Top cybersecurity mistakes health organizations make

January 7, 2016

Don't let your healthcare organization's information be compromised. Watch out for these common mistakes.

Despite healthcare organizations' best attempts at maintaining patient confidentiality, the industry regularly accounts for a staggering number of data breaches. According to the latest Identity Theft Resource Center (ITRC) report, more than 120 million patient records were compromised in 2015 due to healthcare incidents alone.

Critics are quick to attribute these breaches to granular issues such as legacy infrastructure or poor identity and access management. However, bigger-picture problems, including underinvestment in critical systems, conflation of compliance and security concerns, and an overreliance on internal expertise, have left many firms without the means to accurately assess and defend against cyber attacks.

There are a number of drivers behind healthcare entities' poor security hygiene. Obstacles from organizational culture to resource allocation make it difficult for firms to embed cybersecurity throughout their operations. Before healthcare organizations can make meaningful strides toward better cybersecurity practices, they must address the underlying causes that leave them vulnerable in the first place.

Leadership deficiencies

Compared to other industries, healthcare organizations don't adequately invest in security leadership, nor do they have a vast talent pool from which to pull. An ISACA study from early 2015 found that 86% of organizations feel there's a global shortage of skilled cybersecurity professionals. As a result, many healthcare organizations are living without chief information security officers (CISOs), or they are promoting IT directors and adding security to their purview.

Without CISO representation, organizations lack a board presence to address cybersecurity-related issues, or advocate for solving them. Providers are not expected to become cybersecurity gurus in their own right, but failing to appoint IT security leaders makes it too easy to ignore security concerns until a crisis strikes. Tacking security on to existing directors' responsibilities isn't a sound fix either; instead, it can lead to more mismanagement and internal vulnerabilities.

Security should be handled separately from day-to-day IT concerns, and healthcare organizations’ leadership structure should mirror this. Without a clear chain of command with regard to cybersecurity, everyone’s problem quickly becomes nobody’s problem.

Underinvestment in the right technology

Mirroring their cybersecurity leadership gaps, many healthcare organizations suffer from a lack of investment in security tools. Recent Forrester research claims that insurance organizations, hospitals, and doctors devote only 14% of their IT spend to security concerns.

In many instances, healthcare IT spending has been focused on employee-facing tools (e.g., equipping doctors with tablets, or shifting to electronic health record software) and maintaining burdensome legacy technology rather than proactively building cyber defenses. Ideally, a small percentage of enterprise technology rollout costs should be devoted to buying tools, leaving the remainder to develop people and processes that can support these solutions. Throughout the healthcare sector, however, firms overemphasize the tools without taking steps to integrate them successfully in their daily operations.

Healthcare organizations need to take their patients’ privacy as seriously as they do their physical well-being, and that means investing in both the technology and people needed to maintain data confidentiality.

Misplaced focus on compliance

In today's strictly regulated environment, too many healthcare organizations focus on compliance to the exclusion of security concerns, leaving providers compliant with the letter, but not the spirit, of the law. Policies like HIPAA serve as high-level guidelines rather than prescriptive recommendations, but many organizations treat them as comprehensive security rulebooks. It isn't safe or practical to let cybersecurity practices be steered solely by regulatory mandates; organizations should embrace patient data protection for its own sake, and ensure that the resulting processes fulfill HIPAA requirements.

A byproduct of this issue is that, while most organizations conduct regulatory-mandated risk assessments, many fail to act on the findings. Ignoring security holes and deficiencies isn't a winning strategy; firms must identify the most critical deficiencies and commit the necessary resources toward addressing them.

Deficient staffing

Healthcare organizations also have a habit of mistakenly inflating the capabilities of their existing in-house IT expertise. Without ample investments in advanced tools and human capital, a firm's internal cybersecurity staff and systems will always be deficient. This discrepancy explains why even large healthcare groups wrongly identify major sources of risk, or leave sensitive processes exposed.

These organizations can't afford to fumble cybersecurity, highlighting the need to bring in outside expertise, either through independent security professionals or relevant software and hardware vendors.

Depending too heavily on internal resources tempts organizations to perpetuate ineffective policies and exacerbate their vulnerability over time. With help from a variety of third-party providers, organizations can accurately identify (and plan around) their security needs and expenses, better understand which solutions to pursue, and shift some of the burden off of their limited internal resources.

Addressing cybersecurity shortcomings

Organizations throughout the healthcare sector have become so bogged down in tactical cybersecurity issues that they miss the big picture. Resolving these shortcomings starts with addressing the foundational challenges. Above all, the industry must shake the widespread belief that data security and healthcare are opposing forces.

The ability to instantly access patient records and medical histories is critical to saving lives, but access must be restricted to maintain data security. Although these seem to be competing interests, protecting patients' health shouldn't come at the expense of jeopardizing their digital identities.

A handful of other barriers must be cleared before real progress can be made. Cybersecurity funding is in short supply; it can be difficult to justify spending for an identity management solution when MRI machines are desperately needed. Healthcare providers need to delineate IT from security through individual budgets and leadership, ensuring that both groups receive the right support. And while organizations can't change the way current regulations are written, they can modify the way they interpret and enforce them.

By tackling these root causes of subpar cybersecurity, rather than making vanity changes to their defense mechanisms, healthcare providers can prevent the most egregious errors. Even though truly dedicated attackers can penetrate almost any system, having robust security practices in effect can make an organization a much less appealing target.

Sean Curran is a director in West Monroe Partners' Security & Infrastructure Consulting Practice, based in Chicago. He has more than 20 years of business consulting and large-scale infrastructure experience across a range of industries and IT domains, including extensive work in the areas of data and information security.

Will Hinde is a senior director in the West Monroe Partners’ Healthcare Practice and primarily focuses on health insurance organizations. He has more than 15 years of business consulting and technology experience and is currently responsible for strategy and delivery for healthcare insurance clients.