Why information security should be every hospital CEO's No. 2 priority (at least right now)
Health systems have been underinvesting in information security for a decade, some even longer, but the threat landscape has now reached a critical point. Hackers, cybercriminals and nation states are increasingly sophisticated, and have access to the same cutting-edge machine learning technologies that security teams use to protect their data. Malware has been weaponized. Grimly, there’s no end in sight.
But how to get from today’s underfunded and risk-filled reality to a more secure future state in short order?
It starts with moving infosec higher up on the CEO’s agenda – something that will in all likelihood be a difficult maneuver, but a transformative one.
Information security: Why make it priority No. 2
Crafting plans for a new robotic surgery facility? Splurging on modern imaging systems or creating an artificial intelligence command center? Exciting, but you might want to backburner those projects – yes, even ones with a clear path to ROI – and, instead, apply enough resources to finally strengthen your information security posture first.
"Security is important enough to be above everything else," said David Chou, a veteran hospital executive who is currently VP and principal analyst at Constellation Research. "Healthcare clients want to feel safe. Look at Facebook and Marriott. People don’t feel safe. So take this opportunity now to make them feel safe, especially when you’re in a vertical that is about saving people’s lives."
Indeed, information security is about more than just avoiding data breaches; it’s a patient safety issue, and a social responsibility. Both are increasingly common refrains in cybersecurity discussions these days.
Richard Staynings, Chief Security Strategist with Security Associates and a HIMSS Cybersecurity Committee member, agreed that patient safety must be a top priority for CEOs.
"Cybersecurity is, like it or not, a primary component of patient safety now," Staynings added. "Forget confidentiality breaches. That battle is already lost several times over, the new battle lines are over availability – resiliency to withstand an attack – and the integrity of health data."
That said, Chou recognizes that most CEOs are going to rank sustaining a dominant position or growing market share above infosec, with the third priority being to find a new operational model for the era of consumerism.
Indeed, getting infosec into that second slot is exactly where things get complicated.
CEOs will need to be persuaded of this idea
The CEO and board of directors may have a different perspective than the CISO or legal and compliance teams.
"Frankly, cybersecurity ranks nowhere near number 2 at the CEO level. Nor should it," said James Doulgeris, CEO of Osler Health. "That responsibility belongs to the CIO or CTO. It should be their number 2 or number 1. The only time something like that hits a CEO’s top five is if the person responsible is not doing their job."
And when a cyber incident does reach the top, it’s expensive. Last month, for instance, after it was discovered that 4.5 million patient records of UCLA Health had been breached, the system settled for $7.5 million – $2 million for class action claims and $5.5 million it will invest to improve network security.
“It really comes down to do they get a breach and detect that breach and suddenly discover how much exposure they have by having not putting in place a robust security program?” said Adam Greene, a partner at the law firm Davis Wright Tremaine.
Just don’t expect fear to convince many chief executives. Despite the nearly constant stream of data breaches and multi-million dollar fines, not to mention damage to a brand’s reputation as well as soft and human capital expenses incurred, that tactic rarely works.
"Security leaders must engage from a business perspective, not fear of what could happen or what just happened to the guy next door," said Marin General CISO Jason Johnson. "Fear by itself is no longer motivating spending around infosec. Those days are gone."
That business perspective can come through, however, when CEOs have little choice but to pick one priority over another if only because a single budget cycle could go a long way to advancing security work.
Turning the culture upside down
Since security is only one among many agenda items, even for CIOs, CTOs and CISOs, the first place to focus in the near-term is human behavior.
"To beef up your security program, you have to solve the human behavior problem," Chou said. "That means turning the culture upside down and thinking about security as aggressively as many hospitals focus on handwashing. That same effort has to be there for every employee."
[RSA 2019: An insider's look at the premier cybersecurity conference]
The pressing need for CEOs to prioritize security now is about mastering the fundamentals. Staynings pointed to network segmentation and moving away from controls-based risk analysis to asset-based risk analysis as NIST SP800-30 specifies to better understand actuarial risk within IoT, medical devices, and hospital building management systems, as two clear examples.
Which is not to suggest that the problem will ever be entirely solved.
"It is a constantly moving target that requires consistent monitoring, refinement and investment," Johnson said.
All the more reason CEOs should ratchet it up on their to-do list today.
What will persuade CEOs to prioritize infosec?
"Our patients can't be worrying about how secure their information is when they're walking through our doors needing medical attention," said Marin General’s Johnson. "It should be the last thing on their mind."
Yet, healthcare as an industry suffers what Staynings described as a major mismatch between patient safety and effective security controls available today to protect against infosec threats.
Much of that stems from underinvesting on security and looking at it as a cost center or expense avoidance, instead of as an enabler of innovation that can help hospitals advance patient experience and safety.
Indeed, that sort of forward-looking vision means CEOs will have to retool today’s list of immediate needs to fortify their security posture by working with and cultivating ideas from security, IT and operations executives alike.
"Security needs to be better prioritized across healthcare but it may take a few patient deaths before CEOs wake up and smell the coffee that patient safety and cybersecurity are now inextricably linked," Staynings said. "Give doctors secure IT systems to diagnose and treat patients today."
Read more Innovation Pulse columns from Healthcare IT News.
Twitter: @SullyHIT
Email the writer: tom.sullivan@himssmedia.com
Healthcare IT News is a HIMSS Media publication.