Mac McMillan, one of the healthcare industry’s leading lights on data security, offered stern warnings and bold perspectives on Monday morning, October 6, as the opening keynote speaker at the “Health Information Executive’s Guide to Cyber Security: A CHIME LEAD Forum Event in Collaboration with iHT2.” The event, being held on Oct. 6 at the Westin Arlington Gateway in Arlington, Va., is being cosponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and the Institute for Health Technology Transformation, or iHT2. (Since December 2013, iHT2 has been in partnership with Healthcare Informatics, through the Vendome Group LLC, HCI’s parent company.)
After an introductions by Russell P. Branzell, president and CEO of CHIME, McMillan, the president and CEO of CynergisTek, an Austin, Tex.-based consulting firm, and the current chair of the Privacy and Security Committee within the Chicago-based Healthcare Information and Management Systems Society (HIMSS), gave a passionate, sobering presentation on the extent of the current threats to healthcare data security in the U.S., warning his audience of healthcare CIOs and other senior IT executives that things are going to get worse before they get better in healthcare IT security.
McMillan underscored in various ways the exploding set of threats facing healthcare organizations in the current operating environment, noting that while the healthcare industry was ranked by some as 15th or 16th in terms of data security risk several years ago because of the lack of electronic data storage 10 years ago, it is now seen as one of the most threatened U.S. industries, as up to 99 percent of patient data is now electronic.
MacMillan walked his audience through a list of serious cybersecurity incidents in U.S. healthcare that have taken place this past year, including one incident involving 4 million medical records breached on four workstations; the loss by a physician of a laptop carrying psychiatric patient records; the accidental e-mailing of 10,000 patient records to 200 patients on the part of a neurologic institute; and a very sobering phishing-based conspiracy that involved the theft of $3 million from six academic medical center-based health systems.
In that last case, a group of extremely sophisticated criminals over a period of months infiltrated the human resources data processes of the academic medical center organizations, quietly scraping information from employees’ benefits renewal applications, and then using that information to assume identities within those organizations’ e-mail systems, and later intercepting any legitimate e-mails questioning what was going on. Ultimately, they were able to essential steal identities within those organizations, triggering a series of events. The hackers over time were able to divert portions of the electronic paychecks of the employees whose identities they had stolen, diverting those monies to a mule account, and from there to North Africa and then to Russia. These thefts took place over a three-month period and netted $3 million, in a shockingly successful theft of millions of dollars from the payroll systems of major patient care organizations in the U.S.
More broadly, McMillan strongly urged his audience to think both broadly and deeply about what their organizations need to do going forward in a time of increasing data insecurity. Among his key points in that regard:
- Data breaches are increasing steadily now, on two fronts: outsider hackers and other criminals, and internal sources, who include clinicians and administrative staff in hospitals and medical groups.
- The cost of data security is going up, and part of the cause is the increasing cost of lawsuits against patient care organizations, which can multiply the initial data breach costs.
- It is a huge mistake to “chase the device,” when it comes to mobility. Instead, what’s needed is a comprehensive strategy around where to allow the placement of data, one that leaves mobile devices secure.
- In order to actually be successful in this area, the IT leaders of patient care organizations will need to develop sophisticated behavioral modeling strategies, in order to spot those from within their organizations (doctors, nurses, administrative staff, etc.) who are engaging in these criminal activities. Simple audit trail work will no longer suffice.
- New federal mandates around accounting for disclosure and minimal necessary response will inevitably be forthcoming, but most likely not until after the 2016 presidential elections. Whatever the party of the president who is elected in 2016, some turnover of top political appointees will take place in 2016 and 2017, and the most likely timing of new federal mandates around data security will come after that, giving providers a bit of time to get caught up with current mandates and build stronger security infrastructures.
In the meantime, McMillan asserted that “Only about 60 percent of hospitals and health systems have CISOs [chief information security officers], and of those, only about 50 percent have real CISOs”—individuals with the capabilities to meet the increasing demands of the emerging operating environment.
Still, McMillan said, he remains optimistic overall. He stated that he believes that the healthcare industry is about halfway through a 20-year journey of developing the people, process, and technological infrastructure needed to support the industry in terms of data security going into the future.