Creating a Cybersecurity Culture: What Healthcare IT Security Leaders Already Know

By Mark Hagland | Healthcare Blogs

July 26, 2017
A robust discussion of building a culture of cybersecurity evinced excellent insights from healthcare IT security leaders last week

It was fascinating last week to hear several healthcare IT leaders discuss the topic of developing a culture of cybersecurity, during the Health IT Summit in Denver, sponsored by our publication, Healthcare Informatics. The discussion was wide-ranging and freewheeling, and offered the assembled audience a broad range of informed perspectives. It also reinforced for me how complex and challenging it really is to develop a culture of cybersecurity in any patient care organization.

The panel was moderated by Mitch Parker, executive director, information security and compliance, at Indiana University Health (Indianapolis). Parker was joined by panelists Michael Mercer, chief security officer, Denver Division, at the Federal Bureau of Investigation (FBI); Sheryl Rose, senior vice president and CIO, at the Denver-based Catholic Health Initiatives; Brian Sterud, vice president of information technology and CIO, Faith Regional Health Services (a 131-bed community hospital in Norfolk, Nebraska); and David Finn, a former CIO, and currently the health information technology officer at the Mountain View, California-based Symantec Corporation.

One of the issues that came up in that discussion is how different the organizational landscape is in healthcare from, say, the banking and financial services industry. For example, Finn, a former CIO, noted that “The problem with healthcare is that we have a couple of interesting dichotomies; healthcare is an industry where we need to share information, whether it’s a reference lab, a durable medical equipment company, etc. And we haven’t made the shift yet to understanding how we should protect it. And the second shift we haven’t made yet is that we don’t yet understand the (monetary) value of this data. The bad guys are looking at these pieces of data across huge spectrums, and they’re using the data in ways we haven’t thought about. And we need to catch up with this and train people that this is not only important for providing care, but that it has value” to the cybercriminals.

And, referencing the many years she had spent in the financial services industry as an IT executive before coming into healthcare, Catholic Health Initiatives’ Rose said, “In financial services, it seems as though it was a black-and-white thing. We did our training, we told our employees what they needed to know. But it’s different in healthcare. My biggest day-to-day fear is that I’m going to end up being like Charlie Brown’s teacher, saying, ‘Wha wha wha’”—referencing the cartoons in which the children didn’t hear what their elementary school teacher was saying to them. “And with 105 hospitals and thousands of employees, it’s hard to get the message across,” she said. “So I try to find champions—physicians, nurses, everyone” who might be champions for IT security, “because they’re going to listen to those people more than to Sheryl Rose in the corporate office. We need to engage them, because, to your point, David, they’re going to click on that link.”

I think that Finn and Rose really hit the nail on the head here. Healthcare is different from other industries: data-sharing is essential, and is actually becoming more essential, as we move into a new era of accountable care, population health management, and care management. We simply cannot create cybersecurity parameters that impede the flow of data and information as used to manage the care of patients, particularly those with chronic illnesses; so all stakeholders around the table are going to have to figure out how to manage two ostensibly contradictory goals—securing data as much as possible from harm, while expanding its sharing for clinical and analytical purposes.

So one of the challenges that face healthcare IT security leaders as they begin to drill down through the layers of IT security governance is how to determine where to draw firm lines, and where to negotiate with frontline end-users and end-user leaders, most particularly physicians. In that context, Sheryl Rose made the statement that “There are certain things that are non-negotiable. And when it comes to physician practices, if you’re going to connect as a new member of our family, there are certain things you have to do before you can connect. But then, on an ongoing basis, having the boots on the ground is much more important than having the talking heads in the national office. So one of the first things I did in my job” at Catholic Health Initiatives several years ago, Sheryl Rose noted, “was putting regional security officers in. And what they prioritize their workload to be and how they message to their users, they have to be the bridge to the national security organization, but they’re allowed a lot of flexibility. And how things are done in Kentucky versus Tacoma or Fargo, may be very different; and I’m not going to get into the middle of that.” And Finn noted that he did something analogous as CIO, empowering managers to “implement security within their individual offices.” But he also noted that that kind of manager-level flexibility only works when a rigorous healthcare IT security governance infrastructure is created around it.

Indeed, Rose testified, “I was blessed” that there was a “great appetite” for improving healthcare IT security at CHI when she arrived at her organization several years ago. With that wind at her back, she reported, “we built a great security committee at national; and we had the same thing filtering down from there. And I spent years in financial services working successfully with steering committees. And it depends on the personalities of the people involved,” she noted.

But how might all this work in a smaller organization with fewer resources? Working in a standalone community hospital setting, Faith Regional Health Services’ Sterud reported that “We stood up an IT security committee,” and that “a couple of things we did well—one was the makeup of the group. The other thing was that I made clear that we had a lot of work to get done. So when we started getting going, they all knew that we had a lot to do,” he said. “And we made sure we had HR involved—there are a lot of things with onboarding and terminations.” And a moment later, he added that “You need to celebrate successes, too. So we’ve done a lot of important things over the course of the past five years, and we still have a lot of things to do. But things are moving forward, and it’s kind of self-governing at this point.”

All of these nuances speak to the challenges of translating broad, abstract principles around cybersecurity into actual organizational processes and norms, in actual patient care organizations, with living human beings. It’s never been easy, and it will never be easy. And healthcare IT security leaders are working, not in a vacuum, but in a swiftly changing operational landscape, one in which the tensions between accelerating data-sharing and accelerating data security threat vectors will continue to be prominent, and will almost certainly become even more complex and frustrating.

But this is the operational landscape in which healthcare IT security leaders, especially CISOs and CIOs, will be working, going forward. There will be no shortcuts, and there will be plenty of bumps in the road going into the near future. The good news, as all the panelists in Denver noted, is that, because of all of the high-profile breaches in the news in the past year-and-a-half, the level of awareness of data security is greater than ever before.

So, soldiering forward, we’ll see how all of this plays out. In the meantime, it is good to hear from healthcare IT security leaders like the panelists at the Denver Health IT Summit, and to know that there are healthcare IT leaders out there who are building cultures of cybersecurity in their organizations, brick by brick, over time.


HIPAA Settlements: Three Boston Hospitals Pay $1M in Fines for “Boston Med” Filming

September 20, 2018
by Heather Landi, Associate Editor

Three Boston hospitals that allowed film crews to film “Boston Med” on premises have settled with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) over potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

According to OCR, the three hospitals—Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH) and Massachusetts General Hospital (MGH)—compromised the privacy of patients’ protected health information (PHI) by inviting film crews on premises to film “Boston Med,” an ABC television network documentary series, without first obtaining authorization from patients.

OCR reached separate settlements with the three hospitals, and, collectively, the three entities paid OCR $999,000 to settle potential HIPAA violations due to the unauthorized disclosure of patients’ PHI.

“Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” Roger Severino, OCR director, said in a statement. “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”

Of the total fines, BMC paid OCR $100,000, BWH paid $384,000, and MGH paid $515,000. Each entity will provide workforce training as part of a corrective action plan that will include OCR’s guidance on disclosures to film and media, according to OCR. Boston Medical Center's resolution agreement can be accessed here; Brigham and Women’s Hospital's resolution agreement can be found here; and Massachusetts General Hospital's agreement can be found here.

This is actually the second time a hospital has been fined by OCR as the result of allowing a film crew on premises to film a TV series; the first HIPAA fine also involved the filming of an ABC medical documentary television series. As reported by Healthcare Informatics, in April 2016, New York Presbyterian Hospital (NYP) agreed to pay $2.2 million to settle potential HIPAA violations in association with the filming of “NY Med.”

According to OCR’s announcement about the settlement with NYP, the hospital, based in Manhattan, violated HIPAA rules for the “egregious disclosure of two patients’ PHI to film crews and staff during the filming of 'NY Med,' an ABC television series.” OCR also stated that NYP did not first obtain authorization from the patients. “In particular, OCR found that NYP allowed the ABC crew to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop.”

The OCR director at the time, Jocelyn Samuels, said in a statement, “This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization. We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.” 

OCR’s guidance on disclosures to film and media can be found here.

Independence Blue Cross Notifies 17K Patients of Breach

September 19, 2018
by Rajiv Leventhal, Managing Editor

The Philadelphia-based health insurer Independence Blue Cross is notifying about 17,000 of its members that some of their protected health information (PHI) has been exposed online and has potentially been accessed by unauthorized individuals.

According to an article in HIPAA Journal, Independence Blue Cross said that its privacy office was informed about the exposed information on July 19 and then immediately launched an investigation.

The insurer said that an employee had uploaded a file containing plan members’ protected health information to a public-facing website on April 23. The file remained accessible until July 20 when it was removed from the website.

According to the report, the information contained in the file was limited, and no financial information or Social Security numbers were exposed. Affected plan members only had their name, diagnosis codes, provider information, date of birth, and information used for processing claims exposed, HIPAA Journal reported.

The investigators were not able to determine whether any unauthorized individuals accessed the file during the time it was on the website, and no reports have been received to date to suggest any protected health information has been misused.

A statement from the health insurer noted that the breach affects certain Independence Blue Cross members and members of its subsidiaries AmeriHealth HMO and AmeriHealth Insurance Co. of New Jersey. Fewer than 1 percent of total plan members were affected by the breach.

Report: Healthcare Lags Other Industries in Phishing Resiliency

September 19, 2018
by Heather Landi, Associate Editor

It’s no secret that the healthcare industry continues to be a target for cyber criminals, and healthcare organization leaders face constantly evolving cyber threats. It's widely known that phishing attacks are a serious problem in the healthcare industry, yet the industry continues to lag behind other industries in its resiliency to phishing attacks, according to a recent report.

In 2017, there were 477 healthcare breaches reported to the U.S. Department of Health and Human Services (HHS), which affected a total of 5.579 million patient records. The Verizon 2018 Data Breach Investigations Report (DBIR), released in April, found that the human factor continues to be a key weakness in data breaches. Financial pretexting and phishing represent 98 percent of social incidents and 93 percent of all breaches investigated, with email continuing to be the main entry point (96 percent of cases). That report also found that while, on average, 78 percent of people did not fail a phishing test last year, 4 percent of people fall for any given phishing campaign. A cybercriminal only needs one victim to get access into an organization.

In a recently released report, Cofense, a security software services company, specifically examined phishing attacks in healthcare. Cofense’s analysis is based on more than 160 sample healthcare clients over the last year (September 2017-2018) and the report explores how phishing endangers healthcare providers and provides steps organizations should be taking to boost their resiliency rate.

The report’s researchers examined healthcare’s resiliency to phishing attacks. Resiliency, as the report defines it, is the ratio of users who report a phish to those who fall susceptible. Resiliency in healthcare has improved over the past three years, from a rate of 1.05 in 2015 to a rate of 1.49 so far in 2018, but that is not a dramatic improvement.

Based on a resiliency analysis across industries of the last 12 months, the healthcare industry clearly trails behind other industries in its phishing attack resiliency rate, as the average resiliency score for all industries was 1.79, according to the report.

The energy industry had a resiliency rate of 4.01, the financial services industry had a rate of 2.52, and the insurance industry had a rate of 3.03. The report’s researchers surmise that one possible reason resiliency is higher in insurance versus healthcare is that insurance is tied to financial services, which is frequently attacked as well as heavily regulated.

“The healthcare industry knows better than most that phishing is a serious problem. But the industry is still playing catch-up in phishing resiliency,” the report authors wrote.

One factor that surely inhibits the industry’s resiliency is high turnover, according to the report. “With physicians, registered nurses, and administrative staff constantly churning, it’s hard to gain traction in the fight against phishing,” the report states.

Cofense builds and tracks phishing simulations for its customers in which users receive simulated phishes. Based on the company’s analysis of these phishing exercises, the top five phishing scenarios that healthcare workers most frequently clicked on, based on the email subject line, were requested invoice, manager evaluation, package delivery, Halloween eCard alert and beneficiary change.

The next five were Holiday eCard alert, HSA customer service email, employee raffle, file from scanner and Halloween costume guidelines.
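The resiliency ratio defined above and the per-scenario click ranking just listed are the two numbers a phishing awareness program owner actually tracks, so here is an added example (not code from the Cofense report or this article) that computes both from simulation outcomes. The scenario names are taken from the report; the outcome records and the use of the report's 1.79 cross-industry average as a comparison threshold are constructed assumptions.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed simulation outcomes (not data from the Cofense report): one record
# per delivered simulated phish, as (scenario, outcome), where outcome is
# "reported", "clicked" (the user fell susceptible) or "ignored".
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("Requested Invoice", "clicked"), ("Requested Invoice", "clicked"),
    ("Requested Invoice", "reported"), ("Requested Invoice", "ignored"),
    ("Manager Evaluation", "clicked"), ("Manager Evaluation", "reported"),
    ("Manager Evaluation", "reported"), ("Manager Evaluation", "ignored"),
    ("Package Delivery", "clicked"), ("Package Delivery", "ignored"),
    ("Package Delivery", "ignored"), ("Package Delivery", "reported"),
    ("Employee Raffle", "reported"), ("Employee Raffle", "reported"),
    ("Employee Raffle", "ignored"), ("Employee Raffle", "ignored"),
]

# Cross-industry average quoted in the report; used here as a comparison
# threshold (an assumption about how one would apply it, not the report's method).
INDUSTRY_AVERAGE_RESILIENCY = 1.79


def resiliency(reported: int, susceptible: int) -> Optional[float]:
    """Resiliency as the report defines it: users who reported a phish divided by
    users who fell susceptible. With zero susceptible users the ratio is
    undefined, so None is returned instead of dividing by zero."""
    if susceptible == 0:
        return None
    return round(reported / susceptible, 2)


def scenario_stats(events) -> Dict[str, dict]:
    """Per-scenario delivered/clicked/reported counts, click rate and resiliency."""
    counts: Dict[str, Counter] = {}
    for scenario, outcome in events:
        counts.setdefault(scenario, Counter())[outcome] += 1
    stats = {}
    for scenario, c in counts.items():
        delivered = sum(c.values())
        stats[scenario] = {
            "delivered": delivered, "clicked": c["clicked"], "reported": c["reported"],
            "click_rate": round(c["clicked"] / delivered, 2),
            "resiliency": resiliency(c["reported"], c["clicked"]),
        }
    return stats


def overall_resiliency(events) -> Optional[float]:
    """Program-wide resiliency across every scenario."""
    c = Counter(outcome for _, outcome in events)
    return resiliency(c["reported"], c["clicked"])


def riskiest_scenarios(events, top_n: int = 3) -> List[str]:
    """Scenarios ranked by click rate, highest first (the report's 'most clicked' view)."""
    stats = scenario_stats(events)
    return sorted(stats, key=lambda s: stats[s]["click_rate"], reverse=True)[:top_n]


def below_industry_average(events) -> List[str]:
    """Scenarios whose resiliency is defined and trails the cross-industry average."""
    return [s for s, v in scenario_stats(events).items()
            if v["resiliency"] is not None and v["resiliency"] < INDUSTRY_AVERAGE_RESILIENCY]
```

Scenarios that rank high on click rate but low on resiliency are the ones to repeat in the next simulation round, which is the conditioning use the report recommends.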

“These wide-ranging scenarios show that vulnerability is spread across business and social contexts,” the report authors wrote. The analysis indicates low scores in Requested Invoice and e-Card simulations alike. “While some would argue that an e-Card would never evade their secure email gateways, remember the gaps created by BYOD (bring your own device). Not everyone is on the corporate network and protected by its email systems. When personal devices are exposed, a breach can easily ensue,” the report authors wrote.

The Cofense report also notes that phishing attackers are masters at pulling emotional levers, as “Requested Invoice” plays on urgency, and “Manager Evaluation” taps into urgency too, tinged with fear. What’s more, “Employee Raffle” is purely about the desire for reward. “These are scenarios any healthcare company will want to use in conditioning employees to be careful and not take the bait.

In previous years, Cofense reported that fear, urgency, and curiosity were the top emotional motivators behind successful attacks. Now they’re closer to the bottom, replaced by entertainment, social media, and reward/recognition,” the report authors wrote.

The trend shows that as Internet behavior changes, so do phishing attacks, according to the report authors. They also note that any active threat a company faces is fodder for training: security professionals who manage phishing awareness programs should ask their incident responders or threat intelligence analysts which active phishing threats should be simulated.

“To guard against the phishing onslaught, healthcare providers would be smart to create an end-to-end defense, following the lead of the company featured in the case study. A collaborative defense, built with technology and skilled humans, both users and security professionals, is the best way to lower risk,” the report authors wrote.
