A report from cybersecurity software company Protenus last month revealed that the number of affected patient records—spanning across all disclosed health data breaches—has continued to climb each quarter in 2018—from 1.13 million in Q1 to 3.14 million in Q2 to 4.4 million in Q3.
But despite this continuous troubling trend, there still are indicators that healthcare organizations are simply not doing enough to defend themselves and stop preventable attacks. To this point, a recent survey from CHIME (the College of Healthcare Information Management Executives) revealed that about 70 percent of responding patient care organizations said they do not have a comprehensive security program in place. CHIME defines “comprehensive security program” as doing all of the following: reporting security deficiencies and security progress to the board; having a dedicated CISO (chief information security officer) and cybersecurity committee; providing security updates to the board at least annually; and having a board-level committee that provides security oversight.
Meanwhile, another cybersecurity report—this one from advisory firm Ernst & Young—found that while only 18 percent of healthcare companies are very confident that they would be able to detect a sophisticated attack on their organization, respondents did report they are willing to invest in better defense strategies: 66 percent of those surveyed plan to spend more on cybersecurity over the next 12 months.
The EY Global Information Security Survey 2018-19 did come to the core conclusion that cybersecurity—across various sectors—is continuing to rise up the board agenda, but organizations still need to take far more action. Healthcare Informatics recently spoke with Liz Mann, Ernst & Young’s U.S. cyber health leader, about some of the report’s healthcare-specific findings, how mature providers’ and payers’ cyber defense strategies are in this moment, and much more. Below are excerpts of that interview.
What were some of your core takeaways from this year’s survey as it relates to healthcare cybersecurity?
Ernst & Young is a founding sponsor of H-ISAC (the Health Information Sharing and Analysis Center), and one of the stories that came out in this report, as well as in conversations I had at the H-ISAC Fall Summit, is around the notion of embedding security by design—bringing security closer to the front end of the discussion about what health companies are trying to do.
When we think about health in general, it’s difficult to generalize because the way we see cybersecurity being addressed in the provider world versus the payer world versus the pharmaceutical word versus the medical device world clearly differs. In the provider space, we are looking at this notion of doing more and better about embedding security into the process early to protect individual information about patients who are interacting with providers. And then it’s also about prioritizing the medical device security for the diagnostic equipment in the hospitals.
Looking at payers and providers, the payer space is advancing a bit faster in cybersecurity maturity because they have access to so much data. And they are increasingly involved in significant transactions, such as the Cigna-Express Scripts and CVS-Aetna mergers, so the transaction market, the consolidation of giant organizations, and the increased amount of data that they house, is creating an environment where cybersecurity and resilience have become increasing priorities for them.
In the survey, we saw that organizations are operating with somewhat limited resources in the areas of cybersecurity and resilience, yet they are increasingly recognizing how important they are to the health and growth of their businesses. Looking at the limited cyber budgets, but then the [desire] to be resilient, is concerning because there’s a big disconnect. There is an understanding of importance, but a limitation on resources. And part of that is about a limit in talent in the market, but it’s also about how the health business is increasing its focus in this area, and looking for ways to embed security into their business processes so that it’s not a standalone expense that needs to be identified and focused upon as an afterthought.
As we see health companies increasingly embracing digital technology and greater consumer experiences—as they interact with both payers and providers—that digital transformation is bringing cybersecurity closer to the front end of the cycle. By embedding [security] as a function of how they transform, it allows companies to protect their data and services, and then they see a little bit of a shift on where the budget and the attention comes from.
Some of these recent surveys that have come out have troubling statistics, such as just 18 percent of healthcare companies feeling very confident that they would be able to detect a sophisticated attack on their organization. What are the biggest barriers that exist today between being able to protect your organization and actually doing so?
One of the opportunities for the health sector to do a better job with protection and the resiliency in the face of a problem is by having transparency across the industry. You see organizations of such varied sophistication with respect to what they can do and how they can execute, and one of the answers we see is improved collaboration at an industry level so people don’t have to create and identify the same solution over and over.
The [cybersecurity] themes that come out of this sector are protect, optimize, and grow. Optimizing is an interesting concept because health companies are often now being challenged to figure out what is the most important thing to protect and how to optimize in a way that utilizes limited resources.
As the industry matures in cybersecurity, you can’t go from 0 to 100 overnight. It’s a marathon, not a sprint. So the smart path is to look inside and figure out what those few things are that you can’t tolerate or comprise, and them decide how to optimize your resources, internally and externally, to apply defenses to those most important targets. And these targets could be the crown jewels, the digitally important assets they have in the network, the supply chain they rely on, or the protection of private information for their customers.
I had a recent conversation with a security leader who once commissioned a study to understand where the most important and highly-valued data on his organization’s network was. So he examined the data elements on the network and the results indicated that something like 75 percent of the data was in that most highly-valued category. One of lessons learned is that we have to be smart about what we ask for, so if we are asking for a classification of the data on the network, we better have a class of data that’s likely to yield 15 percent of the data on my network so that I have a fighting chance to protect that. Maybe in the next round, I go protect the next 15 percent, but I can’t protect 75 percent of my data [at once].
How much are organizations, in your estimation, prioritizing cybersecurity in that they have a dedicated and comprehensive security program in place, and have a dedicated CISO, etc.?
In the health space, there is increasingly someone designated as the head of cybersecurity. But if you look at the results of [our] survey, 47 percent of the organizations said that the CIO has the ultimate responsibility. But what I see as an increasing trend is that CIOs will be focusing more on digital transformation, meaning that the CISO or chief security officer is the person responsible for security. Health organizations are increasingly looking to have their security leadership align to someone who is visible on the business side of the organization as well, such as a chief data officer.
You cannot modernize [digitally] without a CISO or someone responsible for security. If you go forward, and you transform and deliver direct-to-consumer types of communications and apps, but engagement models and security have not been infused from day one, you’re in big trouble. You will create new risks instead of mitigating risks that already exist. Your classic CISO cannot do that, but your contemporary one can.
What are your thoughts on certain federal healthcare cybersecurity efforts, such as HHS’ rebuilding of a Health Sector Cybersecurity Coordination Center, in this broader picture?
The interaction between the federal government and the private sector will be important for everyone’s success. We see better collaboration coming out on the sector side because we see key leaders in commercial institutions embedded into the HHS program to drive a more realistic understand of what companies are battling with. That’s a good thing. This idea of having transparency on lessons being learned is critical, and the other element coming forward from an audit/compliance industry perspective is improving the kinds of reporting and attestations that could be available to companies around cybersecurity.
A healthcare CISO recently told me that people in his ecosystem were preparing to do some sort of an attestation around cybersecurity—providing a more consistent way to evaluate the maturity of an organization’s cybersecurity. His comment to me was that if he sees folks preparing to do this, even if they don’t do the attestation and don’t fare that well, the fact that they are taking a structured examination of their own organization gives him some level of confidence that they are prioritizing cybersecurity appropriately. And in the payer space, a lot of the payers have such limited budgets that being exposed to these industry level efforts will help them stay in line, learn, and understand the threats that are headed their way.
