Cybersecurity is hard, got it? But let's stop blaming hospitals for every breach

Yes, health entities need to be held responsible for protecting patient data but public shaming isn’t making that happen. There’s a better way forward.
By Tom Sullivan
12:02 PM

Michael Figueroa, Executive Director of the Advanced Cyber Security Center, speaking at the HIMSS Security Forum in Boston Sept. 13.

I stepped into the Healthcare Security Forum this week in Boston hoping to walk away with perhaps a few nuggets of optimism, even small ones. That didn’t exactly happen but, instead, a new message emerged: the conversation about cybersecurity is so negative that it only triggers tension and hostility among infosec pros, executives and end users.

“Information security in and of itself is a tough business,” said Keith Fricke, Partner at TW-Security.

Michael Figueroa, Executive Director of the Advanced Cyber Security Center added, “Cybersecurity is about facing adversity every single moment every single day. What we hear about is when they fail. We don’t hear about the success.”


Let’s use that reality to finally recognize how difficult cybersecurity work actually is so we can then move forward from there.

Just to get this out of the way, of course, this doesn’t mean Health and Human Services Office for Civil Rights should cease and desist audits and penalties. That’s not the point.

But instead of focusing on failures and pointing fingers, the healthcare sector needs to work on coordinated disclosure as well as identifying solutions and approaches that actually solve the problem.

“We need to stop the negative conversations,” Figueroa said. “Bad things happen in every stream of business. We need to learn from them instead of blaming people.”

Figueroa recommended a three-pronged approach to building a new security baseline. First, healthcare organizations must collaborate, because having every one of them solve the same problems individually wastes time, money and talent.

That’s a natural segue to the second prong: circulate information about cyberthreats and, ultimately, create a culture of sharing to advance collaboration and patient safety.

The third prong is to participate. With more collaboration and sharing, the final piece is to promote a community defense.

Infosec executives and security teams, at the same time, need to stop blaming the end users they support.

“The most insidious part of being a security professional?” Figueroa said. “The mantra: People are the weakest link.”

Many would argue that’s true and I won’t counter because the more important reality is the downstream effect such a mindset creates.

“Security almost always causes friction and makes the user experience less enjoyable,” said Tim Tompkins, Senior Director of Security Innovation at Aetna.

Another difficult aspect of infosec? “Owning risk is the hardest job in the industry,” said Stephen Nardone, Practice Director of Security and Mobility at Connection.

Nardone pointed to the human attack surface, predicted to expand by 2020 to 4 billion people who can be socially engineered in some way, as a particular pain point.

As of HIMSS Analytics’ latest study, more than half of IT shops own risk management, according to Bryan Fiekers, Senior Director of Research Services at HIMSS Analytics.

“We’re entering a phase of value-based care where all the information has to flow, where part of a patient’s digital record is what’s happening with smartwatches and Fitbits,” Fiekers said. “What we need is the balance of that availability coupled with security. There are all sorts of discussions that have yet to be had about how to manage this, how to create that balance.” 

I left the forum having realized a few things.

Cybersecurity is difficult, the situation will only get worse before it can get better — and for that to happen the industry must move beyond its current state of skewering hospitals for data breaches and other missteps.

Hold them accountable, slap hefty fines against negligent offenders, notify users of breaches, indeed. But the time has come to drop the finger-pointing and work together to focus on how healthcare as a community can fix the infosec problem.

Twitter: SullyHIT
Email the writer: tom.sullivan@himssmedia.com
