Last week, the Brookings Institute published a very well-written report that accurately illustrated the current threat environment and identified the specific issues that seem to continue to plague healthcare in its efforts to fight cyber incidents. The shame of it was there was no ‘new’ news. In fact, this week seemed like deja vu as Larry Ponemon published his sixth annual report on healthcare cybersecurity, which unfortunately reflected a lot of the same issues as last year’s, or even the last several years’, for lack of any significant change. Moreover, I attended the Spring HIMSS Privacy & Security Forum in Los Angeles this week, where these exact issues were discussed with plenty of acknowledgement that while healthcare may have made some progress in some areas, overall the industry continues to lag in this very important area of managing its business. The prevailing feeling expressed by attending thought leaders was that the current predicament is directly related to a lack of priority by leadership. This, of course, presents a formidable challenge, as it is leadership that sets organizational priorities, provides required resources and sets the tone for an overarching culture.
As the survey noted, 38 percent of healthcare organizations and 26 percent of business associate organizations are aware of medical identity theft cases affecting their own patients and customers. Despite the known risks, 64 percent of healthcare organizations and 67 percent of BAs offer no protection services for victims whose information has been breached. What’s more, 58 percent of healthcare organizations and 67 percent of BAs have no process in place to correct errors in victims’ medical records. “When we first started doing this survey and asked about medical identity theft, people would shrug their shoulders and say, ‘What is that?’” Ponemon said in releasing the results of the survey. “At least it is now on the radar screen, but that doesn’t mean they have a plan in place to help the victim. Medical ID theft seems to be an increasing issue, and someone has to be accountable for it.”
Taking a closer look at the results in the aggregate, you quickly realize that we are still hovering between 40 and 60 percent in almost every category assessed, which means we still have nearly half the nation’s health systems falling farther and farther behind as threats to security continue to evolve.
There were, however, some bright spots in my conversations this week, as more CIOs and CISOs reported that their boards are taking a much more active approach to trying to understand the organization’s cyber risk. We are beginning to hear of boards that are seeking security expertise on the board itself, making security a standing reportable item, or inviting the CISO to present regularly. Many board members have expressed concern about not knowing enough or not fully understanding the cyber issues facing their organization. In fact, one of my recent stops was to meet with the board of a New England health system that has strongly supported a revitalization of that organization’s privacy and security programs and that is very much involved in the process.
This is probably one of the biggest challenges facing healthcare today, and leadership is sorely needed. The best security cultures are created from the top down.