*Disclaimer: This article originally appeared in Health IT Outcomes.
Three steps to reverse the trend.
It’s well established th
Furthermore, recent headlines such as Healthcare firms invite cyberattacks and Report: Healthcare the least prepared sector against cyberattacks make it clear that not only is this problem not going away, but healthcare organizations are allowing it to continue.
This begs the question — what’s holding healthcare organizations back from doing more to protect themselves?
They’re Focusing More On Productivity Than Security
Doctor/nurse efficiency and productivity have been seen as a major driver of healthcare IT changes over the past few years. Productivity has been the call to arms, rather than security. Doctors need to be able to move quickly from system to system and device to device without obstacles. Unfortunately, in many cases, productivity and security have been seen as an either/or decision. That’s not true across the board, certainly not with identity and access management technology, for example, but that thinking has spread enough that many in healthcare view the situation in that light, and they’ve chosen productivity as the priority.
HIPAA Leads Them To Focus On Compliance More Than Security
The national compliance standard, intended to protect the privacy of patient data, can be partially blamed for the inaction of healthcare organizations in securing that data. HIPAA instructs medical providers on when they can share patient information and with whom. It also states healthcare organizations must protect patient data and information. What it does not do is establish how that data must be secured. HIPAA contains very few mandates on the protection of patient information. This leads many healthcare facilities to build an infrastructure that is compliant with HIPAA rather than secure. It’s actually created a false sense of security among many healthcare providers. Many that are in compliance with HIPAA actually are not securing patient information very well at all, as the multitude of recent cyber-attacks has revealed.
Executives Are Not Prioritizing Security
Amazingly, even with all the data and evidence demonstrating the clear and present danger of attacks, security doesn’t seem to be a priority for those running healthcare organizations. On average, healthcare providers spend less than 6 percent of their IT budget on security. Their counterparts at financial institutions spend at least double that (12 to 15 percent of their IT budget), while the federal government spends 16 percent of its IT budget on security. Another sign that security isn’t receiving adequate attention in the boardroom is the fact that 60 percent of healthcare boards of directors only get security updates on an as-needed basis, compared to regular quarterly reports on finances and operations.
All of these issues have contributed to the growing problem healthcare institutions face with cybersecurity. The longer they’re seen as vulnerable, easy targets, the more the attacks on them will continue. With the use of networked medical devices continuing to increase, we can only expect hospitals and other healthcare providers to become even more appealing targets for attackers.
Healthcare organizations must begin improving their security programs, protocols and solutions now. To reverse this trend and begin proactively securing their organizations, healthcare providers should take three steps toward a company-wide shift in security.
To overcome this unintentional ROI bias, those making security requests must supplement their ROI analyses. Instead of relying solely on ROI, add a Risk Assessment Report or a Security Audit to the decision. This Report or Audit would cover the technology that funding is being considered for — IAM software, a firewall or an intrusion detection system, for example. It would define the breaches the technology can prevent and analyze the vulnerabilities the organization currently faces without the technology. An Assessment Report would also estimate the probability of each identified breach, as well as the likely loss if it were to take place. Complementing the projected ROI of the solution with this numerical risk data can make a more compelling case for security technology when it is positioned against patient-facing tools for budget. The numerical risk data becomes even more persuasive when paired with real-world examples of breaches, along with the costs the attacked organizations had to spend in the aftermath.
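The "probability times likely loss" reasoning above is the standard annualized loss expectancy calculation, and it is easiest to follow when carried through with actual figures. The script below is an added illustration, not part of the original article and not a tool from Health IT Outcomes; every scenario, probability, loss amount and control cost in it is a constructed, hypothetical number chosen only to show the arithmetic, and `BreachScenario`, `risk_assessment` and `rank_scenarios` are names invented for this example. It compares the expected annual loss of a hospital with and without a proposed control (here an IAM rollout, as in the text) and derives the net benefit and return on security investment that a Risk Assessment Report would place beside the plain ROI figure.

```python
"""Quantitative risk comparison for a proposed security control.

Added example (not from the original article). All figures are constructed,
hypothetical inputs; a real report would source them from incident history,
breach-cost studies and the organization's own fine exposure.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class BreachScenario:
    """One breach the control is assessed against (hypothetical class)."""
    name: str
    annual_probability: float       # estimated chance it occurs in a given year, 0..1
    loss_if_occurs: float           # remediation + notification + fines, in USD
    reduction_with_control: float   # fraction of the probability the control removes, 0..1

    def __post_init__(self) -> None:
        # Reject inputs that would silently produce a meaningless report.
        if not 0.0 <= self.annual_probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be in [0, 1]")
        if not 0.0 <= self.reduction_with_control <= 1.0:
            raise ValueError(f"{self.name}: reduction must be in [0, 1]")
        if self.loss_if_occurs < 0:
            raise ValueError(f"{self.name}: loss cannot be negative")

    def annual_expected_loss(self, with_control: bool = False) -> float:
        """Annualized loss expectancy = probability x single-event loss."""
        probability = self.annual_probability
        if with_control:
            probability *= 1.0 - self.reduction_with_control
        return probability * self.loss_if_occurs


def risk_assessment(scenarios: List[BreachScenario],
                    annual_control_cost: float) -> Dict[str, float]:
    """Summarize expected loss before/after the control and the return on it.

    ROSI = (loss avoided - control cost) / control cost, so 0.0 means the
    control exactly pays for itself and 1.0 means it returns double its cost.
    """
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    before = sum(s.annual_expected_loss(with_control=False) for s in scenarios)
    after = sum(s.annual_expected_loss(with_control=True) for s in scenarios)
    avoided = before - after
    return {
        "ale_before": before,
        "ale_after": after,
        "loss_avoided": avoided,
        "net_benefit": avoided - annual_control_cost,
        "rosi": (avoided - annual_control_cost) / annual_control_cost,
    }


def rank_scenarios(scenarios: List[BreachScenario]) -> List[str]:
    """Scenario names ordered by untreated expected loss, largest first.

    This is the list a report leads with: it shows which breaches dominate
    the organization's exposure regardless of the control under discussion.
    """
    ordered = sorted(scenarios, key=lambda s: s.annual_expected_loss(), reverse=True)
    return [s.name for s in ordered]


# Constructed sample inputs for a hypothetical hospital evaluating an IAM
# rollout. The IAM control mainly addresses credential misuse, partly helps
# against phishing-delivered ransomware, and does nothing for lost laptops.
SCENARIOS = [
    BreachScenario("Stolen clinician credentials used to access EHR", 0.30, 1_500_000, 0.70),
    BreachScenario("Ransomware delivered by phishing", 0.20, 2_000_000, 0.25),
    BreachScenario("Lost unencrypted laptop with patient records", 0.10, 400_000, 0.00),
]
ANNUAL_CONTROL_COST = 150_000  # hypothetical yearly cost of the IAM solution


if __name__ == "__main__":
    report = risk_assessment(SCENARIOS, ANNUAL_CONTROL_COST)
    print("Exposure ranking:", rank_scenarios(SCENARIOS))
    for key, value in report.items():
        print(f"{key:>13}: {value:,.2f}")
```

Read the result as the report would present it: the three hypothetical scenarios carry roughly $890,000 of expected annual loss untreated, the IAM control cuts that to about $475,000, and after its $150,000 yearly cost it still nets around $265,000 a year. A plain ROI calculation that counts only saved clinician login time would never surface that figure, which is exactly the gap the Risk Assessment Report is meant to close.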
Ultimately, the costs of proactive, preventative security solutions are minimal when compared with the expenses of dealing with a cyber-attack, especially when factoring in the applicable HIPAA fines, which now reach into the millions.
Healthcare organizations must get proactive in dealing with their security instead of waiting for something to happen to make changes. Cyberattacks have become too damaging and too costly to sit back idly and wait. Systemic change is needed at healthcare organizations, from systems admins all the way up to the CEO and board. The right people, technologies and protocols need to be implemented that can prevent attacks and minimize damage in the event of an attack.
Failing to get serious about preventing attacks like those we’ve seen recently means we’ll continue to see alarming, damaging headlines. Take action now. Don’t become the next headline.