Security is a board-level, business issue; yet in most healthcare organizations it is delegated to a team or individual without direct audience to the CEO or board.
Ted Harrington, executive partner, Independent Security Evaluators
Berger noted that it is, “inherently difficult to safeguard. It is a real balancing act. Too many controls and you might prevent doctors from accessing information they need to treat a patient; too few controls and that same information could end up in the wrong hands.”
Scott sees the same conflict. He said the problem is a combination of, “a lack of cybersecurity, a lack of cyber-hygiene, and the value and utility of the data. Many medical professionals ignore basic cybersecurity precautions like encryption because it slows down their patient response time or because their resources are dedicated elsewhere.
“Healthcare entities also have a high number of nurses, doctors, and other users physically or remotely accessing sensitive data and systems, which inevitably leads to poor security and in some cases, insider threat,” he said.
Finn said another problem is how quickly the industry adopted Electronic Health Records (EHR), from less than 10 percent in 2009 to 97 percent in 2014. “Unfortunately, that rush of implementation left security behind,” he said.
Another problem: Even though annual national health care spending is a staggering $3.35 trillion, many organizations are using badly outdated equipment. According to McAfee, some medical workers are using systems with Windows 95. Microsoft discontinued support for that OS in 2001 – several lifetimes in the world of technology.
Harrington attributes that to security not being an investment priority, in part because, “there is insufficient executive buy-in and understanding of the security mission. Security is a board level, business issue; yet in most healthcare organizations it is delegated to a team or individual without direct audience to the CEO or board,” he said.
According to Scott, it sometimes simply comes down to the reality that it may be, “more cost effective for hospitals to operate outdated equipment and assume potential risk than to replace antiquated equipment.”
Wirth said that reality is complicated by interdependencies. In many cases, “a system upgrade would require a number of other costly software and hardware updates,” he said.
“A lot of medical systems and software are very specialized and are upgraded infrequently, especially medical devices, which have a long development cycle and a long, useful life in the hospital.
It makes no sense, he said, for a hospital, “to buy a new $500,000 MRI scanner just to replace the end-of-life operating system.”
Given those realities, experts say there are still basic cybersecurity “hygiene” steps organizations can and should take to guard patient data. Most of it comes down to what is recommended for any organization – good cyber hygiene and layered security. That includes:
Sign up for Computerworld eNewsletters.