During the past week, the health information technology (HIT) community has raised awareness about the pivotal role that IT has played in the ongoing transformation of healthcare delivery as part of National Health IT Week.
With this ongoing digital transformation of healthcare delivery there also has come, unfortunately, an increased level of information security breaches that put healthcare organizations at risk. Cybersecurity incidences cause operational, financial and reputational damage for healthcare organizations and can put patient privacy and safety at risk as well.
During a webinar about healthcare cybersecurity in conjunction with National Health IT Week, leaders with CareTech Solutions, which sponsored the webinar, shared some cold, hard numbers.
Healthcare security breaches are expensive at a cost of $398 per record, compared to $154 per record for all other industries. And, as many hospitals and health systems have discovered, if there is a Health Insurance Portability and Accountability Act (HIPAA) violation, the settlements can be costly as well. New York Presbyterian, for example, reached a $3.3 million settlement last year with the U.S. Department of Health and Human Services Office of Civil Rights for a breach that occurred in 2010, which exposed 6,800 patients’ records to the internet.
Criminal attacks are now the leading cause of healthcare data breaches. And, according to Jim Hunter, director of CareTech Solutions’ security and Pulse, its IT monitoring service, healthcare data is a rich target for cybercriminals. Information such as credit cards, banking accounts, addresses and social security numbers can be used for financial and insurance fraud and identity theft. And, personal information can be used for blackmail.
“Credit card information typically sells for $1 on the black market, whereas healthcare data can get anywhere from $50 to $1,000. And that’s driven by the number of people in the data set and who they are,” Hunter said. “And, then healthcare overall, from a fraud detection standpoint, is poor when compared to other industries. The financial industry has much higher fraud detection and they’ve had to evolve that over the years.”
Hunter said healthcare organizations need to look at cybersecurity from this perspective: it’s not a matter of if you get hacked, but when.
While that is a daunting statement, it is for this reason that many information security experts say that a hospital or health system’s security strategy needs strong support from senior leadership and the board of directors.
“The board of directors need to understand and approach cybersecurity as an enterprise-wide issue not just an IT issue,” Jim Giordano, president and CEO of CareTech Solutions, said. “Not every cybersecurity issue can be solved through IT, it needs to be done by policies and procedures.”
More boards of directors have begun to address cybersecurity as a serious risk-oversight issue that has strategic, cross-functional, legal and financial implications, according to the Global State of Information Security Survey by PwC.
The survey found that within the healthcare industry 40 percent of boards participated in their organization’s overall security strategy; 36 percent had participated in the security budget; 32 percent were familiar with security policies; 25 percent reported they were aware of cybersecurity and privacy risks and only 15 percent reported they had reviewed the security and privacy testing.
Many chief information security officers would like to see this level of involvement increase.
For a previous article, I interviewed Ron Mehring, chief information security officer at Texas Health Resources, and he said information security is gaining more attention and visibility in healthcare organizations.
“Fortunately, working for Texas Health Resources, we’ve always had an actively engaged compliance program as well as an actively engaged executive leadership and board membership that asks questions. But from an industry perspective and from talking to my peers, they are all getting asked much deeper questions today. In other words, the executive leadership is now actually wanting to see some sort of evidence in terms of how we are performing in these areas in the security program,” Mehring said.
Mehring is leading the security program at Texas Health Resources with a risk and threat management strategy and many healthcare organizations also are using this kind of enterprise-wide approach to security.
During the webinar, Hunter with CareTech outlined six questions that senior leadership and board members should ask in order to approach cybersecurity as an enterprise-wide issue and not just an IT issue:
- Does the organization have a security framework?
- What are the top risks in the organization related to cybersecurity?
- Are employees aware of their role related to cybersecurity?
- What are the internal and external threats?
- Is there governance set up within the organization to deal with security and security risks specifically?
- In the event of a breach, is the organization prepared to manage those incidents when they come up?
Giordano also suggested board members meet with their chief risk officers to assess the risks and consider cyber liability insurance.
He also recommended having a dedicated position for cybersecurity, separate from the head of the IT department.
“People sometimes ask, ‘Do you need a separate person for cybersecurity and why can’t it be IT?’ You can look at it from this perspective, the person who builds your house is not the same as the person who secures it,” he said.