Issue link: https://beckershealthcare.uberflip.com/i/534828
The recent wave of healthcare data breaches, and the extremely high cost of recovering from them, has reinforced the urgent need to invest in protecting the digital patient medical records that healthcare organizations have spent billions of dollars to install. According to a report from Politico, healthcare data breaches come at an exceptionally high cost:

• One healthcare record can be exchanged for up to $50 on the black market, 10 times as much as a stolen credit card number.
• Legal costs and credit protection could amount to $20 for each hacked patient record.
• Hacks already cost the healthcare industry approximately $6 billion a year.
• An estimated $2 billion worth of health-related cyber insurance was sold last year, and that market is growing 20 to 25 percent per year.

Even with the passage of two bills intended to increase the sharing of cybersecurity threat information among government agencies and across the healthcare industry, legislation alone cannot tackle the problem. The shrewdest hackers will continue finding ways to breach protected data systems no matter what bills Congress passes or how much the healthcare industry spends on protecting its data.

Indeed, criminal attacks on healthcare organizations have risen 125 percent since 2010 and are now the leading cause of data breaches in healthcare, according to research from the Ponemon Institute. Unfortunately, most healthcare organizations are still unprepared to address this rapidly changing cyber threat environment and lack the resources and processes needed to protect patient data.

"The adversary is way ahead of us right now," Jim Nelms, chief information security officer at Rochester, Minn.-based Mayo Clinic, who previously held the same position at the World Bank, told Politico.

Pain points for hospitals and health systems

Hospitals and health systems face a myriad of challenges when approaching the issue of cybersecurity.
First, despite the fact that data breaches are widely regarded as an imminent threat, nearly three-quarters of C-level executives do not believe chief information security officers should be part of an organization's leadership team, according to a survey by ThreatTrack Security, a cybersecurity solutions developer. The survey gathered responses from 203 C-level executives about the CISO's role. Even more incongruous, 55 percent of respondents said the CISO should assume responsibility for data breaches, but just 46 percent said the CISO should be responsible for cybersecurity purchasing decisions.

Second, although the government has helped create threat-sharing networks for the healthcare industry, many health systems don't participate because they can't afford the costs associated with enhanced security. According to Lisa Gallagher, a cybersecurity expert at HIMSS, healthcare organizations should be spending at least 10 percent of their IT budgets on security; Michael Garvin of Symantec added that the figure can be as high as 40 percent for organizations that are just starting out. The current industry-wide average, however, is only about 3 percent.

Additionally, there are no guaranteed, concrete benefits for healthcare organizations that make these costly investments, since health systems will seemingly never outsmart hackers. The risk of not investing in the protection of digital health information, however, is enormous. "You might pay for the best tornado-resistant roof and never need it," Carl Anderson of the HITRUST Alliance told Politico. "But if all you've got is a tarp and a storm comes, you're going to take a lot of heat for the damage to your house."
Hospitals may inadvertently expose themselves to increased risk of attack

While hospitals may be tempted to highlight and market their capabilities with the latest technologies, doing so essentially advertises to hackers the value of the private information they hold. Talking about cybersecurity measures to the media or the general public can be a liability to the organization, depending on how they are discussed.

"[Cybersecurity] absolutely is something [healthcare organizations] should be talking about, but there's an appropriate way to talk about it and an inappropriate way to talk about it that could potentially put you at harm," Mac McMillan, co-founder and CEO of information security and privacy consulting firm CynergisTek and current chair of the HIMSS Privacy and Security Policy Task Force, told Becker's Hospital Review.

According to Mr. McMillan, the key is not to speak in absolutes, such as by promising patients their data is 100 percent secure and that they needn't worry. Making such statements is essentially an invitation to hackers to try to break into the system. Furthermore, a definitive claim that a network is entirely secure would likely draw closer scrutiny to the organization, including a more watchful eye from the Federal Trade Commission. Finally, such claims are inherently untrue, even if an organization believes it has all of the best security measures in place.

Filling in the gap

Hospitals that need to bulk up their security teams but don't necessarily have the resources to do so are increasingly turning to outside experts for help. Security experts are rushing into the healthcare industry to offer consulting services to organizations that don't have the bandwidth to create their own security teams. There is also significant demand for privacy officers, whose duties may include cybersecurity and legal compliance. According to Politico, the International Association of Privacy Professionals, launched just under a decade ago, is experiencing 25 percent year-over-year growth and has 20,000 members.

Some academic medical centers that recognized the risk of data hacking years ago have spent millions of dollars on staff, technology and consultants. Bonnie Siegel, an attorney and headhunter for cyber experts in the healthcare industry, said these professionals have found a "seller's market" in healthcare. "Top healthcare security positions used to average $135,000 to $175,000, but the salary is now typically in the $200,000 to $225,000 range, and I know people earning $300,000," she told Politico.

The Money Pit: Healthcare Spends Billions to Defend the IT That Cost Billions to Install
By Tamara Rosin, Akanksha Jayanthi and Kelly Gooch