Not too long ago, medical records were kept on paper. That information — patient records, medical histories, etc. — later had to be translated to digital formats via painfully slow processes. With no national standard regulating what or how information would be transferred, meaning a smattering of administrative personnel and other industry workers were charged with completing the process, human error laid the foundation for the industry's cyber security issues today.
During the digital boom in the '90s, industries slowly transitioned their data to digital form. But the healthcare industry was slow to adapt. The lack of security standards, disparate systems, and the overall cost made the transition to digital records move at a snail's pace. The healthcare industry saw cyber security as a IT problem, and treated it as such. It failed to recognize that cyber security is outside the scope of the usual IT department functions, as well as how important experts, equipment, software and training really are.
Though the majority healthcare organizations are now allocating a percentage of their budgets on Cyber security, according to Healthcare Informatics, the site also reports on a recent HIMSS survey that shows 60 percent of healthcare organizations surveyed are spending around three percent of their budgets on cyber security, that’s still less than half of what some in the financial industry are spending.
Years of indifference have led to the current rise in data breaches. The Ponemon Institute estimated that the average cost of a breach in healthcare facilities to be million dollars, in its most recent report. Though the cost of breaches is down from previous years, Ponemon notes the average size of the breaches has increased.
The list of breaches for 2017 includes Bronx-Lebanon Medical Center, which exposed tens of thousands records due to a vendor's misconfigured backup. The National Health Service in England and Scotland was hit by the WannaCry ransomware, disabling the systems that workers needed to access to treat patients. And another ransomware attack on ABCD Children’s Pediatrics in San Antonio affected more than 55,000 patients' social security numbers, insurance billing information, dates of birth, medical histories and more.
A lack of cyber security investment results in costing millions of dollars per breach instead, something the healthcare industry now sees as a reason to pay attention cyber security. Progress is being made, but a lot more is needed. Lives are on the line.
Addressing this problem won't be easy. Health care facilities around the country have to modernize their computer systems across the board, getting rid of legacy systems for more protection against malware attacks. Training for industry professionals from the top down, and recruiting cyber security experts to the industry is needed as well, not only to create another line of cyber defense, but to change the culture and approach to cyber, ergo, patient security. This all means a dramatic increase in focused spending — expensive, but not as expensive as the cost of a real breach.
Some healthcare facilities are starting to move in this direction. Risk frameworks and assessments are increasing with organizations adopting the National Institute of Standards and Technology. But without a momentous change in the way the healthcare industry approaches cyber security, the problem will get worse. It's already a matter of life and death.
Thomas Russell is a high school information technology teacher and retired Army Signal Corps soldier. He is the founder of SEMtech (Student Engagement and Mentoring in Technology) and an Advisory Board Member of Educating Children of Color. His hobbies include writing, photography and hiking. Contact Thomas via Russell’s Room on Facebook, or email at email@example.com, and his photography at thomasholtrussell.zenfolio.com.