It was a privilege and a pleasure to moderate the panel “Healthcare Cyber Security Solutions: Concepts and Trends,” at the Denver CHIME Lead Forum on Monday, July 20. The panel I moderated was part of a daylong event held at the Sheraton Downtown Denver, and sponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and the Institute for Health Technology Transformation (iHT2, a sister organization of Healthcare Informatics under the corporate umbrella of our parent company, the Vendome Group LLC).
I was joined on the panel by Mike Archuleta, director of IT at Mt. San Rafael (Colo.) Hospital; Guy Turner, chief data security officer at Sutter Healthcare (San Francisco); Francisco C. Dominicci, R.N., CIO and director of health IT for the Colorado Springs (Colo.) Military Health System; Ryan Witt, vice president, healthcare industry practice, at Fortinet (Sunnyvale, Calif.); and Steve Shihadeh, senior vice president at the Seattle-based Caradigm.
Our panel’s discussion covered a very wide range of topics under the cybersecurity umbrella, including why that term itself is becoming more widely used these days.
Numerous statements were made by panelists that I found particularly worth recounting. Among those was Turner’s strong urging that attendees adopt behavioral pattern recognition solutions, as had been recommended earlier in the day by Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm. Turner stressed the same point McMillan had: “You have to invest in tools for pattern recognition for anomalous behavior.” Not doing so essentially leaves one’s entire clinical information system open to hackers once they’ve penetrated the outer defenses of the system.
Importantly, all the panelists agreed that investing in cybersecurity solutions and measures really is exactly that: a form of investment. It can’t be seen purely as a “cost” or set of costs, as can many purchases, given the risks facing patient care organizations these days.
As for the term “cybersecurity,” there was general consensus that there is some logic to that term now eclipsing the terms “data security” and “IT security” in industry usage, since so many of the security issues facing patient care organizations really are online and electronic in nature.
Among the important statements made during the discussion was this one by Dominicci: “Providers need to hold vendors accountable,” he stressed, noting that there is an intensifying need on the part of healthcare IT leaders to be able to hold vendors accountable for their ability to help ensure the security of information systems in a more thorough way than was ever needed until recently.
How will the accelerating consolidation of patient care organizations through mergers and acquisitions affect the broader dynamics around investing in cybersecurity? With consolidation proceeding apace, said Shihadeh, this is in fact a good time for investment in cybersecurity tools and processes. “There is a good opportunity now to invest,” he said, “because of the bigger patient care organizations involved. Large integrated delivery networks are being created, and those larger organizations will have the capital to be able to fund these initiatives” in beefing up cybersecurity/IT security, in his view.
Of course, there are people-based issues as well. One question from the audience asked whether the leaders of patient care organizations should focus their efforts on grooming or recruiting individuals with healthcare industry-specific data security experience, or instead bring talented individuals in from other industries and teach them the ins and outs of healthcare IT security as distinct from IT security in other industries. Turner was very blunt in stating his perspective: “It’s easier to teach someone the healthcare business than it is to teach someone with a healthcare background all the technical aspects of IT security,” he said. “I would very willingly seek people outside healthcare,” he opined, as patient care organizations find themselves trying to fill such important positions as chief information security officer (CISO) in an environment in which the number of potential candidates is dwarfed by the need for qualified individuals these days.
And what of the next couple of years or so in this whole arena? There was a broad consensus on the panel that things will get worse before they get better, across a range of issues in the IT/cybersecurity arena. The panelists agreed that the ongoing series of announced data breaches will inevitably intensify, growing in number and frequency, before a very broad collective consensus emerges in the U.S. healthcare industry around what to do about all of this and industry leaders band together in very broad, concerted efforts.
It was very clear to me from this panel discussion with these industry leaders that it will indeed require a huge, collective commitment, at a policy, industry, strategic, and business level, for the leaders of healthcare IT industry-wide to move forward together to address the issues facing us. Several references were made to the recent disclosure by the leaders of the UCLA Health System of a massive data breach there, which may have exposed the data of 4.5 million people; and the consensus on the panel was that such disclosures are being seen as “wake-up calls”—in a patient care delivery setting, they might be referred to as “sentinel events”—that will eventually compel collective action at the industry and policy levels.