Urging his audience to ramp up its awareness of the rapidly accelerating threats in healthcare to data security, nationally recognized healthcare data security guru Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm, told attendees at the CHIME Lead Forum-Seattle on Aug. 17 that “knowing the enemy, knowing ourselves” is going to be the key to healthcare IT leaders’ making progress on data security in a rapidly changing world.
Speaking on the topic “What Is Cyber Security and Why is It Crucial to Your Organization?” McMillan provided the opening keynote to the CHIME Lead Forum-Seattle, cosponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and the Institute for Health Technology Transformation (iHT2—a sister organization to Healthcare Informatics under the joint umbrella of the Vendome Group, LLC).
In his address to his audience, McMillan painted a landscape of rapidly accelerating threats to protected health information (PHI), data security, and the optimal functioning of patient care organizations across healthcare. Yet that landscape is one whose full measure of risk, he asserted, too few senior executives, even including senior IT executives, in healthcare yet appreciate.
An example of the menace, McMillan noted, is what’s going on nowadays around medical devices, as medical devices become increasingly fully integrated into the information networks of hospital organizations. “This is something that baffles me,” he said. “We now have definitive evidence that there are hacks taking advantage of weak networks, and yet we still have no real concrete action to create a standard for devices that connect to a network. Anyone who wants to can go out there in their garage and develop the next intravenous pump and take it to market, as long as it meets basic safety requirements of the FDA [the Food and Drug Administration]. We had devices sold on the market until the beginning of this year, that were based on the very first version of XP. And people bought them by the hundreds, knowing they were devices that were insecure and unsupportable.”
More broadly, McMillan said, “What’s really interesting to me is that this industry has absolutely embraced technology in the way that it supports care—in terms of medical and surgical procedures. We have all kinds of technology that assists us in terms of doing procedures, and yet we still don’t think of IT as a strategic asset. If we thought of it as a strategic asset, we would probably think we need to protect it better. And yet we spend less than half of what other industries spend on security.”
What’s more, all of the new threats—phishing attacks, commercially driven hacking and hacking to facilitate identity theft and fraud, hacking on the part of hostile foreign governments, and all the other threats—are taking place in the context of a patient care operations landscape in which more than 98 percent of all processes are automated, more than 98 percent of all devices are now networkable, and more than 95 percent of all patient information is digitized, McMillan emphasized. In addition, he said, “We have our supply lines extended incredibly compared to a few years ago. Ten years ago, there would be fewer than 50 people who would touch a patient record or information, today, there are more than 150 people who touch a patient record, and more than half do not work for the hospital. So the universe of folks touching our information has grown tremendously,” he said.
Awareness is increasing now, McMillan conceded. As evidence, he noted that 87 percent of respondents to a recent cyber security survey conducted by the Chicago-based Healthcare Information and Management Systems Society (HIMSS), reported that data security/cyber security has become a higher priority in their organizations, while two-thirds noted that they had experienced a significant data security incident recently.
McMillan spoke extensively about the need for the healthcare IT leaders at patient care organizations to begin to focus on proactive, automation-facilitated monitoring of the behaviors of individuals in patient care organizations, and the need to let go of the illusion that simply fulfilling federal compliance mandates will do the job. He cited as an example the fact that when professional-level hackers infiltrate hospital-based organizations’ networks, they are inevitably careful in not tripping wires around violating rules that are compliance-based. Instead, they are simply viewing patient records and sensitive information at far higher rates of volume than they should be doing, and only through automation-facilitated auditing processes, can such behaviors be identified, and criminals be unmasked.
Indeed, he said, the first thing that the hackers have done in all the most high-profile recent breaches of health plans and patient care organizations is to, once they infiltrated networks, immediately give themselves elevated data security privileges. He cited an example he said was really disturbing.
“I was at a hospital recently that had tens of thousands of elevated privileges, more than it had employees,” McMillan told his audience. “And I asked the question, how did you get there? And the answer was, nobody was minding the store. Community, Anthem, UCLA, all these breaches—what is the one thing the hackers got hold of after they breached those organizations? A set of elevated privileges, because that’s what they needed, to create real damage. So,” he asked the audience, “How many of us have two-factor authentication on top of our privileges? How any of us our vaulting those privileges to they’re auditable, but then later erasable? Or are we still just assigning service accounts within the network? How many of us actually are auditing? How much monitoring is really going on, period, inside the network?”
McMillan noted that on the Monday (July 20) immediately following the Friday (July 17) on which UCLA Health System in Los Angeles had publicly announced that it had experienced a data breach via a hack, that might have affected 4.5 million people, a class action lawsuit was filed against UCLA Health. And, he noted, that class action lawsuit “named the board of directors and executives fiduciarly responsible for the breach, and includes a claim that they failed to meet their fiduciary responsibility to protect the data. That is a different legal claim than the harm claim. The harm-based claims may go away and be settled,” he said, “but the fiduciary responsibility-based claim is one that is very much akin to the Sarbanes-Oxley approach. That’s another thing that boards are interested in, because that word is beginning to creep out, and boards are beginning to become worried.”
McMillan told Healthcare Informatics after his presentation that he believes that “C-suites and boards need to ask the tough questions. They need to hire a CISO [chief information security officer], and they then need to make sure that that CISO is empowered and is visible across the organization. And the CISO should not report to the CIO,” he stressed. “He or she should report to someone outside IT, and should be given prominence in the organization and the power to make changes.”
