Is healthcare IT security on life support? Try 3 steps for a healthy balance

  Healthcare is an interesting animal when it comes to IT security.  There is a constant need to stay cutting-edge, and at the same time a requirement to keep costs down, for reasons I really don't want to get into here.  The need to stay cutting-edge is rather obvious: the latest advances in technology can mean the difference between life and death for a critical patient.  In healthcare, sharing information is both a blessing and a curse.  Requirements for openness are balanced against requirements for confidentiality and security, and the two push and pull at IT security professionals, creating incredible pressure.

 

  There's a Dark Reading article that caught my attention because it has the subtitle:

 

"New study shows data breaches up and costing healthcare industry billions of dollars a year, with employees, mobile devices the weakest links"

 

  The issue makes sense.  We can all agree that data breach costs are going up, and have been for a while.  The part of the headline I didn't expect to see is the B in billions.  Billions of dollars a year are draining out of healthcare because of breaches, money that is effectively wasted.  Let me explain what I mean.

The Patient Loses, Twice

 

  Looking strictly at the money lost to fines and lawsuits in healthcare, the numbers are becoming staggering.  All that cash, which could be spent saving lives, vanishes.  It's a shame that such waste happens in an industry that needs the money so badly.  There is another appalling fact as well.

 

  If you think about it, the way the penalty system works in most industries hurts the wrong people.  In the healthcare industry it's downright wrong.  Let's assume a hospital faces a lawsuit or fine from a violation or data breach, typically several hundred thousand dollars or more.  Who do you suppose pays that fine?  The easy answer is the hospital... except you have to ask yourself where that money really comes from.

 

  If you dig deep, you realize it's not the administrators who skirted good risk management or security advice that are penalized, but rather the hospital system in general.  Ultimately, this cost gets passed down either to you or to our government, which then passes it back down to you.  How do you feel about that?  Personally, if I'm a victim of a privacy breach at a hospital where my personal information was lost, and then the hospital has to pay a fine to some organization (and I see none of that money), I feel violated twice.

 

  The first painful part is the feeling that someone out there now has more information about my health and the very, very personal details I often don't discuss with even my closest friends ...that's as personal as it gets.  Then, when the hospital network has to pay a million-dollar settlement to some regulatory agency (and of course I see none of that money), the hospital network has to pay for it somehow ...so they raise rates and I pay for it.  I know it's not quite that simple because there are many indirect costs and trickle-down issues, but in the end this is how it goes.  If you know for a fact that I'm wrong, please let me know; I'd love to tell everyone how wrong this is.  Sadly, I think it's not.

And Now the Ugly Part

 

  As costs pile up from data breaches, innovation suffers.  For someone who runs a hospital network, the true cost of an innovation slow-down can almost certainly be counted in lives.  Maybe I'm being a little dramatic ...but I suspect this is closer to reality than we'd like to admit to ourselves.

 

  First there is the problem of being reactionary and overly cautious.  After a serious breach an organization tends to go into what I refer to as turtle mode ...that is, it retracts back into its shell.  Technology adoption stagnates, and the appetite to take on new, maybe not completely proven tech is minimized.  That new heart monitor may have been a good idea a few months ago, but now that hackers have ravaged your network, your administrators will think twice, because that heart monitor uses WiFi and we're wary of anything new now.  It's natural, but no less unfortunate.

 

  In addition to the stagnation of technology adoption, security tends to overstep its boundaries.  My peers may hate me for writing this, but when things go south the security folks tend to get carte blanche to make changes and impact decisions.  This isn't necessarily a good thing if they're not well versed in the business and don't understand what the organization is trying to do in healthcare.  There are few things worse than trying to do your job in a police state (which is what IT turns into) where doctors, administrators, and nurses are constantly locked out of necessary functions, technology is limited, and security runs the show.  The best and brightest tend to get frustrated and leave quickly ...and this doesn't bode well for patients either.

Finding a Healthy Balance

 

  There is a healthy balance that must be struck.  If I may be so bold as to offer some advice here:

 

  1. Find a way to demonstrate the value of technology to healthcare before the breach ... I know this sounds rudimentary and silly ...but it's more important than you realize.
  2. Work towards accountability, so that the poor decision makers are held accountable for their trespasses and lapses in judgment, not the entire healthcare entity.  This way patients suffer only once.
  3. Don't overdo the security police state post-incident.  Take a deep breath, have a bit of sanity and make intelligent decisions, not reactionary ones.

 

Good luck.  As a user of the US healthcare network, I look forward to intelligent reform, accountability, and better risk management.

Comments
Armorguy (anon) | 12-09-2011 04:29 PM

Raf,

 

This issue is not as simple as you make it...

 

Hospitals cannot "just raise prices" to cover fines and penalties.  The reality is that prices are, for the most part, set by the government.  Medicare/Medicaid sets prices for procedures that they pay for....and most health insurance carriers pick up on that pricing.  Kinda like a bad sitcom about buying jewelry - Nobody Pays Retail.

 

So what that does to security is make it much more like almost every other industry.  We protect data the best we can.  We build the best programs we can.  And, sometimes, we get breached.

 

Armorguy

 

(Full disclosure: I am the Director of Information Security for a large(ish) healthcare provider.)

Rafal Los (Wh1t3Rabbit) | 12-09-2011 04:43 PM

@Armorguy - So I'll concede that it's not that simple (I actually stated that, as I was pretty sure it was exactly the case) - but in the end the data breach costs don't get paid by the people who made the poor decision in the first place - which I guess is like any other industry.  I think healthcare is unique because it's fighting an interesting battle between government and private industry based on who pays, sets prices, etc ... so in the end I think my statement that the patient loses is accurate - do you agree?

 

/Raf

Armorguy (anon) | 12-09-2011 04:58 PM

Raf,

 

Does a patient lose if their records get swiped?  Of course.

 

Who else loses if records get swiped in a breach?  Tougher question.

 

In the for-profit healthcare world it's going to be shareholders.  Remember - pricing is fixed.  Unexpected expenses are a direct hit to profit and that affects shareholders.

 

In the not-for-profit healthcare world it's going to be the community at large.  Either through the local government having to subsidize the system, or the system having to reduce services to cover less money being available for operations, or (in the worst case) a system going under.

 

So - how do we fix this?

 

First - the Meaningful Use incentives to secure EHR systems (worth thousands of dollars per doctor) are one way.  The federal government has finally created (for a short time, at least) incentives aligned with desired outcomes.

 

Second - as an industry we have to force EHR vendors to create defensible systems.  My personal opinion is that too many of the EHR systems are weak and very open to compromise.

 

Third - we realize that infosec in healthcare is not special.  It's different - to be sure - but the challenges are just like so many other industries.  

 

Your three suggestions are good ones - but they apply to everyone, not just healthcare.  Every infosec professional leader needs to be/know/do these things to truly be effective...

 

Cheers,

 

Armorguy

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation