The real enemies of good cybersecurity – and its closely related cousin, patient safety – are often intangible: apathy, ignorance and indecision. Not the many threats we face today. Every federal agency that tracks cyber incidents has placed healthcare at the head of the pack in terms of risk. Every threat center or company that monitors security and publishes statistics and studies on the topic of cyber incidents has identified healthcare as the number one targeted industry.
Richard Clarke, former special advisor on cyber security to the President, commented on the state of insecurity in healthcare at the HIMSS Privacy & Security Forum in Boston in December, and Ed Marx, former senior vice president and chief information officer for Texas Health Resources, seemed to agree with the characterization of healthcare as “laggards” when it comes to protecting its systems and data. Cyber risk is a real issue with very costly consequences. So why doesn’t it get the attention and priority it deserves? What are the core issues contributing to our current state of affairs? In the spirit of true introspection and continuing the theme of honest appraisal started by Mr. Clarke and Mr. Marx, let’s examine some often unspoken contributors to our current state of security. Make no mistake, we’re in a fight here, and healthcare boards and executives must respond.
The first contributor is apathy in its many forms. Often described as indifference or disinterest, it usually manifests itself with respect to security as not taking the threat seriously or not taking responsible action. It is also usually accompanied by rationalizing that other things are more important to the business. What’s interesting here is that there isn’t a health system in America where information technology and data are not critical, strategic assets of the business. We spend millions on information systems and software, swear by the importance of timely, reliable, and accurate data, and then struggle to spend a fraction of that on the security systems and resources necessary to protect that investment. The problem is that the threat is not indifferent when it attacks. Just ask the folks at Boston Children’s Hospital who suffered a deliberate attack by hacktivists, or any of the big breach victims from last year. I assure you none of them came away thinking the threat was not real or serious or in any way indifferent. Apathy leads to unpreparedness, and makes it easier for cyber criminals to succeed.
The second contributor is ignorance, which is often described as being unaware of, or not understanding, something. The threat is counting on you not knowing what it’s capable of or appreciating how it can exploit your enterprise. The worst form of ignorance is ignorance that results in feigned indifference. Classic examples of this are organizations that fail to test their security or examine their controls because somehow not knowing is supposed to obviate responsibility or liability. Just recently I saw another incredible example of this when a CISO asked for advice on how to deal with a General Counsel who opined that their organization should not ask its vendors about their security because knowing the answers would create liability. As much as a third of all breaches reported involve third parties. What’s riskier: doing the due diligence and perhaps having to accept some risk, or not doing the due diligence and not knowing? More importantly, what is more responsible? How would the average patient react if told that their information was going to be shared with a third party, but we have no idea if it will be secure, and we aren’t going to ask because we’re more concerned about our liability than your privacy? The ostrich defense is not particularly effective.
The last contributor is indecision. Again, there may be many reasons for indecisiveness, but regardless of the reason, failing to act when aware of an imminent threat or a known vulnerability can be a regrettable experience, as many have learned. And as before, it is exactly what cyber criminals are hoping for. Over and over again we hear stories of opportunities lost: the stolen laptop, when there was money in the budget for encryption; the stolen computer equipment, when plans to upgrade the locks were pending; the stolen server, when plans to move it from whoever’s office it was sitting in into the data center just hadn’t happened yet; the risk assessment put off, followed by the inevitable breach and the OCR request to see that assessment. Then there is the embarrassment, not to mention the financial impact, when the billing company we use suffers a ransomware attack, because we never asked if they were prepared for an outage.
2015 was fraught with incidents that represented missed opportunities and huge costs, both in dollars and reputation, which could have been avoided. In general, the cost to recover far exceeds the cost to protect. Most of those predicting what this coming year will bring see no slowdown in the onslaught of attackers and mishaps that will befall healthcare. But 2016 also represents a New Year and an opportunity to change that impression by eliminating the intangible factors that get in the way of making the right decisions and doing the things that will make it more difficult for bad actors and mishaps to undermine the mission of providing quality, safe healthcare.
That is the challenge for healthcare boards and executives: Seek to understand the threat, make appropriate investments in people and resources, partner smartly, expect independent review and assessment, know that vigilance and discipline are required, and that certifications don’t make us secure. If they did, we wouldn’t have had half the breaches we had last year. We’re all supposed to make a wish for the New Year, so mine is that we make meaningful progress in the fight against cyber criminals and reduce the number of cyber misdeeds. We do phenomenal things in healthcare every day. We can do better here as well.