Commentary: Healthcare providers must spend more on cybersecurity readiness
Not long ago we introduced you – assuming, let's hope, that your organization hasn't been introduced already – to one of the latest species of ransomware: The so-called "Crysis" bug doesn't just encrypt a hospital's critical data, it can exfiltrate it to the bad guys' own servers.
Thus the question with this variant is not just whether or not to pay ransom to the cyber attackers. It's whether there's been a HIPAA breach. As the security expert we spoke to for the story puts it, that's a question no one – not least a covered entity – wants to be asking.
So how to avoid it? The easy answer, of course, is to improve security preparedness – both with regard to people and technology.
The harder thing to grapple with, especially for cash-strapped hospitals, is that that costs money. "On a board level, it needs to be clear that cybersecurity cannot take the backseat," said the expert. "They have to open up resources."
Global spending on information security surpassed $75 billion in 2015, according to Gartner – a modest increase of 4.7 percent over the previous year.
The healthcare industry in particular has some substantial ground to make up, however.
Providers typically spend less than 6 percent or so of their IT budget on security, according to HIMSS Analytics data. Financial institutions, by way of comparison, invest between 12 and 15 percent on average.
If healthcare is to have any hope of doing right by patients and keeping their data safe from attack, that budgetary gap is going to have to narrow.
Luckily, the 2015 HIMSS Cybersecurity Survey suggests that may be happening, if slowly: 87 percent of respondents said infosec had increased as a priority at their organizations over the past year, with notable improvements in network security, endpoint protection, data loss prevention, disaster recovery and more.
But as the threats proliferate from opportunistic phishing emailers, politically motivated hacktivists, bitcoin-greedy ransomware crooks, negligent insiders and other bad actors, hospitals are still often caught flat-footed, relying on basic or even outdated technologies that leave them exposed to risk rather than protected from it.
"Healthcare organizations continue to rely on technologies such as anti-virus software, firewalls and data encryption to secure their IT environments," according to HIMSS. Advanced security technologies and strategies – multi-factor digital identity, dynamic biometrics, intrusion detection systems, data loss prevention tools – were much less common.
In Healthcare IT News' July print edition, we examine how both people and technology are key to keeping pace with fast-evolving cyber threats.
Our buyer's guide offers detailed insight on an array of intrusion detection and prevention tools, helping IT buyers learn what they need to know about this crucial technology.
Our cover story, meanwhile, takes a look at the increasingly critical job of the chief information security officer, exploring just where the role should fit in a hospital's reporting structure. Should the CISO report to the CIO? Or be grouped with compliance or the general counsel? Or something else?
With the stakes of a data breach so high, many are arguing that these security pros need more autonomy and power. One thing's for sure: With CISO salaries now often exceeding $400,000, many are making a whole lot more money.
And that's probably as it should be.
"I think information security is probably the single biggest issue facing IT operations in healthcare right now," said Geisinger Health System Chief Data Officer Nick Marko, MD, in an outtake from my recent interview with him.
At the same time, he says, it's "one of the most under-recognized and systematically neglected" areas in this industry.
"Hospital boards and CEOs have to start demanding that a larger fraction of hospital budgets be devoted to security, and we have to start being creative, as IT people, about how we build out our security programs," says Marko.
"It's not getting any safer out there, and healthcare is a great target: We've got lots of important information, and some of the weakest security."
At Geisinger – particularly over the past year-and-a-half of hair-raising security headlines – security spending is on the rise, says Marko. "We've accelerated our data security operations, and there's been a jump in spending. Personally I wish it was more, but we're definitely moving in the right direction."
Getting the powers that be to open up the purse strings for bolstered cyber-readiness is a must-do. Read Tom Sullivan's Innovation Pulse column for some tips on how to convince them of that.