In May, when the Michigan-based Ponemon Institute released the results of its fifth annual survey about privacy and security issues facing healthcare organizations, it found that for the first time, providers reported that the No. 1 root cause of their data breaches was criminal and malicious attacks, surpassing mistakes and employee negligence. Ponemon also found that the rate of data breach is remarkably high, with 91 percent of providers experiencing one or more breaches in the last year, and 40 percent of respondents had more than five data breaches over the past two years.
While these were the statistics that drew the biggest headlines, it should also be noted that the survey found that healthcare organizations spent an average of more than $2 million to resolve the consequences of a data breach involving an average of more than 2,700 lost or stolen records. Another study from Ponemon and IBM revealed that healthcare emerged as the industry with the highest cost per stolen record, with the average cost for organizations reaching as high as $363. “Based on our field research, we identified three major reasons why the cost keeps climbing," Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement at the time of that report. “First, cyberattacks are increasing both in frequency and the cost it requires to resolve these security incidents. Second, the financial consequences of losing customers in the aftermath of a breach are having a greater impact on the cost. Third, more companies are incurring higher costs in their forensic and investigative activities, assessments and crisis team management."
To this end, it’s become imperative for patient care organizations to stop breaches before they start or, at worst, limit their damage. Alexander Grijalva was recently hired at New York City-based NYU Langone Medical Center to do just that. There, Grijalva is head of information security risk management, where he is in charge of risk assessments for Langone's applications, ensuring both regulatory and policy compliance and determining whether these systems present risk. Grijalva recently spoke with HCI Senior Editor Rajiv Leventhal about the growing threat of data breaches in healthcare, strategies to help minimize breaches, and the costs associated with them. Part one of Grijalva’s interview with Leventhal from last week can be found here; part two excerpts can be seen below.
Tell me about your strategy to better protect data at NYU Langone.
Right now, we are beginning another risk assessment cycle. That involves close coordination between all the IT groups, compliance, and internal audit. We don’t have silos when it comes to information security, which I think organized crime and insiders have exploited at other hospitals. Of course, compliance with all the regulations that govern us is a focus and very important. But the output of our risk assessments is also reviewing the efficacy of our controls and processes. Information security threats are evolving rapidly and the effects more devastating. Therefore, we also have to evolve and affect the ROI of cyber criminals. Many operate as a business, and we have to make ourselves an expensive target. The more labor and time they spend, the less their return. At least, that is how I think. But that approach requires heavy investment, which many hospitals can’t do.
Of course, we also have activists like Anonymous knocking on the door of hospitals. For example, back in 2014, Anonymous went after Boston Children’s Hospital over a child custody case. That is a threat that all hospitals now have to deal with, as well.
We are fighting a war on multiple fronts, both as an organization and as an industry. But I think hospitals know the effect of giving up. We can’t let people and organizations with malicious intent stop us from providing care, investing in research, educating, and improving public health. Medicine is a noble profession, full of idealists. And that idealism has never been broken, and I firmly believe will never be broken. That is why at Langone we invest heavily in healthcare information technologies and IT security and work closely with all stakeholders. Our mission is sacred, and certainly at my previous employers—NewYork-Presbyterian and the University of Medicine and Dentistry—the same applied.
I sincerely embrace these principles, because the work is long and hard. One of the things I have done during my years in the hospital industry is I tour the hospitals. As I walk through ICUs, emergency rooms, and pediatric areas, for example, I remind myself that our services are important to safeguard. We provide an essential public service. It is not about IT. It is about our employees, volunteers, and patients and our services. For example, I have friends, acquaintances and even my own doctors not affiliated with Langone whose children were born in the medical center. They rave about the level of care. And my own son had surgery at Langone, as well as my daughter who had emergency surgery recently. So, it is very important to me to maintain and improve both the reputation of the medical center and the level of care. Although I am not a clinician, I believe that IT and information security are essential to the hospital. Leadership certainly believes that as well.
Of course, the industry changes also make addressing information security threats difficult. Hospitals are merging. Depending on the size of the merger, they aren’t integrating technologies very quickly. It is hard to quickly standardize across the board, particularly when you are talking about massive hospital system mergers. It takes a long time and millions of dollars. Fortunately at Langone, IT is already centralized, which makes technology management and implementation easier and transparent. And Compliance, Legal and Internal Audit work closely with us. There isn’t the tension that exists at other organizations, thankfully. We are partners. We get to share the pain.
Additionally, it is also hard to manage the academic culture of openness. Medicine is a science, and it requires information exchange and public discussion. Otherwise, you can’t improve public health or teach the next generation of clinicians and researchers. So, information security requires a great deal of investment and dedication to safeguard and facilitate that scientific culture and ensure its longevity.
What are the costs associated with effective IT security at healthcare organizations?
The bigger you are, the more expensive it gets to implement controls. The fortunate part of Langone is that it is an internationally renowned institution, known for providing excellent care. We draw patients from all over the world who want the best care; and we also have generous benefactors who care deeply about the medical center. [Leaders at these organizations] will look at their health IT budgets and realize there’s not much there for security. I have a dollar, and I have to put it somewhere. I’ll deal with security later. That’s the mindset—at some places, there just isn’t the focus that there needs to be.
Threat intelligence is a big thing these days, as we want to bring that more in-house. We understand the workflow and the output. But we are also resource-starved in the sense of human resources. Even someone of our size and prestige cannot compete with banking or retail. They’re paying much more for talent than what we would offer.
So what will it take for organizations to get to the level of preparedness that they need to be at?
Well, there are a few things to consider. On the regulatory side, part of it is trying to define the programs and getting the experts in there who know how to implement. Getting human resources in there is a problem. The other part that will always be a challenge is that hospitals are offering more services to drive up revenue, with new technologies coming in, yet there are no resources to assess them and see what risk you’re dealing with. Vendors at times will knowingly sell you a system that has known vulnerabilities. Sometimes you aren’t discovering this until after the fact.
There also needs to be even more collaboration between the hospitals to say, look, these are the issues we have; how are you dealing with them? Folks can share information that way. I am a former co-chair of the Association of American Medical Colleges (AAMC) security working group for hospitals and academic medical centers, and we talk amongst ourselves about what we’re seeing and hearing, and what the biggest challenges are. You need clinicians to buy in too. They are scientists and are not used to limiting access to, or restricting distribution of, scientific information. Information security can sometimes be contrary to the culture and needs of their profession. And you have to accommodate that. These are all things we have to factor in.