[BreachExchange] Cybersecurity rising as health IT concern

Audrey McNeil audrey at riskbasedsecurity.com
Mon Feb 29 19:24:37 EST 2016


http://www.modernhealthcare.com/article/20160227/MAGAZINE/302279878

After years of budgetary indifference to health information security, and
fresh off the worst year in history for healthcare data breaches, many
healthcare organizations will be putting more resources into protecting
their data, according to Modern Healthcare's 26th annual Survey of
Executive Opinions on Key Information Technology Issues.

An overwhelming majority of respondents indicated that the threat of
cybersecurity breaches will have some (51%) or considerable (42%) impact on
their organization's IT security spending this year.

And 3 out of 4 provider leaders surveyed indicated their IT security
spending will increase in 2016, with only 25% indicating there would be no
spending changes. No one indicated they would be making cuts in IT security
spending.

The median spending range for security as a percentage of their
organizations' overall IT budget was 2.1% to 3% in 2015, according to the
survey. The median spending range will rise to 3.1% to 4% this year,
provider leaders reported.

More than half (53%) of all providers this year say their organizations are
encrypting personally identifiable data in storage, so-called “data at
rest.” Encrypting data for transmission has been standard practice for
years.

Cyber and data security ranked No. 3 when providers were asked to name
their top three hot-button health IT priorities. A number of respondents
made it their top priority.

Looking out a bit into the future, provider leaders still foresee the need
to address security risks, the survey shows. Security also ranked No. 3
among executives asked to pick their top health IT priorities over the next
24 months.

What's finally driving all this heightened interest and increased spending
on health IT security?

Fear.

A sizable majority of respondents—81%—indicated they expect the number of
cybersecurity attacks this year will exceed those in 2015, a record year
for healthcare data insecurity.

Several IT leaders who took the survey this year were reluctant to talk
publicly about their security issues, preferring the safety of the herd
with so many cyber predators on the prowl.

One survey respondent, a chief information officer for three decades,
agreed to speak only if granted anonymity. His midsize Midwestern community
hospital will be spending a bit more on security in 2016, but “we're still
not spending the level of budget we're going to need,” he said.

“Up to 20% of my time is now spent in this (security) area, where three or
four years ago, it was 2%,” he said. His hospital is creating an IT
security department, has added security monitoring to the duties of a
compliance committee that reports directly to the hospital board, and
“there's talk about having a separate cybersecurity committee at board
level,” he said.

“We're getting constant attacks from the outside,” the CIO said. “Although
we've not had a breach or something that's taken hold, the time and
training (for security) has taken a significant amount of our focus. The
folks trying to break in are getting very sophisticated. We're doing
everything that we can at this point” to stop them.

The current IT cybersecurity threat level will have a “considerable” impact
on IT security spending this year at 189-bed Lawrence (Mass.) General
Hospital, said Michael LeBlond, its senior director of information systems
and technology.

It's a disproportionate-share hospital that operates a busy emergency room
and trauma center and multiple outpatient services in the community,
LeBlond said.

On the survey, LeBlond listed security and compliance as his No. 1 hot-button
IT priority.

His hospital's spending, already at an above-average level in 2015—3.1% to
4% of IT's budget—will rise to the 4.1% to 5% range in 2016.

LeBlond said his IT department has 29 full-time staff members. There's only
one security officer, added a couple of years ago, but a second is on the
way, he said. “I've always been fortunate security has always had the
attention at the board level here,” he said. “We've been a little ahead of
the curve knowing this stuff is out there going on.”

LeBlond said the hospital relies on in-house staff and outsourced security
technology and services, particularly for monitoring “that I can't afford
people to have staffing 24/7.”

“We're a small community hospital and have to balance what we can put
toward security and keeping all the other IT things running,” he said.

Of the 1,470 major breaches on the “wall of shame” website kept since 2009
by HHS' Office for Civil Rights, only 11% are attributed to hacking
incidents.
But those relatively few hacks led to the exposure of 115.6 million
individuals' medical records. And nearly 97% of those exposures were from
hacking incidents reported in 2015. Four of the five largest healthcare
data breaches in the history of the list were Anthem, 78.8 million
individuals; Premera Blue Cross, 11 million; Excellus Health Plan, 10
million; and the University of California at Los Angeles, 4.5 million, all
in 2015.

This year, healthcare officials have seen the re-emergence of the
ransomware threat. Hollywood (Calif.) Presbyterian Medical Center saw its
electronic health-record system held hostage for about a week until it
forked over $17,000 in ransom, paid in the hard-to-trace bitcoin
cybercurrency.

CIO Richard Mohnk of two-hospital, 326-bed Bayhealth, based in Dover, Del.,
has a full IT agenda, overseeing the IT needs of a replacement hospital
under construction in Milford, Del. But a security update ranked No. 3 on
Mohnk's hot-button IT punch list.

Consultants have looked at all of the systems' security policies and
practices as well as all monitors and other clinical electronic equipment.
“We wanted to identify our risks,” said Mohnk, a health IT veteran who has
just six months on the job at Bayhealth. Security was moved into the IT
department and a security training program is underway across the hospital.

Mohnk plans to augment a five-person security department. “We're building
from within just because there are only enough security professionals to
cover about 60% of the available spots.”

A couple of years ago, Bayhealth sent out a test batch of phishing e-mails
to employees to see whether people would open them. Hospital officials
wanted to know how many employees would have put the hospital in jeopardy
had the e-mails actually come from a hacker. “Unfortunately, it was
way more successful than we wanted it to be,” Mohnk said, since a number of
workers opened the e-mail.

“We'll probably do another one of those in the next two to three months and
really focus on it as an educational opportunity,” he said. Like most
survey respondents, Mohnk indicated 2016 would be worse for cyberattacks
than 2015.

“I came from the University of Massachusetts Health System in July,” he
said. “We've already had three cyberattacks” since then. “I hadn't had one
in the previous 14 years at UMass. Everywhere you look, they're up. I think
we'd all be foolish if we didn't think it'd be on the rise.”