Security issues reach beyond IT staff
Data breaches are out there, and by many accounts they’re even getting worse, while healthcare organizations still aren’t taking the steps they must to safeguard patient data.
"Providers need to realize that this is a much more serious game than it has been in the past," says Mac McMillan, CEO of the information security company CynergisTek and chairman of the HIMSS Privacy and Security Task Force. Data breaches, he says, "are definitely getting more serious, and definitely becoming more deliberate."
That's why privacy and security issues will dominate a lot of conversations at HIMSS15 this April in Chicago. McMillan, in fact, will be sharing his unique insights during a session titled "Selecting the Right CISO and Building the Security Office" on April 13.
Surveys consistently put privacy and security at or near the top of the list of concerns for healthcare providers this year, and with some estimates saying data breaches could cost the industry upwards of $5.6 billion annually, it's no small concern. More numbers to consider: 29.3 million patient records compromised since 2009, and 4 million patients considered compromised in the 2014 theft of unencrypted computers at the Advocate Health System.
In fact, 2014 could rightly be termed "the Year of the Data Breach," thanks to major events like the Sony hack, Heartbleed and Shellshock, and major breaches at Community Health Systems (some 4.5 million patients affected) and the Montana Department of Health and Human Services (1.3 million). One hacker even tried to extort a ransom from a critical access hospital for its stolen health data. And no one is thinking 2015 will be any easier.
McMillan, in fact, says he's seen an uptick in provider investment in security technology and partnerships with managed service partners, but he feels the C-suite still isn't taking the issue seriously enough.
"They're still thinking that this is just an IT issue," he said. "It's an organizational issue. They need to view privacy and security as part of their core mission."
His concerns going forward include an increase in so-called zero-day attacks and phishing scams, as well as hacked medical devices and the need to more robustly secure mobile computers, be those patients’ cellphones or the doctors’ tablets.
"I hate to say it, but I think consumers are kind of fatigued by it," he said. "They don't trust anybody."