A survey released this morning from CHIME revealed that about 70 percent of responding patient care organizations do not have a comprehensive security program in place, leading one cybersecurity expert to speak out on how troubling a trend this still is across healthcare.
The survey, released on October 31 at the College of Healthcare Information Management Executives (CHIME) 2018 Fall CIO Forum in San Diego, found that just 29 percent of the more than 600 participating organizations have a comprehensive program in place, which CHIME outlines as doing all of the following: reporting security deficiencies and security progress to the board; having a dedicated CISO (chief information security officer) and cybersecurity committee; providing security updates to the board at least annually; and having a board-level committee that provides security oversight.
For Mac McMillan, chairman, CEO and co-founder of Austin, Texas-based consulting firm CynergisTek, while these findings are quite troubling to him, he’s not surprised. McMillan, who caught up with Healthcare Informatics at the CIO Forum, says he was speaking with a CIO today who just moved organizations, and who was asked at the forum this morning what the security program is like at the new hospital he works at. “His answer was ‘what security program?’” McMillan recalls. “This CIO said he couldn’t believe that he didn’t have a CISO or a security program in place [at the new hospital]. People think that because their organization is surrounded by other bigger ones, the [attackers] will leave them alone, but that’s really naïve. It shows that you don’t understand the nature of the threat, because most threats are indiscriminate—it has no idea who it’s hitting until it gets there,” says McMillan.
McMillan, who recently wrote that the industry is well over a million cybersecurity professionals short of what is needed, believes that true cybersecurity experts—who he says should be functional enough to have a background and perform in both IT and security—are not made overnight. “There is training and education involved, and also experience. I might have taken a test to become a CISSP [Certified Information Systems Security Professional], but there is a big difference in passing a test and managing a security program in an organization, and all of the nuances involved in that—the politics, the coordination, and being able to balance risk, for example,” he says.
And it’s the same thing for the technical skills, he adds. “You might have taken courses on the technical side, but that is quite difference from actually managing firewalls or managing an incident response process.” McMillan notes that even if every U.S. university started a curriculum for cybersecurity tomorrow, that still leaves four years of education, and then years of experience on top, meaning “we are a decade away before we start making a dent in that [1 million] number,” he says.
Looking at the average hospital, McMillan attests that firewalls are not managed by the security team, but rather by the network team. “When you look at who is managing those critical security assets, they are not trained on them. They are not certified in every one of those technologies. So you have people who have general networking skills doing the best they can, but they aren’t real security people,” he says.
As such, in order to solve this problem in the short run, McMillan emphasizes that there is a need to reconsider the idea that security is a one-off skill. “Quit treating it as a specialized skill and start treating it as a core skill for anyone who touches the system,” he says. “So if you are a database analyst, you should understand security as it relates to databases. That means whatever you are doing as an analyst, you need to know how to do that from a secure perspective. Make that part of everyone’s curriculum, so eventually we are not relying on that ‘cybersecurity army,’” he adds.
Because of the lack of qualified people who are paying attention to security within healthcare systems, it might take months—or sometimes even more than a year—for institutions to even identify that they have been attacked. McMillan notes that the organization that fails to catch a problem likely does not have proactive monitoring going on, doesn’t have someone looking at the audit logs regularly, and doesn’t have someone monitoring critical systems and reporting issues. He speaks to an organization he recently worked with that was six months behind in applying security patches, had no hardening standards for its systems, and no security standards in general. “In this case, the organization wouldn’t even know if it was being attacked,” he says.
Why is that? McMillan points to a number of reasons, such as organizations choosing not to prioritize security and investing money into it. “Sometimes it becomes a choice of how to spend limited dollars, and security loses in that argument,” he says. “In another scenario, whenever an organization is up for sale, one of the first things that stops happening is security. It’s like when you sell your house; you don’t fix the roof or the fence. You let the new guy fix it.”
But according to McMillan, major breach violation payments, such as the recent $16 million fine paid by Anthem, likely won’t serve as motivation for health systems to get their act together. Actually, he says, most industry observers look at the payment and “believe that it’s embarrassing given the size of Anthem and the egregiousness of the breach. They think the fine being so small doesn’t match the incident that occurred. A million dollars to a small organization would be 100 times worse than $16 million for Anthem,” he says.