Health Care Organizations Underfunding Cybersecurity Efforts
June 4, 2015 in News
After spending billions of dollars migrating to electronic health records, the health care industry now is looking to beef up its spending on data security, Politico reports.
According to Politico, data breaches have compromised the health records of up to one in three U.S. residents, with hacks of several major hospital systems and insurers exposing about 95 million records in the last year alone. A recent Ponemon Institute report estimates that data breaches cost the industry about $6 billion annually.
However, experts say defending against data breaches is extremely difficult.
Jim Nelms, chief information security officer at the Mayo Clinic, said, “The adversary is way ahead of us right now.”
Weighing the Cost
The government has established a network for industry to share information on cyber threats, but some hospitals say participating is too expensive.
Lisa Gallagher — a cybersecurity expert from the Healthcare Information and Management Systems Society — said health care organizations should spend at least 10% of their IT budget on cybersecurity. Yet, the industry average is just 3%.
Carl Anderson of the HITRUST Alliance said, “For a lot of places, it’s spend $1 million a year on uncompensated care, or spend it on security.” He said that spending on cybersecurity is similar to a “tornado-resistant roof” — it might never be needed, but “if all you’ve got is a tarp and a storm comes, you’re going to take a lot of heat for the damage to your house.”
According to Nelms, smaller organizations could find it particularly difficult to make significant recurring investments in cybersecurity. He said, “It’s one thing if you’re a Mayo Clinic or a Kaiser or an Aetna, and another to be a small to medium hospital chain struggling with low profit margins.”
According to Politico, there are a growing number of firms offering cybersecurity services, and more organizations are hiring dedicated privacy officers.
Salaries also are increasing for such positions. While pay for senior health care security positions used to average somewhere between $135,000 and $175,000, “the salary is now typically in the $200,000 to $225,000 range,” according to Bonnie Siegel, an attorney who helps health care organizations hire security experts.
Anthony Coronado, a biomedical engineering manager at Renovo Solutions, noted that hospitals are becoming increasingly aware of their cybersecurity vulnerabilities as more devices connect to health care networks. He said devices such as heart rate monitors and insulin pumps are new avenues for hackers to breach data systems.
According to Nelms, it will be difficult to find solutions to protect such systems. He said, “There’s not a single solution that would stop the adversary we face,” adding, “What we can do is use some techniques to protect critical information” (Allen, Politico, 6/1).