Chris Van Pelt is a principal in the healthcare IT practice at PricewaterhouseCoopers Advisory LLC. The Cincinnati-based Van Pelt, who has been a healthcare CIO, including for three years at Clarian Health in Indianapolis (now IU Health), and who has 24 years' experience in the healthcare industry, has been in his position at the PwC consulting firm since August 2012.
As attendees gathered for the opening reception of the CHIME Fall Forum, being held at the J.W. Marriott Resort in San Antonio, Tex., and being sponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives, Van Pelt sat down with HCI Editor-in-Chief Mark Hagland to talk about recent developments in the data security arena in healthcare. Below are excerpts from that interview.
We’re beginning to see really serious attacks on patient care organizations now, including a sustained attack on Children’s Hospital of Boston earlier this year, that go beyond the low-level (yet still-significant) data breaches that had already become commonplace. Is it your belief that we’ve seen a lot of missed opportunities around data security in our industry?
Absolutely. We could have gotten ahead of what we knew to be coming. The financial services sector was attacked very purposely by foreign countries—actual governments including China and Russia, as well as organized crime syndicates in African countries—and the federal government has had to intervene to help all the banks and financial institutions. There are now weekly conference calls involving federal officials and senior IT managers at all the major banks, to combat what’s going on.
And logically, we all knew that the healthcare and energy industries should have been next in line to be targeted by these very major entities. And as it turns out, both are now being hit. As recent reports have noted, our financial identity is worth about 1 cent to 3 cents, because it can be turned off very quickly when personal identity theft is revealed; it costs a significant amount to us as individuals, of course. Meanwhile, a medical identity has been determined to be worth between $75 and $150 per identity, versus 1 cent to 3 cents for a financial identity, because you now have huge amounts of money, collectively, invested in health savings accounts and flexible spending accounts, HSAs and FSAs, and those accounts have been configured to roll over from year to year. And since a medical identity can transcend years, it has a useful life to it that’s much longer than it used to be. And that’s not even to mention the value of being able to bill fraudulently using your account.
What can healthcare IT leaders do, then, facing such huge threats, from actual foreign governments and from large, organized crime syndicates headquartered abroad?
We’ve had numerous discussions in public forums about this. Last year at the CHIME Fall Forum, we facilitated a discussion with about 35 CIOs and CISOs from across the country, and had that point made. We’re not big as hospital-based organizations, and we’re not banks. And yet patient care organizations in this country, whether 40-bed hospitals or 20-hospital systems, absolutely are at risk for these attacks now. These criminals, and governments, are coming at anything they can get access to. Water seeks its own level, and they’re going to access anything they can. So frankly, whatever size patient care organization you are, they’re coming after you.
And within healthcare, we’ve focused as an industry on HIPAA-mandated and other types of compliance. It’s a total checklist mentality. And it’s so basic an approach, it doesn’t even get to preparedness. The delta between, are you compliant, and are you prepared, is monumental. You can do mental exercises, etc. And I can tell you as a partner in a major firm, I could go around to half the CIOs in the industry and ask them, would you know that your organization was being intruded upon from a foreign government? It’s totally different from the level of an intrusion from an individual. If a foreign government breaches your security, they don’t want you to know what’s going on; they’re very sophisticated, and they’re going after your data. So during a two-year period, would a single hospital or health system know that was happening? By and large, the answer would be no. And what would they do to insulate the hospital or health system and allow it to continue to operate while facing that threat? We’ve got a very basic diagram around compliance versus preparedness that we share with client organizations, in this.
Children’s Hospital of Boston was targeted by hacktivists earlier this year, and the IT leaders and managers there spent two weeks fighting their sustained attacks on their information system.
That’s right, whereas, again, a hostile foreign government is not there to let you know they’re there. We had an example of where CHS [Community Health Systems] in Nashville was breached by Heartbleed [in August]. A government intrusion wouldn’t want you to know they were there, versus a denial of service situation like with Children’s of Boston would purposefully make itself known.
What would hostile foreign governments want, overall?
Identities, intellectual property, including learning what kinds of experiences we’re having with specific medical devices and implants, for example, or information on clinical trials.
Given all these threats, what should CIOs and other healthcare IT leaders be doing?
They have to get more proactive. When we spoke at CHIME last year, we found some organizations like KLAS are surveying people. And most organizations have begun to reach out to consultants for attack and penetration consulting support. Most hospitals typically engage a small firm to look at intrusion inspection, to see if they’re safe.
You essentially have to engage outside consultants, then?
The OCR [the Office of Civil Rights in the Department of Health and Human Services]—when you are breached and you have to reach out to the federal government—the OCR requires you to be externally assessed, at least annually. And there’s a minimal attack and penetration check—usually proffered by a very small firm. That doesn’t begin to approach the sophistication needed per foreign threats.
Your prediction regarding this situation?
It will only get worse. It took about two years for that series of attacks to get up to speed in the financial services industry. We’re at the very beginning of this in healthcare. It’s very scary. The government got involved with banks. The banks now collaborate, all the security officers get on a call and fully disclose what happened to them.
All this will eventually touch nearly every adult resident of the U.S. Look at the recent breaches at Target, Home Depot, and J.P. Morgan Chase. Those already have touched hundreds of millions of people, apart from some of the healthcare-specific breaches so far.
In the case of the Target breach, it turns out that the individual who made the actual physical breach was an HVAC technician—the software running the HVAC became the doorway. And in CHS’s case, it was Heartbleed. It’s a known thing sitting there, but did the institution go through the process of analyzing its vulnerabilities? The basic checklist approach doesn’t take you there. So the industry as a whole has to get more aggressive, more proactive; and this compliance mentality has to change. People are going to have to take it up a notch. And at the end of the day, it’s no longer a question if you’ll get breached, but when. And I believe the OCR wants to see that you’ve intended to meet the spirit of it, and that diligence requires being proactive.