by Chris Bowen
Chief Privacy & Security Officer and Founder
One morning earlier this week while enjoying my coffee, I came across this headline: Healthcare data breaches costs industry $4 billion by year’s end, 2020 will be worse reports new Black Book survey. I put down my coffee. In my work as a Chief Privacy and Security Officer working exclusively in healthcare, I wish I was surprised. What I am, however, is outraged. So fair warning readers - this post gets personal.
I founded ClearDATA in 2011 to protect patient privacy. I did this because in my work with healthcare organizations, I realized there was no company solely focused on protecting PHI (protected health information). And I believe in my core that individuals - whether citizens, consumers, or patients - have a right to privacy and to have their data secured.
When I founded this company, I thought that more providers and physician practices would have course-corrected by now, but as you can see, the carnage of poor security persists. To be clear, not all providers are leaving the gates of their castles wide open for medical identity theft. I work with some incredible leaders who are making strong and strategic commitments to protect the data of the people who trust them with it. I’m excited to help them succeed. But check out the stunning statistics in this article of those who have not made that commitment.
According to the story from Black Book™ Research, “So far in 2019, healthcare providers continued to be the most targeted organizations for industry cybersecurity breaches with nearly 4 out of 5 breaches.” You’d think if you knew you were a target and were under attack, you’d shore up your defenses, right? Think again. Below are some stats from the survey respondents (2,876 security professionals and 733 provider organizations):
- Over 93% of healthcare organizations have experienced a data breach since Q3 2016, and 57% have had more than five data breaches during the same timeframe.
- More than 300 million records have been stolen since 2015, affecting one in 10 healthcare consumers
- 90% of hospital representatives surveyed said their IT security budgets had remained level since 2016
- Physician organizations and groups report a decrease in cybersecurity expense allocated, with less than 1% of their IT budgets earmarked for cybersecurity in 2020
- 70% of IT management respondents report their operations are not fully aware of the variety of cybersecurity solutions sets that exist
- 58% of hospitals did not select their current security vendor in advance of a cybersecurity incident
- 35% of healthcare organizations did not scan for vulnerabilities before an attack
And, perhaps the most egregious of these startling statistics:
- 94% of hospitals have not augmented their cybersecurity protections since their last breach.
Read that one again. If you look at that by itself, you might conclude that someone is asleep at the wheel. I cannot imagine being the victim of a cyberattack and doing nothing - nothing at all - to augment the existing safeguards. Patients should not tolerate that kind of lack of action.
I understand what Black Book founder Dan Brown points to as a core reason for that lack of action: budget constraints make replacing legacy software and devices tough, leaving providers more prone to attacks than other sectors. We all understand the challenges of dwindling margins. I’ve heard for years, “If we don’t have a margin, we don’t have a mission.” I get that. You must have money to deliver healthcare. The challenge is when a hospital administrator looks solely at the revenue side of the ledger. He or she ignores the expense side. They fail to consider how much money it costs to remediate a data breach. Check out recent headlines – it’s in the hundreds of millions of dollars. The cost of privacy and security safeguards, compared to the price of making things right after an attack, is marginal. And that’s not even taking into account how to repair the damage inflicted on so many patients’ lives.
From a business perspective, it makes a lot more sense to proactively protect your data than to have to respond to a breach. Incidentally, during a breach, it’s not the best time to be shopping for cybersecurity support and managed services. To say the budget doesn’t make shoring up the defenses possible is penny wise and pound foolish.
Organizations looking to defend their data (and they must) need a defense-in-depth posture that often requires multiple solutions to fill gaps in their cyber-defenses. Think about the HIPAA security rule; there are more than a dozen technical controls that need to be in place. Not the least of which includes encryption designed to help protect the data if someone gets to the place where the data is stored. Other safeguards need to be in place as well at different places within the castle – a physical example of defense-in-depth principles. Using that metaphor for a moment, imagine if during the Game of Thrones saga, the castle gates are pried open, the white walkers storm the castle, and the sentries neglect to fix the gates once the invasion is over. You’d be screaming in your living room that they must defend the castle! And yet we see in this survey a glaring percentage of providers have done nothing to augment their security after an attack. It’s like leaving the castle gates broken. Yes, there will be more attacks, and yes, they will be costly to the people in the castle. So, if you are a physician group or provider reading this, and you don’t have a security officer on your team who is actively, vigilantly addressing these issues then in addition to getting one, here is some advice to get started:
1. Decide upon a risk framework to use as your standard. The standard may come from the NIST Cybersecurity Framework. It may be the HITRUST Common Security Framework – the gold standard. It may be ISO-based. Or it may just be the HIPAA Security Rule.
2. Understand the deviation from your chosen standard. Perform a security risk assessment that looks across technical, administrative, and physical safeguards.
3. Create your inventory of assets and a PHI inventory. You have to know where your data is to protect it.
4. Evaluate your risk associated with that data inventory. Create a prioritized remediation road map where your management and IT teams align on what is most urgent to fix first, second, and so on.
5. Fix the problems! Don’t ignore your plan. To quote OCR Director Roger Severino, “When covered entities are warned of their deficiencies but fail to fix the problem, they will be held fully responsible for their neglect.”
6. Commit to using industry-standard best practices.
Don’t know the best practices? Great news, in addition to a lot of people and organizations who do know and are anxious to help you, there is also a plethora of information available to guide you. There are lots of places where you can learn more about best practices around cybersecurity. You have to go back to the defense-in-depth approach. Here are the very basics in a checklist:
- Encryption – in motion and at rest
- Patching of the OS (operating system)
- Making sure the OS is hardened according to up-to-date CIS standards
- Making sure anti-virus running and working
- Ensuring there are timely backups and that they are stored somewhere that is not the same place the primary is located. A colleague recently shared an experience at her hospital where a helicopter crashed on the roof, collapsing it into their on-premises data center that had not separated the backup geographically - everything was destroyed.
- Ensuring logging is happening correctly and that they are retained for the right period as required by law and as required by your retention policy
- Making sure those logs are being diligently monitored in order to detect any questionable behavior or anomalies
- Placing role-based access controls and limiting access to data to only those who need it
- Removing access when roles change
- Archiving or destroying the data when no longer needed
I was also shocked to see how many hospitals and practices had not simulated a security incident. Can you imagine a hospital never practicing a fire drill? We wouldn’t stand for it. Hospitals wouldn’t dream of waiting until a patient arrived in cardiac arrest to figure out how to admit and treat a heart attack victim. They must practice for a security event. As someone who does these simulations across the country, trust me when I tell you the time to figure it out is not while it’s happening to you. Having an incident response plan isn’t enough; you have to do the simulations.
In the last paragraph of the Black Book article it reads, “Cybersecurity risks are not at the front of administrators minds.” Well it needs to be. I understand that we have to weigh the spend. There are a lot of stakeholders that need funds. Our hospital systems are trying to stay in business based on low margins that are actually getting lower. They view security as a cost that erodes the margin, but in reality, if you don’t take care of the data hygiene - the basic blocking and tackling - no matter what creative revenue generating things are happening, it will be for naught if someone comes in the back door and steals the data.
Several forward-thinking providers have realized this and are doing their part to transform healthcare and improve patient outcomes. I’m honored to work with them. But reading this shocking article, it’s clear many are lagging. It’s time to wake up. Let’s figure out how to solve these challenges that are equally as important as not leaving a sponge in a patient at the end of the surgery.
If these survey statistics mirror your healthcare organization’s, it’s time to shore up your defenses. If you need advice, I urge you to reach out and message me on LinkedIn. I’ll give you free advice. Seriously. Let’s fix this.