CISOs must act as change agents, McMillan says
Once again, prominent data security guru Mac McMillan, CEO of the Austin, Texas-based consulting firm CynergisTek, told attendees at the CHIME Lead Forum-Atlanta that healthcare organizations must do more when it comes to protecting their data.
McMillan spoke on the topic of cybersecurity on Dec. 1 to kick off the CHIME Lead Forum-Atlanta, co-sponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and the Institute for Health Technology Transformation (iHT2—a sister organization to Healthcare Informatics under the joint umbrella of the Vendome Group, LLC).
In his keynote presentation, McMillan urged attendees to make cybersecurity more of a priority in their organizations—something he has been pleading the industry to do for years. "If you don't believe that you're in a battle, you're not paying attention," he said. "People out there want to do harm. They want to steal what we have worked so hard to achieve. So we need to understand where our soft underbelly is. Why are we putting protected health information (PHI) on mobile devices and why are we not encrypting [the devices]? We leave ourselves too open [to attacks]," McMillan attested.
McMillan pointed to this year's Healthcare Information and Management Systems Society (HIMSS) Cybersecurity Survey which indicated that 87 percent of provider respondents said that information security has increased as a business priority in their organization. However, two-thirds of those surveyed said they have experienced a "significant security incident." McMillan noted that despite this, data security is still not enough of a budget priority, which "doesn't add up," considering that there has been a four-fold increase in the number of hacks this year compared with previous years. Interestingly, McMillan said that outside attackers are not going for the patient data as much as they are for the intellectual property.
McMillan told a few stories of how security in organizations simply gets glossed over. For instance, he gave an anecdote of a healthcare clearinghouse that provided billing support for about 400 hospitals on the East Coast. One week, the day before all of the bills were supposed to go out to its hospital clients, the clearinghouse noticed that all of the data in its systems had suddenly been encrypted. At first the organization thought its internal IT department was responsible, but it turned out to be an outside job. What made matters worse, McMillan explained, was that the clearinghouse didn't have any of its data backed up, resulting in a huge delay to the billing cycle. What's more, not one hospital in partnership with the clearinghouse had asked about its security protocols when signing the agreement. As such, the clearinghouse lost 40 percent of its clients after the incident, but McMillan put blame on the hospital clients as well, calling it "flat-out irresponsible of them to not ask about security."
McMillan then outlined the several challenges that chief information security officers (CISOs) are dealing with in their organizations. At the top of this list is an increased reliance on IT—more than 98 percent of all processes are now automated, more than 98 percent of all devices are networkable, and more than 95 percent of all information is digitized, McMillan noted. "Back in the day, there wasn't a concern in regards to electronic health records (EHRs), meaningful use, accountable care organizations (ACOs), and health information exchanges (HIEs)," he said. "And these are certainly good things for healthcare. They are beneficial, but with them comes added risk."
Another challenge comes in the form of insider abuse, McMillan continued, as more than half of all security incidents involve staff. "Folks still think you can do traditional audit methods as a manual process. You will fail if you do that," McMillan warned. Instead, he said, "behavior modeling, pattern analysis, and anomaly detection is what's needed. You won't catch folks based on rules and compliance. We need to do a better job of monitoring our users. The only way to catch bad actions is to monitor the behavior," he emphasized.
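To make the rules-versus-behavior point concrete, the following is an added illustration, not code from McMillan's talk, CynergisTek, or CHIME. It runs a fixed compliance-style rule ("more than 50 record views in a day") and a per-user behavioral baseline over a constructed EHR audit log. The log format, the three hypothetical users, their daily volumes, and the thresholds are all assumptions made for the example.

```python
"""Per-user behavioral baseline vs. a fixed rule over a constructed EHR audit log.

Added example, not from the original article or any named organization.
The log lines, user names, volumes, and thresholds below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily volumes (distinct patient records viewed per day) for
# three hypothetical users over six working days. The last day is under review.
DAILY_VIEWS = {
    "nurse_a":   [4, 5, 6, 5, 5, 20],       # low-volume user who suddenly spikes
    "billing_b": [44, 46, 45, 47, 43, 48],  # steady mid-volume user
    "coder_c":   [60, 62, 61, 59, 60, 61],  # legitimately high-volume user
}
DATES = [f"2015-11-0{d}" for d in range(2, 8)]  # 2015-11-02 .. 2015-11-07
REVIEW_DAY = DATES[-1]

STATIC_THRESHOLD = 50  # the compliance-style rule: flag anyone over 50 views/day


def make_log(daily_views=DAILY_VIEWS, dates=DATES):
    """Render the constructed volumes as audit-log lines: 'date user VIEW patient_id'."""
    lines = []
    for user, counts in daily_views.items():
        for date, n in zip(dates, counts):
            for i in range(n):
                lines.append(f"{date} {user} VIEW P{i:04d}")
    return lines


def distinct_patients_per_day(lines):
    """Parse log lines into {user: {date: number of distinct patient ids viewed}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        date, user, action, patient = line.split()
        if action == "VIEW":
            seen[user][date].add(patient)
    return {u: {d: len(p) for d, p in days.items()} for u, days in seen.items()}


def static_rule_flags(counts, day):
    """Fixed rule: same threshold for every user, regardless of their normal volume."""
    return sorted(u for u, days in counts.items() if days.get(day, 0) > STATIC_THRESHOLD)


def baseline_flags(counts, day, k=3.0, min_delta=5):
    """Behavioral baseline: flag a user whose volume on `day` exceeds their own
    prior history by more than k standard deviations AND by at least min_delta
    records. The absolute floor keeps a near-zero-variance history from turning
    a one-record change into an alert."""
    flagged = []
    for user, days in counts.items():
        history = [n for d, n in days.items() if d < day]  # ISO dates sort lexically
        if len(history) < 3:
            continue  # too little history to model; treat as a new-user case
        mu, sigma = mean(history), pstdev(history)
        today = days.get(day, 0)
        if today > mu + k * sigma and today - mu >= min_delta:
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    counts = distinct_patients_per_day(make_log())
    print("static rule flags:", static_rule_flags(counts, REVIEW_DAY))
    print("baseline flags:   ", baseline_flags(counts, REVIEW_DAY))
```

On the review day the fixed rule flags only coder_c, whose 61 views are normal for that role (it flags coder_c every day, which is noise), and it misses nurse_a, whose jump from about five records to twenty never crosses 50. The per-user baseline flags nurse_a alone. In practice the volume feature would be one of several (departments accessed, off-hours activity, same-surname lookups), but the contrast is the point McMillan makes: a threshold written for compliance does not describe any one user's normal behavior.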
Further issues arise with medical devices, McMillan said, noting that Congress has recently sent HHS (the Department of Health & Human Services) a letter wanting to know what the agency is doing about risk to medical devices. "The answer is they are doing nothing at the moment," McMillan said. "There is nothing constructive being done. The OIG (Office of the Inspector General) auditing medical devices next year is not about identifying the problem, but instead about finally documenting this issue and sending it to Congress." As such, McMillan said his suspicion is that "we will see legislation with greater control over medical devices and better standards in regards to how they're developed." However, in regards to meaningful use Stage 3, McMillan said that CMS (Centers for Medicare & Medicaid Services) "moved backwards, deciding that they wanted to divorce meaningful use from compliance and from HIPAA (the Health Insurance Portability and Accountability Act). What they tried to do in Stage 3 was take all security out of it and say that it's a HIPAA issue. Meaningful use attestation used to depend on some of this [security] stuff, but now due to the Stage 3 requirements, it has less teeth," he said.
Going back to the concept of mobility and data, and the idea that medical staff are increasingly turning to their mobile devices to communicate since it's easier, faster, and more efficient, McMillan noted that the country is getting to a point where we will have 1.5 mobile devices per living person. Right now, physicians have an average of 6.2 devices each. "This leads to confusion, and you have to wonder where data is going and whether or not it is being protected," McMillan said. To this end, he noted that theft and loss of devices are increasingly becoming bigger problems. "I always follow a simple rule: If [the device] is with me and has important information on it, it stays with me," McMillan said. "My stuff is completely encrypted, but it doesn't matter. People will lose devices and do stupid things. So let's quit putting data in places where it doesn't need to be. If I give you access, why does the data need to be stored?" McMillan asked, adding that the philosophy of having a good strong perimeter—and not worrying about what's behind that perimeter—isn't nearly good enough anymore.
Finally, McMillan mentioned that healthcare organization board involvement is part of the problem, but also part of the solution. He noted that 70 percent of board members feel they understand cyber risks, while 43 percent of CIOs/CISOs think boards are informed about threats to IT. But, board members admit their knowledge about cybersecurity is limited. As such, boards are still in the dark about security risks and incidents, and it took the major Target, Anthem, and Community Health breaches to get their attention, McMillan said. "It's not a compliance issue, but a business issue," he said.
As such, more qualified security professionals are needed in healthcare organizations, McMillan concluded. The aforementioned HIMSS survey found that 52 percent of provider organizations had a full-time security person. Many health systems are struggling to find a qualified CISO and retain them. "The country [needs] a lot more qualified CISOs," he said. He added, "Healthcare's culture must change. We need CISOs who are not afraid to be change agents in their institutions. That's not a safe place to be, and they will have to take their lumps. But it's the only way we will make a difference."