Cybersecurity has passed from being a buzzword in healthcare to being an integral part of an organization's business strategy.
After insurance giant Anthem suffered a massive cyberattack in early February that compromed nearly 80 million individuals' medical records, many healthcare executives scrambled to ensure that their data was safe. Premera Blue Cross suffered another attack in March which compromised 11 million patient records, spurring the conversation again.
We asked healthcare executives at the HIMSS15 Annual Conference & Exhibition in Chicago to recall the few days following the Anthem and/or Premera hack. What was their organization's response? Any special meetings or follow-ups?
Note: Responses have been edited for length and clarity. Continue to check back throughout the conference for more responses.
Joel Vengco, Vice President and CIO, Baystate Health (Springfield, Mass.): "We've been ramping up to this point. [The attacks] really helped us continue to make our case. Over the last year, we've been focusing on cybersecurity, not because of these hacks initially but because we are starting to share more data to providers for analytic purposes. We're also looking to share more data with patients. We're opening up the capabilities for multiple stakeholders across the comunity to access data. These have obviously touched our board members and executives teams. It's made a beneficial impact for our case to focus more on cybersecurity because it's unsexy, it's behind the scenes. Cybersecurity is only interesting when you have things like Sony and Anthem happen. All these collective things have opened up communication channels for us to continue to grow in cybersecurity."
Mac McMillan, Chairman, CEO and Co-Founder, CynergisTek: "The first thing that came to my mind was once again we need to focus on the basics. When you look at hose breaches and how they happened — they ended up becoming sophisticated attacks, but at their beginning they were very simple. [The hackers] took advantage of something that wasn't configured properly or took advantage of the user who clicked on a phishing email; things that could absolutely have been avoided if we just did a better job of doing the fundamentals. Making sure are systems are well built from a security perspective. Making sure we're testing on a regular basis. Making sure somebody credible is monitoring our environment. Making sure we've deployed the right kinds of technologies that give us the ability to detect and avert the breach on the back end.
We need to get back to basics, pay more attention to and educate users. We also need to step up our game and realize we are not boxing with our little sister anymore. We are boxing with the guy that's going to knock us out of the freaking ring. So we need to step up our game. We need to invest in the right technologies and services that give us a fighting chance to stay in there. Until we do, they are going to win."
Ed McCallister, Senior Vice President and CIO, UPMC (Pittsburgh): "I didn't do anything out of the ordinary; [security is] always front of mind. We talk about the future of analytics and big data and what we have — we don't talk as much about security, but it's always at the forefront for UPMC. We have a very ramped up security team that looks at it 24/7. We have penetration testing we perform. It's unfortunate what happened with Anthem, but it's becoming more and more prevalent not only in healthcare but other industries. We just need to prepare for it. I see the need to prepare for it rather than just react to a specific situation. I think a lot of artificial intelligence will be needed. [Threats are] constant. They're not going away any time soon. Security is always at the forefront — it has to be part of the conversation every time."
Dick Daniels, Executive Vice President and CIO, Kaiser Foundation Hospitals and Health Plan (Oakland, Calif.): "Security is something we take very seriously. We do try to learn. What happened with these other organizations, we can incorporate those learnings. We learned how those breaches took place and scanned our systems to ensure we didn't have the same vulnerabilities. We really try to make sure we're learning and incorporating those learnings to protect the information we have responsibility for."