Topics
Reimbursement
Home health agencies get half a percent pay increase
Home health agencies get half a percent pay increase
Revenue Cycle Management
Mary Washington Healthcare latest to outsource revenue cycle 
Mary Washington Healthcare latest to outsource revenue cycle 
Strategic Planning
Two CFOs see promise of AI, but have yet to build a dedicated budget
Two CFOs see promise of AI, but have yet to build a dedicated budget
Capital Finance
HIMSSCast: Is private equity the bad guy in healthcare?
HIMSSCast: Is private equity the bad guy in healthcare?
Supply Chain
Feds shore up healthcare supply chain in wake of hurricanes Helene and Milton
Feds shore up supply chain in wake of hurricanes
Accounting & Financial Management
Hospital margins climb to 5.1% in September
Hospital margins climb to 5.1% in September
Budgeting
Health system operating margins declined in August
Health system operating margins declined in August
Quality and Safety
US healthcare system ranks last in equity, access
US healthcare system ranks last in equity, access
Billing and Collections
CFPB warns of illegal tactics by medical debt collectors
CFPB warns of illegal tactics by medical debt collectors
Claims Processing
Johns Hopkins Health Plans announces multi-payer portal
Johns Hopkins Health Plans announces multi-payer portal
Workforce
Elevance laying off 123 California employees
Elevance laying off 123 California employees
Operations
$47.5 million grant allows Rutgers to turn lab discoveries into practical healthcare
Rutgers to promote 'translational' science with $47.5M grant
Medical Devices
Healthcare chatbots may promote racist misinformation
Healthcare chatbots may promote racist misinformation
Hospital/physician relations
Hospitals, physicians submit opposing views to FTC ruling on noncompetes
Hospitals, physicians submit opposing views to FTC ruling
Construction & Facilities Management
Cleveland Clinic partnering with Cavaliers on new training center
Cleveland Clinic partnering with Cavs on new sports complex
Compliance & Legal
Elevance latest insurer to sue over Medicare Advantage star ratings
Elevance latest insurer to sue over Medicare Advantage star ratings
Policy and Legislation
What Trump's election means for healthcare
What Trump's election means for healthcare
Community Benefit
Nonprofit hospitals' charity care falling behind tax breaks, report shows
Report: Hospitals' charity care falling behind tax breaks
Accountable Care
ACO REACH changes more negative than positive, says participant
ACO REACH changes not positive, says participant
Acute Care
SDOH, tech key to advancing value-based care, says UHG
SDOH, tech key to advancing value-based care
Ambulatory Care
Cleveland Clinic and Amazon One Medical collaborate on primary care clinics
Cleveland Clinic and Amazon One Medical collaborate
Analytics
Interoperability in healthcare moving forward despite challenges
Interoperability in healthcare moving forward despite challenges
Business Intelligence
UnitedHealthcare expands ACA presence to 30 more states
UHC expands ACA presence to 30 more states
ICD-10 & Coding
Physician practices examine risk adjustment coding in wake of federal lawsuits
Practices keeping close watch on risk adjustment coding
Meaningful Use
Financial disincentives for providers who commit information blocking 
Financial disincentives for providers who commit information blocking 
Medicare & Medicaid
Elevance Health 'considering options' following star ratings hit
Elevance Health 'considering options' following star ratings hit
Patient Engagement
Patients see narrow networks in ACA marketplace plans, KFF finds
KFF: Patients see narrow networks in ACA marketplace plans
Pharmacy
Walgreens pays $100 million to settle class action drug case 
Walgreens pays $100M to settle class action drug case 
Population Health
Reproductive care, including abortion, facing challenges
Reproductive care, including abortion, facing challenges
Risk Management
UPMC for You partners to offer Medicaid redetermination coverage in laundromats
UPMC for You offers Medicaid redetermination coverage in laundromats
Telehealth
Teladoc posts $640.5 million in revenue, stresses virtual care improvement
Teladoc posts $640.5 million in revenue
Mergers & Acquisitions
Venture capital firm HATCo to buy Summa Health for $485 million
HATCo to buy Summa Health for $485M
View more
Nov 30, 2016 More on Workforce

Hospitals sorely lack cybersecurity workforce, need staff-wide engagement, experts say

Lack of protections, rising number of attacks, value of healthcare information to hackers, makes industry a ripe target.

Beth Jones Sanborn, Managing Editor

A widespread shortage of cybersecurity staff, along with measures to thwart hackers and protect sensitive provider and patient information, continue to converge and keep healthcare providers highly vulnerable to cyberattacks. But experts say that with total buy-in from all levels of staff, clear processes and asset awareness, victory is within the industry's reach.

A recent report by CSO Online said there are 1 million job openings among the cybersecurity workforce in 2016, and projected that number to climb to 1.5 million by 2019.

"All of a sudden something we've always known is important became very publicly important so now people are scrambling. So absolutely there's a shortage," said Kevin Johnson, cybersecurity expert and CEO of Secure Ideas, a cybersecurity firm.

Bob Chaput, CEO of healthcare cybersecurity firm Clearwater Compliance, agreed that healthcare is playing a serious game of catch-up when it comes to both the adoption and implementation of information technology, as well as information security. He said hospital budgets are often consumed by electronic health record projects, and the role of chief information security officer is non-existent in hospitals, often treated as a "collateral assignment" that falls to the chief information officer.

"While the CIOs intent is to safeguard this information, their resources are being consumed in other areas with other priorities," he said.

[Also: Trump will face cybercrisis in first 100 days, Forrester predicts]

Chaput also cited rampant changes in the healthcare landscape overall as a reason why adequate attention has not been paid to cybersecurity.

Everybody's got access

Whatever the reasons behind the shortage, the lack of effective protections, coupled with the rising number of attacks and value of sensitive healthcare information to hackers, makes the healthcare industry uniquely vulnerable.

For years, Johnson said, there was widespread disbelief that no cybercriminals were attacking hospitals. Beyond that, the need was there to recognize that the information healthcare has is sensitive from a cybersecurity perspective and valuable to hackers; they aren't just going after banks and credit cards. The third and most dangerous part is most healthcare organizations don't have a lot of control. Hospitals are perfect example, he said. In his experience, many hospital networks are accessed by vendors and contractors who are not hospital employees, from affiliated doctors right down to catering and cleaning staff who have access to machines that are on the network. He said in some hospitals he's worked with, as many as 75 percent of those accessing the hospitals network aren't employees. The lack of control over who has access and when, creates opportunity for misuse of network assets.

Chaput went so far as to call the healthcare industry the most attacked of all. In addition to the workforce shortage and lack of prioritization of cybersecurity, he highlighted the disparity between the speeding evolution of medical devices and technology versus the security they require so patients are protected. Patient safety isn't just about making sure the devices work. Proper protections need to be built into those devices, including the clinical applications, such that innovation isn't coming at the cost of security and privacy, Chaput said.

Both pointed out the need for healthcare organizations of all kinds to realize the value of medical information to cybercriminals, and how that value only makes the target painted on hospitals and providers that much more vivid.

"There's more healthcare data than there has ever been and it's all over and it's more visible and valuable than ever…all sorts of fraud can be committed with medical information."

Hackers are undeterred

After a year where ransomware and malware proved a constant and effective marauder of protected health information through numerous data breaches, Chaput and Johnson predict that trend will continue because, quite simply, it has proven successful and lucrative for hackers.

Johnson also believes those methods will become pivot points for more sophisticated attacks where hospital or provider breaches are launch points to invade bigger entities. For instance, a hacker might target a hospital who uses a certain EHR company, in order to gain access to that EHR company, to which the hospital in theory has access.

[Also: Appalachian Regional Healthcare back online after cyberattack cripples system for nearly 3 weeks]

"When you see the spread of malware, you then see spread of it pivoting into other realms," Johnson said.

Both experts said an efficient hospital/provider cybersecurity program starts with staff-wide engagement.

"You must have a program with key elements and capabilities that transcends time, transcends the threats and anticipates that there are new controls that are going to be developed and available to us over time," Chaput said.

For him, an effective cybersecurity program contains five key components. First is governance, and with that the realization that there is value in engaging the board and executives. Next is people, which includes having the right number of people with the right skill sets in the organization to build and operate the program. Third is process, which includes policies, procedures and people taking ownership of them and building practices around good information and risk management. Technology, of course, is important as well, he said. Lastly comes engagement. An overarching commitment to security must become part of the culture of the hospital or provider, as well as having it become second nature such that people are designing security into whatever solutions they are building.

"The organizations that don't do that have a workforce of liabilities. The organizations that do train, actively remind and actively test and monitor, end up turning their workforce into assets. They become sentinels for them," Chaput said.

[Also: Cybersecurity issues have healthcare executives on high alert, HIMSS survey says]

Johnson said there is flexibility, in that while everyone needs that help, they don't necessarily need the help full-time. Lots of organizations are using third parties for their cybersecurity and that's fine, as long as they educate the staff on their responsibilities.

For him, the most effective programs are hospital-wide. Staff, contractors, everyone must know they have critical role in protecting data. If you're not educating all users, the program is useless, he said.

Visibility and basic IT hygiene/cleanliness are also crucial. This means knowing all the systems that are running on or connected to the network, who is using them, when and why.

"If you can't manage your own servers, if you don't know what assets are on your network, if you don't know what systems are connecting to what systems and assets, I don't care how smart you are or what products you buy, you're failing at security."

Twitter: @BethJSanborn

News
Ending racism in healthcare often begins with medical education - and is the target of a new national project Ending racism in healthcare often begins with medical education - and is the target of a new national project Inequities can be found in every facet of the industry, but targeting medical students and residents can help stem the tide.