With all the recent headlines around data breaches, hacking incidents, and even ransomware attempts hitting U.S. patient care organizations, one might think that CIOs, their fellow c-suite executives, and hospital and medical group boards of directors would be farther along on their cybersecurity journey. In fact, a new survey-based study has found that there is real reason for concern. During HIMSS16 in Las Vegas earlier this month, leaders from HIMSS Analytics, a division of the Chicago-based Healthcare Information & Management Systems Society, and from the Mountain View, Calif.-based Symantec released the results of a new study, entitled “Healthcare IT Security and Risk Management Study.” David Finn, health IT officer at Symantec, presented and described some of the results on Wednesday, March 2, on the exhibit floor of the Sands Expo in Las Vegas, during HIMSS16.
The survey was conducted online in December 2015 and drew 115 respondents. The researchers then conducted 10 follow-up phone interviews with CIOs and other healthcare IT leaders, in order to add depth and detail to the online survey results.
With regard to the respondents, 38.3 percent represent hospitals and health systems with 501 or more beds; 26.2 percent represent hospitals and health systems with 251-500 beds; 36.5 percent represent hospitals and health systems with 101-250 beds; and none represent hospitals and health systems with fewer than 100 beds.
Among the study's important findings:
- When asked what percentage of their total IT budget (operating and capital) is devoted to IT security, 51.6 percent said 0-3 percent; 28.6 percent said 4-6 percent; 9.9 percent said 7-10 percent; and 9.9 percent said more than 10 percent.
- Asked how many employees from both inside and outside IT are allocated to IT security in their organization, respondents answered as follows. Inside IT: fewer than 1, 12.0 percent; 1-5, 60.2 percent; 6-10, 10.2 percent; 11-20, 8.3 percent; 21-30, 3.7 percent; more than 30, 5.6 percent. Outside IT: fewer than 1, 55.9 percent; 1-5, 32.5 percent; 6-10, 2.9 percent; 11-20, 20.0 percent; 21-30, 1.0 percent; more than 30, 5.9 percent.
- The adjusted total average number of IT employees devoted to IT security was 9.9 FTEs.
- With regard to how often IT security was discussed at their organizations’ board meetings, 53.9 percent said it was discussed “upon request of the board or executive management”; 20.9 percent said, “at most board meetings”; 10.4 percent said, “at every board meeting”; 7.8 percent said, “never”; and 7.0 percent said, “other.”
- Unfortunately, only 46.09 percent of respondents are currently addressing data security threats potentially coming through their organizations’ medical devices, though 33.04 percent are “beginning” to do so, and another 16.52 percent “plan to do so.” The percentages of respondents whose organizations are already addressing IT security on mobile devices and on cloud-based applications are higher, at 69.57 percent and 61.74 percent, respectively.
Finn, a former hospital CIO, spoke this week with HCI Editor-in-Chief Mark Hagland regarding the study. Below are excerpts from that interview.
There are a lot of significant results to talk about from this survey and study. Were you surprised by any of the results involved?
You know, that’s a great question. We get that asked a lot. And honestly, since I’ve been doing this for so long, the only surprising thing is, here we are 13 years down the road from the privacy act, and 11 years down the road from the security act, and the only thing surprising to me is that we still haven’t done very much, substantively speaking. Independent Security Evaluators, ISE, did a survey, too.
We haven’t addressed some of the real issues like medical devices; and we still haven’t addressed issues like cloud and mobile devices. And we still approach it from this kind of “check-the-box” perspective, as though it’s a compliance issue, and compliance doesn’t protect you, you’ve still got to be secure.
The now-infamous ransomware situation unfolded at Hollywood-Presbyterian Medical Center after the survey had been completed. What do you think of that situation in the context of the survey/study?
I went directly to HIMSS from a week on the road, and my weeks on the road are typically with customers. And every customer that week before HIMSS had noted an uptick in ransomware attempts. And these are not purely Symantec customers, they also have other products. And they all made it through those ransomware attempts; one struggled, but they all made it through. And there was some bashing about Hollywood Presbyterian paying the ransom. But the thing is, this is not a security problem. When Hollywood Presbyterian paid the ransom, it wasn’t to get data back or turn systems on, it was because they couldn’t take care of patients. This is not a security issue, it’s a patient care issue. And this will continue to happen. And it really needs to become a concern of the c-suite—and CIOs need to communicate that to the c-suite.
What do CIOs need to do to get their fellow c-suite leaders engaged around data security right now?
The issue is, the IT people do see this as an IT issue, and there is an IT issue, of course, and if IT folks don’t effectively run anti-virus and anti-malware programs and address patch issues, and maintain good firewalls, and all that—well, all that is necessary, of course. But the problem is that IT people so often don’t explain the problem well in terms of the business issues involved.
I’ll tell you a story from when I was a CIO. We went through a network upgrade at one point, and we needed to upgrade a number of Pyxis (medication dispensing) cabinets in order to keep our network updated. So I had my CTO address the issue with our information management governance committee. But he came back to me and told me we hadn’t gotten the money we needed, which was $325,000. That may sound like a lot, but my annual budget was $20 million, so it wasn’t a huge amount. My CTO had focused on the need to upgrade systems, etc.; in other words, he had spoken in [technocratic] terms.
So I took him with me and we went and spent some time with a nurse manager. And what we ended up with was good data on the real costs involved in loss of productivity from non-replacement of those cabinets. We found out what the time lag would be if a cabinet couldn’t be unlocked in a timely way. Ultimately, the costs around loss of productivity meant that the hospital would have to hire more nursing staff, and the numbers added up. So I went back the next week and said, this is the additional cost to the nursing budget. So needless to say, we left the meeting without even having to ask for the money. So this is what CIOs need to do: they need to be able to translate the costs [of non-investment in IT into specific costs] for the clinicians and executives.
Another survey result was that only 19.9 percent of respondents reported that more than 6 percent of their organization’s total IT budget was being spent on data security. Do you think that that proportion will change anytime soon?
We are starting to see an uptick in 2016 spending, and most other surveys are seeing that. But if you look at that, over half of respondents were spending 3 percent or less. And what we find is that federal government officials say that 16 percent of their IT spend goes to IT security. And in the financial services sector, we see 12-16 percent on average. So at 3 percent, we’re never going to be secure. And we have much more valuable data than some other industries. And so who are the bad guys going to go to? I think we see the answer to that.
Another significant survey result was that on average, most organizations have fewer than five employees dedicated to data security.
Yes, there are two pieces to that. The first reaction I get from people [when they hear how few staff are dedicated to data security nationwide] is that they conclude that we’re talking about small hospital organizations. But 60 percent of our respondents were from organizations with over 250 beds, and 38 percent were over 500 beds. So these are not critical-access hospitals.
Will that change soon?
Well, we’re actually starting to see security people embedded in [a variety of] business units. That’s why we asked about security people inside and outside of IT. I’m aware of a couple of hospitals requiring that the business units in revenue cycle and other areas hire someone to do IT security within the unit rather than IT. I was a little surprised that the numbers were so small outside IT, but I think it’s the beginning of a trend. So yes, I was surprised that it was still five or fewer for the most part. And we don’t have a clear idea whether they’re referring to parts of an FTE; and in fact, that may actually be true. You know, often, they have a network guy who does half-time firewall and half-time network support.
One survey result was that CIOs seemed to be more focused on broad strategy than on end-user education. Would you agree that that is a problem?
It’s a big problem, and even though a high-ranking security strategy sounds good, what’s clear from an additional survey result is that the regular education of end-users is still a relatively low priority. And it’s quite disturbing that cybersecurity for end-users was the lowest-rated of several priorities. The level of training was a little higher, but it’s annual end-user training. And we know that the once-a-year, 40-minute training doesn’t do very much. But the reality is that every end-user needs to be a security person. And we found, in the nuance of the in-depth interviews, that most of the training is once-a-year stuff. A lot are doing phishing testing of staff, and that’s a good thing, but they need to do more, and do it more regularly.
What did you think about the results around how often data security is discussed at board meetings?
That result looks good, until you realize it’s on request, and that only 10 percent are doing it at every board meeting. And if we’re saying that cybersecurity strategy is key for the organization and that cybersecurity is a function of the business, which it should be these days, I believe that every board should get a financial/spending report and also a quality/adverse event report, at every board meeting. They’re not getting cybersecurity reports at every board meeting, because it’s not actually as important as their CIO or CISO tells us it is. And for the CEO or board to be ignoring it means that there’s a huge disconnect there.
Given all of these results, what should CIOs be doing right now?
The first thing is that whether the CIO or CISO or ideally, both of them together, are involved, they need to go to the board and put in a plan for IT security governance, and the governance committee has to include stakeholder leaders from across the entire organization. And it has to include additional tools, spending, and head count. The other thing is that that governance group has to include medical device security now. We found that over half of organizations were either just beginning to address, or were planning to address, medical devices. And last year, we saw medical devices being used as points of entry for bad stuff. The bad guys have figured out how to use medical devices to get access to data through the network using that device.
How would you characterize your level of optimism or pessimism around all this, on a scale from 0 to 10?
That is a tough question. I frankly am not optimistic, in the sense that I believe things are still going to get worse before we change our focus and context. All is not lost; I’m not ready to jump off the top of a tall building. We haven’t hit bottom yet. We should have, after Anthem and after HP, those were clarion calls, the message was pretty clear; but I don’t think we’ve figured it out yet.
Is there anything else you’d like to add?
CIOs and CISOs didn’t even understand the threat environment, how dangerous it is, until recently. But I think they realize that everything is out the window, and we need to refocus away from protecting devices, but instead protect the data. People are stealing credentials to get in. What’s more, we still don’t fully understand the data flows, how data flows into the organization, through it, and out of it. And the IT folks are finally beginning to understand that compliance means that you’re compliant, but it doesn’t mean you’re secure. And we’ve got to get some of these compliance and risk managers involved, and looking at the actual risk. We need to change our perspective into one that’s not IT-based, but based on the business, and on the engagement of top stakeholders in the organization.