It is common to hear that healthcare is lagging behind financial services and other industries when it comes to information security. Unfortunately, it is also common to hear of patient health information breaches, phishing attacks on hospitals, and compromised personal health information. Frequent attacks combined with a lagging industry do little to make patients feel secure about their information, especially once they realize how easily that information can be misused in a multitude of compromising ways.
As KLAS has delved into healthcare security research, we have found many interesting points about the state of security in the United States. One thing that has become evident very early on is that hospitals across the country are in drastically different phases of their security life cycle.
We’ve spoken to leaders at healthcare facilities where security is not yet a conversation at the board level. One CIO said that her administration preferred to “keep their heads in the sand” regarding IT security because they didn’t feel like security breaches would happen to them. Another CISO reported that his budget for security has tripled in the past year, that he meets regularly with his administration, and that the conversation around security is a regular agenda item at monthly board meetings.
While one CISO will sing the praises of a data loss prevention (DLP) system and the successes from having it in place, another CISO will tell us that he can’t see the value of a DLP system because he can’t hire enough staff to properly maximize what the system offers. One CISO will tell us that his anomalous-behavior software is key to his security strategy, and another will express her concerns about being able to adequately train her staff not to click on phishing email links. The next CIO will tell us that the organization is desperate to hire a CISO but can’t find an applicant who is available for the position.
While the concerns are varied, the reality is that the risks are high, and healthcare leaders are facing numerous concerns and dealing with them in varying ways. And although there seem to be resources available to determine life-cycle positioning and lots of great advisory firms available to assist with everything from risk audits to road-map development, it does not seem that there is currently a widely accepted or utilized model.
Staffing, budgets, focus, time, tools, and expertise are just some of the criteria that differentiate the maturity of hospitals and health systems regarding healthcare IT security. The frequency of attacks and the increasing regulations surrounding HIPAA and government-regulated compliance continue to bring focus to the need for action in the healthcare IT security arena.
As we continue our HIT security research, we will work with healthcare providers to categorize provider organizations into levels of maturity and establish a checklist of what is necessary for the varying levels of maturity. This checklist, our focused research on innovative vendors that are helping make organizations feel more secure, and a look at core clinical vendors that align their security strategies with their healthcare clients, will all be part of the extensive report we are co-publishing with CHIME in early 2017. Feel free to email me directly to learn how you can participate in our research.