Healthcare Informatics Magazine | Health IT | Information Technology

Mac McMillan Speaks to the Troubling Trend that Hospitals Still Aren’t Prioritizing Security

October 31, 2018
by Rajiv Leventhal, Managing Editor
At the CHIME Fall CIO Forum, providers reveal just how dedicated their organizations are to security—and one cyber expert responds

A survey released this morning by CHIME found that about 70 percent of responding patient care organizations do not have a comprehensive security program in place, prompting one cybersecurity expert to speak out on how troubling that trend remains across healthcare.

The survey, released on October 31 at the College of Healthcare Information Management Executives (CHIME) 2018 Fall CIO Forum in San Diego, found that just 29 percent of the more than 600 participating organizations have a comprehensive program in place, which CHIME outlines as doing all of the following: reporting security deficiencies and security progress to the board; having a dedicated CISO (chief information security officer) and cybersecurity committee; providing security updates to the board at least annually; and having a board-level committee that provides security oversight.

Mac McMillan, chairman, CEO and co-founder of the Austin, Texas-based consulting firm CynergisTek, finds these results troubling but not surprising. McMillan, who caught up with Healthcare Informatics at the CIO Forum, says he spoke today with a CIO who had just moved to a new organization and was asked at the forum this morning what the security program is like at the hospital he now works at. “His answer was ‘what security program?’” McMillan recalls. “This CIO said he couldn’t believe that he didn’t have a CISO or a security program in place [at the new hospital]. People think that because their organization is surrounded by other bigger ones, the [attackers] will leave them alone, but that’s really naïve. It shows that you don’t understand the nature of the threat, because most threats are indiscriminate—they have no idea who they’re hitting until they get there,” says McMillan.

McMillan, who recently wrote that the industry is well over a million cybersecurity professionals short of what it needs, believes that true cybersecurity experts, whom he says must have a background in, and be able to perform in, both IT and security, are not made overnight. “There is training and education involved, and also experience. I might have taken a test to become a CISSP [Certified Information Systems Security Professional], but there is a big difference in passing a test and managing a security program in an organization, and all of the nuances involved in that—the politics, the coordination, and being able to balance risk, for example,” he says.

And it’s the same for technical skills, he adds. “You might have taken courses on the technical side, but that is quite different from actually managing firewalls or managing an incident response process.” McMillan notes that even if every U.S. university started a cybersecurity curriculum tomorrow, that still leaves four years of education, and then years of experience on top, meaning “we are a decade away before we start making a dent in that [1 million] number,” he says.

Looking at the average hospital, McMillan observes that firewalls are managed not by the security team but by the network team. “When you look at who is managing those critical security assets, they are not trained on them. They are not certified in every one of those technologies. So you have people who have general networking skills doing the best they can, but they aren’t real security people,” he says.

As such, to address the problem in the short run, McMillan argues for abandoning the idea that security is a one-off skill. “Quit treating it as a specialized skill and start treating it as a core skill for anyone who touches the system,” he says. “So if you are a database analyst, you should understand security as it relates to databases. That means whatever you are doing as an analyst, you need to know how to do that from a secure perspective. Make that part of everyone’s curriculum, so eventually we are not relying on that ‘cybersecurity army,’” he adds.

Because so few qualified people are paying attention to security within healthcare systems, it can take months, or sometimes more than a year, for institutions even to identify that they have been attacked. McMillan notes that an organization that fails to catch a problem likely has no proactive monitoring, no one looking at the audit logs regularly, and no one monitoring critical systems and reporting issues. He describes an organization he recently worked with that was six months behind in applying security patches, had no hardening standards for its systems, and had no security standards in general. “In this case, the organization wouldn’t even know if it was being attacked,” he says.

Why is that? McMillan points to several reasons, such as organizations choosing not to prioritize security or to invest money in it. “Sometimes it becomes a choice of how to spend limited dollars, and security loses in that argument,” he says. “In another scenario, whenever an organization is up for sale, one of the first things that stops happening is security. It’s like when you sell your house; you don’t fix the roof or the fence. You let the new guy fix it.”

But according to McMillan, major breach settlements, such as the recent $16 million HIPAA settlement paid by Anthem, are unlikely to motivate health systems to get their act together. In fact, he says, most industry observers look at the payment and “believe that it’s embarrassing given the size of Anthem and the egregiousness of the breach. They think the fine being so small doesn’t match the incident that occurred. A million dollars to a small organization would be 100 times worse than $16 million for Anthem,” he says.


More From Healthcare Informatics


4.4M Patient Records Breached in Q3 2018, Protenus Finds

November 7, 2018
by Rajiv Leventhal, Managing Editor

There were 117 disclosed health data breaches in the third quarter of 2018, leading to 4.4 million patient records breached, according to the Q3 Protenus Breach Barometer report.

Protenus, a cybersecurity software company, issues a Breach Barometer report each month. Its most recent data show that although the number of incidents disclosed in Q3 decreased somewhat from Q2, the number of breached records increased from Q2 to Q3. The number of affected patient records has also climbed each quarter in 2018, from 1.13 million in Q1 to 3.14 million in Q2 to 4.4 million in Q3.

In Q3, the report noted, the single largest breach was a hacking incident affecting 1.4 million patient records at UnityPoint Health, an Iowa-based health system. Attackers used phishing, in the form of “official-looking emails,” to gain access to the organization’s email system and capture employees’ passwords. This incident follows one at the same organization in April, when 16,400 patient records were breached as a result of another phishing attack.

For incidents disclosed to HHS (the Department of Health & Human Services) or the media, insiders were responsible for 23 percent of the total number of breaches in Q3 2018 (27 incidents). Details were disclosed for 21 of those incidents, affecting 680,117 patient records (15 percent of total breached patient records). For this analysis, insider incidents are characterized as either insider-error or insider-wrongdoing; the former includes accidents and other incidents without malicious intent that could be considered “human error.”

There were 19 publicly disclosed incidents that involved insider-error between July and September 2018. Details were disclosed for 16 of these incidents, affecting 389,428 patient records. In contrast, eight incidents involved insider-wrongdoing, with data disclosed for five of these incidents.

Notably, when comparing each quarter in 2018, there has been a drastic increase in the number of breached patient records as a result of insider-wrongdoing. In Q1 2018, there were about 4,600 affected patient records, in Q2 2018 there were just over 70,000 affected patient records, and in Q3 there were more than 290,000 affected patient records tied to insider-wrongdoing.

What’s more, the report found that hacking continues to threaten healthcare organizations, with another increase in incidents and affected patient records in the third quarter of 2018. Between July and September, there were 60 hacking incidents, 51 percent of all Q3 2018 publicly disclosed incidents. Details were disclosed for 52 of those incidents, which affected almost 3.7 million patient records. Eight of the reported incidents specifically mentioned ransomware or malware, ten mentioned a phishing attack, and two mentioned another form of ransomware or extortion. However, it is important to note that both the number of hacking incidents and the number of affected patient records dropped considerably from month to month between July and September 2018.

Meanwhile, of the 117 health data breaches for which data was disclosed, it took an average of 402 days to discover a breach after it occurred. The median discovery time was 51 days, and the longest-running incident discovered in Q3 2018 involved insider-wrongdoing at a Virginia-based healthcare organization, where an employee accessed thousands of medical records over the course of a 15-year employment.

Related Insights For: Cybersecurity


Survey Reveals Disconnect Between Perception and Reality of Medical Device Security

November 6, 2018
by Heather Landi, Associate Editor

A recent survey of healthcare IT professionals found a troubling disconnect between IT leaders’ confidence in the visibility and security of their connected medical devices and the effectiveness of the legacy solutions they rely on to secure those devices.

The vast majority of healthcare IT professionals (87 percent) feel confident that the connected medical devices in their hospitals are protected in case of a cyberattack. However, the survey also revealed a contradiction between the confidence healthcare professionals have in their visibility into connected medical devices and the security of their networks, and the inefficient and ineffective legacy processes many still rely on to keep them secure.

The survey from Zingbox, a provider of Internet of Things (IoT) security solutions, is based on responses from 400 U.S.-based healthcare IT decision-makers and clinical and biomedical engineers and indicates that there continues to be a widespread misconception that traditional IT security solutions can also adequately secure connected medical devices.

Seventy-nine percent of respondents say their organization has real-time information about which connected medical devices are vulnerable to cyber attacks. And, 69 percent feel traditional security solutions for laptops and PCs are adequate to secure connected medical devices.

“Most organizations are thinking about antivirus, endpoint protection and firewalls, but there are many devices — like medical monitoring equipment — and no one is thinking about securing them,” Jon Booth, Bear Valley Community Hospital District IT director and Zingbox customer, said in a statement. A Gartner report, Market Trends: Five Healthcare Provider Trends for 2018, published in November 2017, adds: “Generally, medical devices are not replaced for at least 10 years, with many running old software that has not been updated or patched.”

And there are other challenges: the Zingbox survey revealed 41 percent of healthcare IT professionals do not have a separate or sufficient budget for securing connected devices.

When asked about their inventory of connected medical devices, the majority of clinical and biomedical engineers (85 percent) were confident that they have an accurate inventory of all connected medical devices, even though many rely on manual audits, which are prone to human error and quickly become outdated.

What’s more, close to two-thirds (64 percent) of responses from clinical and biomedical engineers indicate reliance on some form of manual room-to-room audit or a static database to inventory the connected devices in their organization. Just 21 percent of responses say their devices receive preventive maintenance based on device usage rather than on a fixed schedule.

The survey also shows that more than half (55 percent) of responses indicate clinical/biomedical engineers must walk over to a device, or call others to check on their behalf, to find out whether it is in use before scheduling repairs. Many make the trip only to find the device in use by patients and must try again later, according to the survey.

“Despite the recent progress of the healthcare industry, the survey exemplifies the continued disconnect between perception of security and the actual device protection available from legacy solutions and processes. Unfortunately, much of the current perception stems from the use of traditional solutions, processes and general confusion in the market,” Xu Zou, CEO and co-founder of Zingbox, said in a statement. “Only by adopting the latest IoT technology and revisiting decade-old processes, can healthcare providers be well prepared when the next WannaCry hits.”

