In a bracing discussion on Thursday morning in Los Angeles at the Health IT Summit-Beverly Hills, sponsored by Healthcare Informatics, the focus returned over and over again to some of the fundamentals of IT security strategy. The first panel discussion of the HIT Summit, which is being held at the Sofitel Hotel Los Angeles at Beverly Hills, focused largely on the major gap between available strategies and technologies and their actual implementation in patient care organizations across the U.S.
Ryan McDaniel, vice president of security and technology at the HCI Group consulting firm, moderated the panel. He was joined by Richard Greenberg, the information security officer at Los Angeles County Public Health; Gary A. Gooden, chief information security officer and director of IT at the Center for Personalized Medicine at Children’s Hospital Los Angeles; and Chris W. Jeorg, chief information security officer (CISO) at Cedars-Sinai Health System—all three IT security leaders local to the conference.
Framing the broad statistics around data security—and insecurity—in the U.S. healthcare system, McDaniel noted early in his introduction of the panel discussion that “We’re looking at approximately 118 million records that have been breached, which means that over one-third of the population of the U.S. has potentially been breached. And we should look at the most relevant updates from 2016. Over the next 24 months, any healthcare location has a 26-percent chance of being meaningfully breached,” he said. “So certainly, this is an important topic we’re discussing.”
Turning to his fellow panelists, McDaniel asked, “What scares you, what is the one problem that keeps you up at night? For me, what keeps me up at night as I work with different organizations, is the category of threats that can be described by the phrase ‘unknown unknowns,’ including insider threats.”
“I’ve been in IT for 25 years, and things are rapidly growing today,” Greenberg said. “And one of the big concerns I have is that the hackers are taking on all sizes, shapes, and forms, but they’re well-organized,” in fact, better-organized than ever. “And they’re sharing information on the dark side. They’re putting kits out there. It’s a multi-billion-dollar industry that’s underground. And each of us is trying to fight that with our little pockets. And we have a disconnect around laws that make it harder to share corporate information. You might recall a few years ago, President Obama asked for more data-sharing, and that’s what he had in mind.”
“To echo what Richard mentioned,” Gooden said, “while patients want to own their data, security is a multi-billion-dollar issue; at the same time, per what Richard said, the hacker today is not the hacker yesterday—this notion of some kid in somebody’s basement. This is a multi-billion-dollar business. And they don’t care about any of the rules or regulations; they care about gathering data to monetize it. And that’s only going to get worse. The rate of change of the technology, the mathematical models being generated to create these ransomware packages, is only going to get more prevalent.”
In addition, Gooden said, “What I found interesting is that several years ago, most healthcare organizations didn’t have CISOs. And upwards of 70 percent of healthcare organizations are already being compromised. And if their environment is hacked, the typical gap in time between the actual hack and its being discovered is 200 days. So what keeps me up at night is what I don’t know. And the second thing is the race to prevent biomedical devices from being compromised. And that’s a whole different level from the concern over ransomware. For instance, a lot of these biomedical devices are relatively primitive, in terms of their data architecture.”
“Information security is a big focus for us at Cedars-Sinai,” Jeorg said. “What keeps me up at night is what is sometimes referred to as ‘rogue IT,’ where users circumvent security controls to use their own devices. How do we prevent that, and address it in a meaningful way when it’s going on? The other piece for me is data loss because of a breach, and data loss that culminates in the eventual loss of patient trust. If someone’s data or privacy is breached through the fault of a healthcare provider, that is a very big problem.”
“Health data is worth more and is more easily accessible,” McDaniel said. “So let’s ask why healthcare is a primary target. Is it the monetary value of a patient record?”
“It’s the monetary value, and also, it’s a soft target, basically,” Jeorg replied. “If you go to a bank or a credit card company, they’re focusing on information security in a much more mature way. So it’s a lack of maturity in the focus in healthcare security. We need to protect the confidentiality, integrity, and availability of information.”