After spending billions migrating to electronic health records (EHRs), the health care industry is now spending billions to increase data security, Politico's Arthur Allen reports.
According to Allen, data breaches have compromised the health records of up to one in three Americans, with hacks of several major hospital systems and insurers exposing about 95 million records in the last year alone. A recent Ponemon Institute report estimates that data breaches cost the industry about $6 billion annually.
'The adversary is way ahead of us'
In April, the House of Representatives passed two bills that would increase data sharing on cybersecurity threats between private industry and government agencies. Sen. Mark Warner (D-Virginia) is also drafting legislation that would require companies to promptly notify patients when their records are exposed.
However, experts say defending against data breaches is extremely difficult. "The adversary is way ahead of us right now," says Jim Nelms, Mayo Clinic's chief information security officer.
According to the Ponemon report, most large health care organizations have already been hacked at least twice.
The government has established a network for industry to share information on cyber threats, but some hospitals say participating is too expensive. "For a lot of places, it's spend $1 million a year on uncompensated care, or spend it on security," observes Carl Anderson of the HITRUST Alliance, a cybersecurity firm. He says spending on cybersecurity is similar to a "tornado-resistant roof"—it might never be needed, but "if all you've got is a tarp and a storm comes, you're going to take a lot of heat for the damage to your house."
A cultural change
Mayo's Nelms notes it can be difficult to convince hospital staff that cybersecurity is necessary. When he implemented a stronger authentication system for the organization's network, "a lot of the response was, 'We live in a cornfield in the middle of Minnesota. Who wants to hurt us?'" he says.
Lisa Gallagher—a cybersecurity expert from the Healthcare Information and Management Systems Society—says health care organizations should spend at least 10% of their IT budget on cybersecurity. Yet, the industry average is just 3%.
No easy solutions
Nelms says smaller organizations may find it difficult to make significant recurring investments in cybersecurity. "It's one thing if you're a Mayo Clinic or a Kaiser or an Aetna, and another to be a small to medium hospital chain struggling with low profit margins," he says.
Allen says there are a growing number of firms offering cybersecurity services, and more organizations are hiring dedicated privacy officers.
Salaries are also increasing for such positions. While pay for senior health care security positions used to average somewhere between $135,000 and $175,000, "the salary is now typically in the $200,000-$225,000 range," according to Bonnie Siegel, an attorney who helps health care organizations hire security experts.
Hospitals are becoming increasingly aware of their cybersecurity vulnerabilities as more devices connect to health care networks, according to Anthony Coronado, a biomedical engineering manager at Renovo Solutions. He says devices such as heart rate monitors and insulin pumps are new avenues for hackers to breach data systems.
Finding solutions to protect such systems will be difficult, Nelms says. "There's not a single solution that would stop the adversary we face," he explains, adding, "What we can do is use some techniques to protect critical information" (Allen, Politico, 6/1).
The takeaway: The health care industry is increasing its investments in cybersecurity following a series of breaches, but experts say not all organizations are doing enough and defending against new threats will be difficult.