If done improperly, discussing cybersecurity can become a liability.
The last thing a healthcare IT, security or privacy officer wants to do is send an open invitation to hackers to infiltrate their systems. Yet that may be exactly what they are doing when discussing their security programs.
Across all industries, marketing and highlighting an organization's strong points and unique offerings are key — and common sense — to business practices and gaining market share. The same concept largely holds in the healthcare industry. Hospitals that acquire the latest technologies are sure to talk about them, for example.
However, this dynamic does not remain true in the world of healthcare cybersecurity, a growing landscape of highly valuable information mixed with hackers' desire to obtain and potentially misuse the information.
In healthcare, organizations walk a delicate line between marketing their capabilities — cybersecurity included — and creating an even greater security risk for patient data.
External communication
Healthcare data breaches are on the rise, and a new Ponemon Institute report found criminal attacks are the top cause of breaches, increasing by 125 percent over the past five years.
Internally, cybersecurity discussions are certainly top-of-mind for hospital and health system executives and privacy leaders, but talking about cybersecurity measures to the media or general public can be a liability to the organization, depending on how they are discussed.
"[Cybersecurity] absolutely is something [healthcare organizations] should be talking about, but there's an appropriate way to talk about it and an inappropriate way to talk about it that could potentially put you at harm," says Mac McMillan, co-founder and CEO of information security and privacy consulting firm CynergisTek and current chair of the HIMSS Privacy and Security Policy Task Force.
What not to do
The key, Mr. McMillan says, is to not speak in terms of the absolute, such as saying data at a healthcare organization is 100 percent secure or that individuals needn't worry about their data protection at a certain company. Doing so, Mr. McMillan says, sets healthcare organizations up for two issues.
First, making such a statement is essentially an invitation for a hacker to try to break into the system. The best case scenario, Mr. McMillan says, would be a hacktivist — someone coming after healthcare organizations not with the intention of stealing data but just to prove them wrong — successfully doing so. The worst case scenario would be an actual hacker who successfully infiltrates a system with a harmful agenda. "Now you've got a major breach on your hands that you have to try to explain when you just told everybody you were 100 percent secure," Mr. McMillan says.
Secondly, making a definitive claim like a network is entirely secure brings additional scrutiny onto your organization, including an intensified, watchful eye from the Federal Trade Commission. The FTC carefully monitors what claims companies voice to their consumers, and if a healthcare organization makes such a claim, it may face charges of consumer fraud, Mr. McMillan says.
"When you put on your website that your environment is 100 percent secure…or certify the network is HIPAA-compliant, basically what you've done is you've made a contract with the consumer, that if you fail to live up to it, it's essentially a consumer fraud issue," Mr. McMillan says. "You made a claim that wasn't true."
Additionally, statements guaranteeing security are inherently untrue, even if a healthcare organization believes it has all the best security measures in place. Healthcare threats change daily. New vulnerabilities are identified and new threats emerge.
"There's no such thing as a 100 percent secure solution or secure environment," Mr. McMillan says. "You can certify you're doing all the right things, that you're following a particular approach and you can certify that you use a certain methodology. But you cannot certify that you're secure."
Considerations for communication
However, like Mr. McMillan mentioned, healthcare organizations should discuss cybersecurity outside of their own four walls, largely as an affirmation to patients and consumers that the organization is dedicated to protecting information.
"What you can say, and what you should say — assuming it's true — is that you are trying to achieve a high level of security or you are doing the things you believe are responsible to protect information or that security is a high priority with your organization," Mr. McMillan says. "That says to the consumer what they want to hear, which is you care about security and you care about the protection of their information, but you're not making some bold claim that their information is 100 percent protected in your environment."
Andy Nieto, health IT strategist for DataMotion, a provider of secure data delivery solutions, agrees that data security should be something healthcare leaders discuss externally. However, he adds the caveat that strong security can be both an enticement and deterrent to hackers.
"Security is an active reality in that it combines the elements of a show of force, a show of strength and a show of power as well as not disclosing details about what that power is," Mr. Nieto says, illustrating his point with the example of Air Force One. "They describe it as being the most advanced aircraft with self defense measures ever made, but they never talk about what those self defense measures are."
In healthcare, Mr. Nieto says, hospitals should communicate that they are actively addressing security through programs, measures and solutions, with "active" being the key word, as it indicates a continuing evolution and a state of constant monitoring. Security is a constant concern. There is no end goal, and healthcare organizations should communicate this message with the public, he says.
Finding strength in numbers
Discussing cybersecurity can do more than just reassure patients that their privacy is a key priority and potentially deter hackers from trying to infiltrate a system. Talking about security threats with other industry members can actually help bolster an organization's defense.
Rick Kam, president and cofounder of ID Experts, a provider of data breach, incident response and resolution software and services, offers the example of the financial industry, which in the face of a string of attacks developed a coalition to share threat information. The financial services industry has long been the target of criminal attacks, "because that's where the money was," Mr. Kam says.
To mitigate threat risks and be proactive about security, the financial services industry started working with the Financial Services Roundtable, an advocacy organization for this sector, to freely share threat knowledge and information. FSR members include approximately 100 of the largest financial institutions, including banks such as Bank of America and Fifth Third Bank, credit card companies such as Visa and Discover, and payers including State Farm and The Hartford.
"That particular industry…made security a noncompetitive issue so they could share information freely about threats, attack vectors and all the things that are important to understand so you can defend yourself better," Mr. Kam says.
The healthcare industry is slowly moving in this direction. The House of Representatives recently passed two cybersecurity information sharing bills — the Protecting Cyber Networks and National Cybersecurity Protection Advancement acts — that provide legal protections for private companies to share cyber threat information and indicators with one another, as well as to the federal government.
Cyberattacks are a relatively recent threat to healthcare, Mr. Kam says, largely because cyber criminals previously did not perceive medical information to be as valuable as other types of information. That, however, has changed. Don Jackson, director of threat intelligence at PhishLabs, told Reuters that stolen health credentials are sold for 10 to 20 times higher prices than stolen credit card information, as hackers can use health data and insurance information to commit medical identity theft and medical fraud.
Given healthcare's recent entry into the threat radar, Mr. Kam says it is understandable that the industry hasn't yet made progress in this type of noncompetitive collaboration like the financial industry has. But, he says, the time has come to do so.
"We weren't under attack, but we are now," Mr. Kam says. He advises organizations to "band together, collaborate, implement best practices, share information around security as well as threat and attack vectors coming in against health systems."
The medium is the message
While the content hospitals and health systems communicate to the public is important, so is who says it. The words of certain individuals speaking on security programs carry greater weight than others.
"If you ask the CMO of a hospital, 'What do you think of our security?' and he says, 'We have a great security program here, our patients' information is absolutely protected,' that's much different than a CISO who's directly responsible for [security] and has intimate knowledge of the program saying the same thing," Mr. McMillan says. "The CMO is basically stating his opinion. He really doesn't know how good the program is."
The CISO or any other IT leader, on the other hand, is speaking from a position of inside knowledge, and such individuals should take extra care in the claims they make, according to Mr. McMillan.
"There's nothing more fun than to embarrass the CEO after he said he's perfect or a CISO who's bragged on his security or the job they're doing," Mr. McMillan says. "Let somebody else do the bragging for you."
More articles on cybersecurity:
Healthcare now spending billions to defend the IT systems it spent billions to install
Cyberattack exposes data of 1.1M CareFirst BCBS members: 6 things to know
13 statistics on the state of cybersecurity