By Mac McMillan, CEO, CynergisTek
Twitter: @mmcmillan07
Twitter: @cynergistek
At HIMSS16 I will have the pleasure of taking the stage with two healthcare CISOs who are passionate about their craft and working to make a difference in their organizations, Chuck Kesler of Duke Medicine and Jay Adams of Tallahassee Memorial HealthCare. We’ll be talking about two different, but related topics that are front and center with every healthcare organization today: HIPAA compliance and cybersecurity.
In 2005 the Office for Civil Rights, the organization responsible for HIPAA Privacy and Security Rule enforcement, coined the phrase "Create a culture of compliance" to express the importance of adopting sound privacy and security practices to protect patient health information. It did not really mean to focus on compliance for compliance's sake, but unfortunately many organizations have set their targets on compliance as opposed to adopting a security framework and controls capable of meeting today's data protection needs. In hindsight, the environment in 2005 was a lot simpler than what we see today: Meaningful Use had not yet made EHRs a mainstay in most entities, medical devices were not yet networked, and clouds brought rain instead of hosting everything from infrastructure to software-as-a-service. We did not have ACOs, Health Information Exchanges, Big Data or Population Health. We were two years away from the iPhone, five years away from the iPad, and the whole concept of implantables, wearables and ingestibles that communicated wirelessly was the stuff of Buck Rogers thinking. The HIPAA Privacy and Security Rules were never intended to address every aspect of data security, and simple compliance will not deliver the level of information assurance needed by healthcare today. The time for focusing on a culture of compliance has long passed.
At the same time that we've had this explosive advancement in technology, we've also seen an equal evolution in the threat, so much so that we coined a whole new set of terms: cyber thieves, cyber terrorism, cybersecurity. With the advent of the EHR and the digitization of the medical record, healthcare became the only industry that combines all forms of sensitive personal information (PII, PCI, PHI, etc.) in a single database, making it a lucrative target for would-be hackers and thieves. This has vaulted healthcare to the top of the list of targeted industries and kept it there for the last three years running. Prior to 2009, massive breaches were unheard of; incidents consisted mainly of physical theft and numbered in the tens to hundreds to low thousands of records, while today we see breaches involving hacking that number in the tens of millions of patient records. In the meantime, the threat has also evolved in its ways of attacking, the sophistication of its attacks and whom it attacks. There is nothing that happens in any other industry that does not happen in healthcare, from straight-up hacking, to extortion through ransomware, to manipulation of people through multiple social engineering approaches like phishing, water cooler attacks and impersonation. Nothing is off limits or immune in healthcare, which means systems that house and process patient information for clinical purposes like EHRs, decision support systems and medical devices are at risk, presenting both compliance and patient safety issues. That said, according to Verizon's latest threat analysis report, more than 99.9% of the hacking incidents that were successful last year exploited a vulnerability that was more than a year old, meaning that they could have been avoided.
This leads us to the point of our HIMSS16 presentations: there are steps we can take to reduce our exposure to risk and enhance our ability to respond and recover when and if the inevitable incident strikes. Whether it is awareness, the blocking and tackling of network and system administration, the building of a more resilient architecture, the deployment of the right security technologies or understanding contingencies and response, we can and must do a better job in healthcare. The FBI has said that the threat knows healthcare is ill-prepared, and the former cybersecurity czar for the White House has said that every time security is mentioned in relation to healthcare you hear a chuckle. It's time we prove both of them wrong.
About the Author: Mac McMillan is co-founder and CEO of CynergisTek, Inc., an authority in information security, privacy, audit and regulatory compliance in healthcare. He is the current Chair of the HIMSS Privacy & Security Policy Task Force. McMillan brings nearly 40 years of combined intelligence, security countermeasures and consulting experience from both government and private sector positions and has worked in the healthcare industry since his retirement from the federal government in 2000. McMillan served as Director of Security for two separate Defense Agencies, and sat on numerous interagency intelligence and security countermeasures committees while serving in the U.S. government.
In January 2016 Mac McMillan participated in a HITECH Answers panel discussion on the topic of the impact of cybersecurity on healthcare. Other panelists included Iliana Peters, Senior Advisor for HIPAA Compliance and Enforcement at the HHS Office for Civil Rights; Lee Barrett, Executive Director of EHNAC; and Mark Eggleston, VP and Chief Information Security Officer and Privacy Officer for Health Partners Plans. The event was moderated by healthcare attorney Matt Fisher. You can view the video of this discussion on our YouTube Channel.