Health IT Must Admit It Has a Security Problem
Guest post by Renata Magurdumov, director of marketing, ColoGuard.
If you think about it, your doctor probably knows more about you than many of your friends. Healthcare providers store a ton of sensitive data about their patients; everything from their name to their address and place of employment to their Social Security number. In other words, everything a cyber-criminal would need to steal someone’s identity.
Given how valuable that information could be in the wrong hands, you’d think that healthcare providers would use the most high-tech, modernized infrastructure and the most up-to-date security practices to keep it safe. Unfortunately, you’d be mostly mistaken.
Recently, Premera Blue Cross was the victim of a ‘sophisticated cyberattack’ that compromised the healthcare records of 11 million patients. Before that, the victim was Anthem. Before that, Aventura Hospital and Medical Center.
As a matter of fact, according to a recent Kroll study, healthcare accounted for nearly half of the client breaches that took place in 2014, followed closely by business services and higher education. This was the second year in a row that these three industries accounted for nearly two-thirds of all “client events.” What’s more, only 30 percent of the breaches in healthcare were the direct result of hacking.
That means that the other 70 percent were the result of human error – of negligence, poor security practices or ignorance. For an organization whose collection of data can quite literally ruin lives by falling into the wrong hands, this is unacceptable. And it’s going to get worse before it gets better.
“I believe that healthcare IT systems are fragile and highly vulnerable today,” writes CIO Paddy Padmanabhan. “This, combined with the sophistication of hackers and the rising attractiveness of healthcare data in the black market, makes healthcare a huge target for disruption in 2015.”
The Rocky Relationship Between Healthcare and IT
Part of the problem is that many decision makers in healthcare have a serious attitude problem where technology is concerned. They simply don’t realize how important it is. Healthcare IT is often marginalized and undersold, with CIOs struggling simply to keep their departments afloat – if it’s not simply contracted out to third parties.
“While healthcare costs in the US as a percentage of GDP are the highest in the world, healthcare IT spend as a percentage of revenues is among the lowest across various industry sectors,” continues Padmanabhan. “Healthcare CIOs are constantly challenged to do more with less, and face budget cuts year after year.”
The end result of this is that many hospitals view technology as a hindrance. It’s obtuse, frustrating and poorly implemented – because their IT departments lack the resources to make it anything but. Writing for the New York Times, leading healthcare analyst Robert M. Wachter recounts how a hospital job ad last year listed the lack of digital databases as a plus.
“In today’s digital era,” writes Wachter, “a modern hospital deemed the absence of an electronic medical record system to be a premier selling point. That hospital is not alone.”
“A 2013 RAND survey of physicians found mixed reactions to electronic health record systems, including widespread dissatisfaction,” he continues. “Many respondents cited poor usability, time-consuming data entry, needless alerts and poor workflows.”
Worse still, even those hospitals that have successfully implemented modern IT are fighting an uphill battle to figure out how it all works. They grew so accustomed to the way things were, says Wachter, that they found themselves utterly unprepared for a shift which was, for all intents and purposes, years in the making. They were complacent – and now they’re paying for it.
“Whopping errors and maddening changes in workflow have even led some physicians to argue that we should exhume our three-ring binders and return to a world of pen and paper,” he says. “That argument is utterly unpersuasive. Healthcare, our most information-intensive industry, is plagued by demonstrably spotty quality, millions of errors and backbreaking costs. We will never make fundamental improvements in our system without the thoughtful use of technology.”
Healthcare Providers Still Don’t See Themselves As Targets
Compounding the difficulties with electronic record keeping is the fact that many healthcare providers simply don’t realize what a large target has been painted on their industry. A hacker who steals financial data may have access to a few bank accounts and credit cards, sure; but once the misuse has been detected, the stream of income from that data quickly tapers off. Stealing someone’s patient records, though?
That’s huge – and incredibly lucrative. Suddenly, they’ve all the information they need to sign up for fraudulent credit cards, fake bank accounts; you name it. Sure, it’s true that identity theft can eventually be detected and dealt with…but it takes a lot more work than dealing with a stolen credit card, and in the meantime you’ve got a ton of people saddled with downright backbreaking debt – and a group of criminals living large off of that debt.
Basically, healthcare information is the crown jewel of stolen data.
“Malware, phishing schemes, Trojans, ransomware – these are the types of cyberattacks that happen to all institutions, though some are more likely to make headlines than others,” explains Ryan Witt of Healthcare IT News. “The healthcare industry often lacks the built-in protections and underlying security mindset of other industries and is thus particularly vulnerable to cyberattacks.”
With the number of connected medical devices steadily on the rise and more smartphones and tablets finding use in a medical context, this needs to change sooner rather than later. Healthcare organizations need to stop underspending on IT, start educating their staff, and start looking into better security solutions. Because if they don’t, these breaches are going to keep happening – and they’re going to keep getting worse.
Make no mistake, the healthcare industry has what can best be described as a rocky relationship with modern IT. Understaffed and under-budgeted IT departments are hard-pressed to implement the solutions necessary to keep their organization efficient and protected, while many healthcare professionals lack the knowledge or attitude necessary to avoid socially-engineered attacks. Those factors together form a dangerous cocktail; hospitals and providers need to get over their growing pains as quickly as possible.
It’s not going to be easy, but it needs to happen either way.
“Our iPhones and their digital brethren have made computerization look easy, which makes our experience with health care technology doubly disappointing,” notes Wachter. “An important step is admitting that there is a problem, toning down the hype, and welcoming thoughtful criticism, rather than branding critics as Luddites.”