Systems Society (HIMSS), reported that data security/cyber security has become a higher priority in their organizations, while two-thirds noted that they had experienced a significant data security incident recently.

McMillan spoke extensively about the need for the healthcare IT leaders at patient care organizations to begin to focus on proactive, automation-facilitated monitoring of the behaviors of individuals in patient care organizations, and the need to let go of the illusion that simply fulfilling federal compliance mandates will do the job. He cited as an example the fact that when professional-level hackers infiltrate hospital-based organizations’ networks, they are inevitably careful in not tripping wires around violating rules that are compliance-based. Instead, they are simply viewing patient records and sensitive information at far higher rates of volume than they should be doing, and only through automation-facilitated auditing processes, can such behaviors be identified, and criminals be unmasked.

Indeed, he said, the first thing that the hackers have done in all the most high-profile recent breaches of health plans and patient care organizations is to, once they infiltrated networks, immediately give themselves elevated data security privileges. He cited an example he said was really disturbing.