One morning earlier this week, while enjoying my coffee, I came across this headline: Healthcare data breaches costs industry $4 billion by year’s end, 2020 will be worse reports new Black Book survey. I put down my coffee. In my work as a Chief Privacy and Security Officer working exclusively in healthcare, I wish I were surprised. What I am, however, is outraged. So, fair warning, readers – this post gets personal.
I founded ClearDATA in 2011 to protect patient privacy. I did this because in my work with healthcare organizations, I realized there was no company solely focused on protecting PHI (protected health information). And I believe in my core that individuals – whether citizens, consumers, or patients – have a right to privacy and to have their data secured.
When I founded this company, I thought that more providers and physician practices would have course-corrected by now, but as you can see, the carnage of poor security persists. To be clear, not all providers are leaving the gates of their castles wide open to medical identity theft. I work with some incredible leaders who are making strong and strategic commitments to protect the data of the people who trust them with it. I’m excited to help them succeed. But look at the stunning statistics in this article about those who have not made that commitment.
According to the story from Black Book™ Research, “So far in 2019, healthcare providers continued to be the most targeted organizations for industry cybersecurity breaches with nearly 4 out of 5 breaches.” You’d think if you knew you were a target and were under attack, you’d shore up your defenses, right? Think again. Below are some stats from the survey respondents (2,876 security professionals and 733 provider organizations):
And, perhaps the most egregious of these startling statistics:
Read that one again. If you look at that by itself, you might conclude that someone is asleep at the wheel. I cannot imagine being the victim of a cyberattack and doing nothing – nothing at all – to augment the existing safeguards. Patients should not tolerate that kind of lack of action.
I understand what Black Book founder Dan Brown points to as a core reason for that lack of action: budget constraints make replacing legacy software and devices tough, leaving providers more prone to attacks than other sectors. We all understand the challenges of dwindling margins. I’ve heard for years, “If we don’t have a margin, we don’t have a mission.” I get that. You must have money to deliver healthcare. The problem arises when a hospital administrator looks solely at the revenue side of the ledger and ignores the expense side, failing to consider how much it costs to remediate a data breach. Check out recent headlines – it’s in the hundreds of millions of dollars. The cost of privacy and security safeguards, compared to the price of making things right after an attack, is marginal. And that’s not even taking into account how to repair the damage inflicted on so many patients’ lives.
From a business perspective, it makes a lot more sense to proactively protect your data than to have to respond to a breach. Incidentally, the middle of a breach is not the best time to be shopping for cybersecurity support and managed services. Saying the budget doesn’t allow for shoring up the defenses is penny-wise and pound-foolish.
Organizations looking to defend their data (and they must) need a defense-in-depth posture that often requires multiple solutions to fill gaps in their cyber-defenses. Think about the HIPAA Security Rule; there are more than a dozen technical controls that need to be in place. Not the least of these is encryption, designed to help protect the data even if someone reaches the place where the data is stored. Other safeguards need to be in place as well, at different points within the castle – a physical illustration of defense-in-depth principles. Staying with that metaphor for a moment, imagine if during the Game of Thrones saga the castle gates are pried open, the White Walkers storm the castle, and the sentries neglect to fix the gates once the invasion is over. You’d be screaming in your living room that they must defend the castle! And yet we see in this survey that a glaring percentage of providers have done nothing to augment their security after an attack. It’s like leaving the castle gates broken. Yes, there will be more attacks, and yes, they will be costly to the people in the castle. So, if you are a physician group or provider reading this, and you don’t have a security officer on your team who is actively, vigilantly addressing these issues, then in addition to getting one, here is some advice to get started:
1. Decide upon a risk framework to use as your standard. The standard may come from the NIST Cybersecurity Framework. It may be the HITRUST Common Security Framework – the gold standard. It may be ISO-based. Or it may just be the HIPAA Security Rule.
2. Understand the deviation from your chosen standard. Perform a security risk assessment that looks across technical, administrative, and physical safeguards.
3. Create your inventory of assets and a PHI inventory. You have to know where your data is to protect it.
4. Evaluate your risk associated with that data inventory. Create a prioritized remediation road map where your management and IT teams align on what is most urgent to fix first, second, and so on.
5. Fix the problems! Don’t ignore your plan. To quote OCR Director Roger Severino, “When covered entities are warned of their deficiencies but fail to fix the problem, they will be held fully responsible for their neglect.”
6. Commit to using industry-standard best practices.
Don’t know the best practices? Great news: in addition to a lot of people and organizations who do know and are eager to help you, there is a plethora of information available to guide you. There are lots of places where you can learn more about cybersecurity best practices. It all comes back to the defense-in-depth approach. Here are the very basics in a checklist:
I was also shocked to see how many hospitals and practices had not simulated a security incident. Can you imagine a hospital never practicing a fire drill? We wouldn’t stand for it. Hospitals wouldn’t dream of waiting until a patient arrived in cardiac arrest to figure out how to admit and treat a heart attack victim. They must practice for a security event. As someone who does these simulations across the country, trust me when I tell you the time to figure it out is not while it’s happening to you. Having an incident response plan isn’t enough; you have to do the simulations.
The last paragraph of the Black Book article reads, “Cybersecurity risks are not at the front of administrators’ minds.” Well, they need to be. I understand that we have to weigh the spend. There are a lot of stakeholders that need funds. Our hospital systems are trying to stay in business on low margins that are actually getting lower. They view security as a cost that erodes the margin, but in reality, if you don’t take care of the data hygiene – the basic blocking and tackling – then no matter what creative revenue-generating things are happening, it will all be for naught if someone comes in the back door and steals the data.
Several forward-thinking providers have realized this and are doing their part to transform healthcare and improve patient outcomes. I’m honored to work with them. But reading this shocking article, it’s clear many are lagging. It’s time to wake up. Let’s figure out how to solve these challenges, which are every bit as important as not leaving a sponge in a patient at the end of surgery.
If these survey statistics mirror your healthcare organization’s, it’s time to shore up your defenses. If you need advice, I urge you to reach out and message me on LinkedIn. I’ll give you free advice. Seriously. Let’s fix this.