It was fascinating to speak this week with David Finn about healthcare data security. Finn, a former long-time CIO and the health IT officer of the Mountain View, California-based Symantec, helped lead a survey-based study cosponsored by his organization and by the Chicago-based HIMSS Analytics, one that looked in some depth at the data security issues facing CIOs, CISOs, and other IT leaders in U.S. healthcare. He is also someone who sees very clearly some of the challenges—and yes, opportunities—facing CIOs, CISOs, and other healthcare IT leaders right now in our healthcare system. He had released the results of that study, entitled “Healthcare IT Security and Risk Management Study,” on Wednesday, March 2, on the exhibit floor of the Sands Expo in Las Vegas, during HIMSS16.
The survey on which the study was based was conducted online in December 2015, and was followed by in-depth phone interviews with CIOs and other healthcare IT leaders in order to obtain a deeper understanding of some of the survey's results. Key findings, as I reported in my article on Monday, included the following:
- The percentage of total IT budget being spent on data security is still small: 51.6 percent are spending 0-3 percent; 28.6 percent are spending 4-6 percent; 9.9 percent are spending 7-10 percent; and just 9.9 percent are spending more than 10 percent.
- The number of IT employees devoted solely to IT security is still relatively small, at 9.9 FTEs.
- These are not smaller hospitals: fully 38.3 percent of respondents work at hospitals and health systems with 501 or more beds; 26.2 percent represent hospitals and health systems with 251-500 beds; 36.5 percent represent hospitals and health systems with 101-250 beds; and none represent hospitals and health systems with fewer than 100 beds.
On a more qualitative level, when I asked David Finn whether he was surprised by any of the results, he told me: “The only surprising thing is, here we are 13 years down the road from the privacy act, and 11 years down the road from the security act, and the only thing surprising to me is that we still haven’t done very much, substantively speaking. We haven’t addressed some of the real issues like medical devices; and we still haven’t addressed issues like cloud and mobile devices. And we still approach it from this kind of ‘check-the-box’ perspective, as though it’s a compliance issue, and compliance doesn’t protect you; you’ve still got to be secure.”
So what should CIOs and CISOs be doing? I asked David. “The first thing,” he said, “whether the CIO or the CISO or, ideally, both of them together are involved, is that they need to go to the board and put in a plan for IT security governance, and the governance committee has to include stakeholder leaders from across the entire organization. And it has to include additional tools, spending, and head count. The other thing is that that governance group has to include medical device security now.”
Here’s the thing: if ever there were a time for CIOs and CISOs to get real about data security, now would seem to be it. As David and I noted, the now-infamous ransomware incident at Hollywood Presbyterian Medical Center in Los Angeles took place after the HIMSS Analytics/Symantec study had been completed, but before David Finn had presented the results at HIMSS16. David agreed with me that he and I are both hearing of ransomware incidents regularly now, but that the Hollywood Presbyterian situation had received a great deal of attention because that hospital’s CEO had spoken openly to the local news media in Los Angeles.
So, as I noted in a blog at that time, we appear to be entering a dangerous and frightening new phase in terms of data security issues in U.S. healthcare—or perhaps we should say, data insecurity. What the juxtaposition of this survey-based study’s results and the Hollywood Presbyterian situation makes clear is that the routinized, “business-as-usual” approaches to data security that have been the norm until now are no longer going to cut it. The resources—financial, technological, and human—that have been devoted explicitly to data security in hospitals, medical groups, and health systems remain woefully inadequate to present needs, not to mention future ones, as the landscape—littered with ransomware and other emerging phenomena—becomes more perilous by the month. Indeed, spending less than 3 percent of one’s organization’s IT budget on data security—even as the healthcare industry’s IT investment norms already lag behind those of other industries, like financial services and manufacturing—seems woefully inadequate in the face of challenges that are building like a rapidly rising seismic sea wave.