All the sessions at Tuesday’s CHIME LEAD Forum-Toronto, being held at the Omni King Edward Hotel in downtown Toronto, focused strongly on the many dimensions of cybersecurity challenges in patient care organizations—across the U.S. and Canada, and globally. The event, being sponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME), in cooperation with the Institute for Health Technology Transformation (iHT2—a sister organization to Healthcare Informatics under the Vendome Group corporate umbrella), began with a keynote address by Russell P. Branzell, CHIME’s president and CEO.
Branzell began the day by offering attendees a stark view of the current international cybersecurity landscape. Placing the current healthcare data and IT security situation into a global, pan-industry context, Branzell shared with LEAD Forum attendees his perspectives on why the healthcare industry, in the United States and Canada and internationally, is particularly vulnerable.
Early on in his presentation, Branzell asked the question, “How are we truly going to secure a world that’s uncontrollable, in terms of data?” He shared a story about a healthcare IT vendor’s client conference in which about 40 hospital and health system CEOs had been gathered together. Branzell said that some of what was said at that meeting astonished him. For example, he told his audience, “I asked those CEOs, how many of you outsource data to a third party? They all did. And the reality, when people talk about the cloud, is that there isn’t really some amorphous ‘cloud’—in fact, your data is in a data center—or in multiple data centers. And I also asked the CEOs, how many of you know where your data actually is? And no one could say that they did. People don’t know where their data is, because we’ve gone to a virtualized world.”
What makes the healthcare industry particularly vulnerable, Branzell told the CHIME LEAD Forum audience, derives from two different factors. First is that the value of a medical record on the open market is ten times greater than the value of a credit card number; second is that healthcare data is so fragmented and exists in so many places.
Branzell shared with his audience several key facts, including the following:
> In 2015, 110 million medical records were breached in the top ten breach incidents in the United States, while at least half of the medical records in the U.S. were breached last year.
> Globally speaking, there has been a 60-percent increase in data breach incidents, year over year, among healthcare payers and providers.
> Also internationally, the largest single data breach in healthcare, in a patient care organization in 2015, was a breach in South Korea that exposed 17 million patient records at once.
> The largest number of data breaches that occurred in any country in 2014 occurred in the United Kingdom.
> Also worldwide, 35 percent of breaches took place in healthcare.
> The average cost of a data breach, globally, was $3.79 million. And that is a bankruptcy even for a small hospital.
The challenge for healthcare providers in all countries, Branzell noted, is that more than 98 percent of all processes in healthcare are now automated, more than 98 percent of all devices are networkable, more than 95 percent of patient information is digitized, and accountable care and patient engagement rely on all of it. Thus any outage, corruption of data, or loss of information puts patient safety and care at risk.
Looking at the top data security risks in healthcare, Branzell noted that they include the following:
> Theft, fraud, and loss: nearly half of all healthcare data breaches involve the theft or loss of a device that was not properly protected.
> Insider abuse: nearly 15 percent of breaches in healthcare are carried out by knowledgeable insiders for identity theft or some form of fraud.
> Unintentional action: nearly 12 percent of data breaches are caused by mistakes or unintentional actions such as improper mailings, errant emails, or facsimiles.
> Cyber-attacks: There was almost a doubling of these types of attacks in 2014.
> Meanwhile, there was a 138-percent increase in medical records exposed worldwide in 2013.
Among the challenges facing healthcare executives, Branzell noted, are the following:
> Patient care organizations’ cybersecurity defenses are not keeping pace with the emerging threats.
> The three most common types of cyber-attacks now are spear phishing, Trojan horse attacks, and malvertising.
> Most patient care organizations still can’t effectively detect or address these emerging types of attacks.
> Most hospital boards of directors still lack actual oversight over cybersecurity issues.
> Most patient care organizations are still not proactively preparing themselves for ransomware attacks.
> And 17 percent of hospital organizations in the United States have yet to conduct a cybersecurity risk assessment.
In addition, Branzell cited “questionable supply chains,” in which patient care organization leaders cannot confidently name all the entities that are involved in their data, including patient data.
Meanwhile, Branzell also shared with his audience some facts about malware and related threats, including:
> There are more than 3.4 million botnets active in United States healthcare markets.
> Currently, 20-40 percent of recipients in phishing exercises fall for phishing scams.
> What’s more, 26 percent of malware is being delivered via HTML, with one in every 300 emails infected.
> Malware analyzed was found undetectable by nearly 50 percent of all anti-virus engines tested.
The threats are only going to become more intense over time, Branzell said, partly because of clinician and staff mobility—and the mobility of all workers. “We are living in a world of mobility,” he noted. “And medical staff are turning to mobile devices to communicate, because doing so is easier, faster, and more efficient. And yet,” he noted, “in that room with 40 CEOs in it, not a single CEO raised their hand when asked whether they had required doctors and others who bring their personal mobile devices into their patient care organization to have their devices securitized.” That, he said, shows how frightening the situation really is on the ground these days.
Meanwhile, Branzell told his audience, cybersecurity insurance policies are being written, but there are a number of challenges in that emerging area. What those policies are called differs from one insurance company to the next; common nomenclature includes “identity theft,” “privacy,” and “data security” policies. Those policies are being underwritten as sub-policies or endorsements to errors and omissions policies. However, because they are written under errors and omissions policies, non-insured contracting parties cannot be named as “additional insureds.”
Finally, Branzell noted, the average percentage of overall hospital organization operating budgets being spent on IT right now is 3.5 percent among U.S. hospital-based organizations. And within that, about 3.5 percent of hospitals’ IT budgets are being spent on data security. That, he noted, contrasts strongly with the 8-10 percent of overall operating budgets being spent on IT by big banks, and with the 27 percent of their IT budgets that they are spending on data security. And, he added, “When I talk to people at the big banks, they are saying that that 27 percent of IT budget being spent on data security is not enough.”
Panel reflects on challenges
In the afternoon, the cybersecurity focus continued, as CHIME executive vice president and chief strategy officer Keith Fraidenburg moderated a panel entitled “Essential Factors for Cybersecurity Preparedness.” The three healthcare IT leaders on the panel were all CIOs, one Canadian and two American. They were: Lydia Lee, senior vice president and CIO of University Health Network, Toronto; Patty Lavely, senior vice president and CIO of Gwinnett Health System, in Lawrenceville, Georgia; and Jeff Wilson, director of information services, assurance and IT security, Albany (New York) Medical Center.
Asked to summarize some of the current challenges and advances on their organizations’ journeys around cybersecurity, Gwinnett’s Lavely said, “Currently, we are in the process of relaunching our cybersecurity program. We started last year. We engaged a consulting firm partner to help us develop our program and to supplement our staff. Staffing is a real issue for us,” Lavely said. Despite the cybersecurity staff deficit, she reported that “We have expanded our risk assessments,” and that, rather than being focused primarily on complying with regulatory requirements, the risk assessment process in her organization is now more strategic, thorough, and comprehensive.
“I think that our senior leadership does realize how important this is,” Lavely continued. “But when it comes down to our labor committee, do we end up hiring more nurses, or cybersecurity people? We continue to hire nurses,” she conceded. “And cybersecurity vulnerability continues to be an issue for us,” she said, referring in particular to the difficulty of getting end-users to do better on phishing tests. That said, she noted that “We do a daily leadership huddle, and cybersecurity issues and data breaches are reported in that daily huddle.” What’s more, she said, “Our recent phishing awareness campaign did succeed in raising awareness.” Meanwhile, she noted, “We recently did a system-wide password reset. And if you want to get people’s attention, do a system-wide password reset.” She and her colleagues have also redone their incident response protocols. Further, she noted, “Probably the biggest win for us is that our board of directors really takes an involved approach to cybersecurity and are very concerned, and ask questions,” particularly with regard to the monthly cybersecurity report that she prepares for them.
Albany Medical Center’s Wilson noted that, “Up until 2014, our security group was dedicated to provisioning systems—setting up accounts and turning them off. But with all the data breaches,” he said, “we started reassessing what we were doing and where the gaps were. We did that in 2014 and 2015. By December of 2015, we had completed an incident response assessment. And we have something like 18 projects in play this year,” he noted.
The three keys to success in the cybersecurity arena, Wilson posited, are “prevention, detection, and response. You prevent what you can, you detect what’s going on, and you respond to what is happening. Unless you can effectively respond, your response plans are inadequate.”
University Health Network’s Lee noted that, given that UHN is a four-hospital, 1,304-bed system with 18,000 users, her IT staff of 200 is relatively small. What’s more, she said, noting the academic and research nature of her organization, “We are operating in a highly, highly complex clinical IT environment.”
In addition, Lee said, “The thing that’s a little bit different in this region is that we’re also very active in leading our regional HIE [health information exchange], which runs across the entire greater Toronto metro area, with 7 million people. Our team led that,” she noted. The HIE encompasses a diagnostic imaging repository, and “All of our information feeds that repository. And, as much as we’re concerned about what’s going on inside our organization, we’re also concerned about what goes on outside it. So we have to be very concerned about how all of our systems are architected, because your best security is only as good as your weakest link.”
Lee noted that recently, “When we took a step back and took a look at our information security landscape, we looked at our privacy process. We had gone through a whole maturity assessment and program review, and we followed the guidelines developed in our privacy program review, which was ratified across Ontario. There are seven principles about design development in privacy, and we took those and adapted them to security.” Among them, she said, was to make privacy—and now security—a default setting; to embed privacy—and now security—into system design; to achieve proactive functionality; and to provide enterprise-wide, end-to-end security.
Lee noted that a lot of reporting now takes place around data security deficits within the organization, so that the challenge is how to strategically and tactically address those deficits. Interestingly, she said, “Most threats that are uncovered appear ostensibly to come from Canadian sources. We’re thinking that what that means is that international people are using Canadian sources as a doorway. So it’s very tricky to actually see what’s going on.”
When, during the audience-participation portion of their session, the panelists were asked what they would do if they could have an ideal situation, Gwinnett’s Lavely said, “Right now, 3 percent of our IT spend is on security; it probably should be above 10 percent. And we should triple our IT staff. Now, we’re in the middle of a merger with another organization, so that will influence the outcome of this; but that’s what we’re looking towards.”
“I would say increasing the overall level of maturity in the system would be my wish,” Albany’s Wilson said. And UHN’s Lee echoed Lavely when she said, “I would definitely like to increase staffing. We have only three people on our IT security team—one CISO, and two who do systematic control and audit. So that keeps me up at night. Staffing is definitely a major issue for us. So rather than buying more stuff, I would invest heavily in staffing. So that, instead of us having to remediate after the fact, after someone clicks on something they shouldn’t have, we want to get ahead of that. Just as ten years ago we said quality was everybody’s business, now we’re saying that about security.”
Some of these broad discussions will continue on Tuesday and Wednesday, as the Health IT Summit-Toronto gets underway, also at the Omni King Edward Hotel in Toronto.