Chris Van Pelt is a principal in the healthcare IT practice at PricewaterhouseCoopers Advisory LLC. The Cincinnati-based Van Pelt, who has been a healthcare CIO, including for three years at Clarian Health in Indianapolis (now IU Health), and who has 24 years' experience in the healthcare industry, has been in his position at the PwC consulting firm since August 2012.
As attendees gathered for the opening reception of the CHIME Fall Forum, being held at the J.W. Marriott Resort in San Antonio, Tex., and being sponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives, Van Pelt sat down with HCI Editor-in-Chief Mark Hagland to talk about recent developments in the data security arena in healthcare. Below are excerpts from that interview.
We’re beginning to see really serious attacks on patient care organizations now, including a sustained attack on Children’s Hospital of Boston earlier this year, that go beyond the low-level (yet still-significant) data breaches that had already become commonplace. Is it your belief that we’ve seen a lot of missed opportunities around data security in our industry?
Absolutely. We could have gotten ahead of what we knew to be coming. The financial services sector was attacked very purposely by foreign countries—actual governments including China and Russia, as well as organized crime syndicates in African countries—and the federal government has had to intervene to help all the banks and financial institutions. There are now weekly conference calls involving federal officials and senior IT managers at all the major banks, to combat what’s going on.
And logically, we all knew that the healthcare and energy industries should have been next in line to be targeted by these very major entities. And as it turns out, both are now being hit. As recent reports have noted, our financial identity is worth about 1 cent to 3 cents, because it can be turned off very quickly when personal identity theft is revealed; it costs a significant amount to us as individuals, of course. Meanwhile, a medical identity has been determined to be worth between $75 and $150 per identity, versus 1 cent to 3 cents for a financial identity, because you now have huge amounts of money, collectively, invested in health savings accounts and flexible spending accounts, HSAs and FSAs, and those accounts have been configured to roll over from year to year. And since a medical identity can transcend years, it has a useful life to it that’s much longer than it used to be. And that’s not even to mention the value of being able to bill fraudulently using your account.
What can healthcare IT leaders do, then, facing such huge threats, from actual foreign governments and from large, organized crime syndicates headquartered abroad?
We’ve had numerous discussions in public forums about this. Last year at the CHIME Fall Forum, we facilitated a discussion with about 35 CIOs and CISOs from across the country, and had that point made. We’re not big as hospital-based organizations, and we’re not banks. And yet patient care organizations in this country, whether 40-bed hospitals or 20-hospital systems, absolutely are at risk for these attacks now. These criminals, and governments, are coming at anything they can get access to. Water seeks its own level, and they’re going to access anything they can. So frankly, whatever size patient care organization you are, they’re coming after you.
And within healthcare, we’ve focused as an industry on HIPAA-mandated and other types of compliance. It’s a total checklist mentality. And it’s so basic an approach, it doesn’t even get to preparedness. The delta between, are you compliant, and are you prepared, is monumental. You can do mental exercises, etc. And I can tell you as a partner in a major firm, I could go around to half the CIOs in the industry and ask them, would you know that your organization was being intruded upon from a foreign government? It’s totally different from the level of an intrusion from an individual. If a foreign government breaches your security, they don’t want you to know what’s going on; they’re very sophisticated, and they’re going after your data. So during a two-year period, would a single hospital or health system know that was happening? By and large, the answer would be no. And what would they do to insulate the hospital or health system and allow it to continue to operate while facing that threat? We’ve got a very basic diagram around compliance versus preparedness that we share with client organizations, in this.
Children’s Hospital of Boston was targeted by hacktivists earlier this year, and the IT leaders and managers there spent two weeks fighting their sustained attacks on their information system.
That’s right, whereas, again, a hostile foreign government is not there to let you know they’re there. We had an example where CHS [Community Health Systems] in Nashville was breached by Heartbleed [in August]. A government intrusion wouldn’t want you to know they were there, whereas a denial-of-service situation like the one at Children’s of Boston would purposefully make itself known.
What would hostile foreign governments want, overall?
Identities, intellectual property, including learning what kinds of experiences we’re having with specific medical devices and implants, for example, or information on clinical trials.
Given all these threats, what should CIOs and other healthcare IT leaders be doing?