Cybersecurity should no longer be an IT problem, says MedSec CEO Justine Bone

In this special Speaker Series, Becker's Healthcare caught up with Justine Bone, CEO of MedSec.

Ms. Bone will speak during the Becker's Hospital Review 4th Annual Health IT + Revenue Cycle Conference on "The Path to Achieving Cybersecurity Resiliency Within Healthcare Delivery Organizations," at 9:05 a.m. Saturday, Sept. 22. Learn more about the event and register to attend in Chicago.

Question: What do you see as the most vulnerable part of a hospital's business?

Justine Bone: Patient trust. Our dependency on technology to deliver trustworthy services makes the protection of technology — and those that use it — a priority. A cybersecurity incident — anything ranging from service downtime due to a ransomware attack, to the theft of health records, to more dramatic patient safety scenarios related to medical device operations — will all affect trust, and by extension, business.

Hospitals are increasing investments in cybersecurity programs, but we need to do more. Still today over one in 10 hospitals have no cybersecurity staff. This means critical infrastructure remains unprotected. Take medical devices, for example. There are many mini-computers connected per bed, with hundreds of thousands throughout our hospitals. These are simply embedded computers that conduct specialized tasks. Many are running out-of-date software, and they are not maintained. Medical devices are only included on one third of hospital risk assessments, according to a 2018 Healthcare Information Management and Systems Society survey, and yet look at the impact a compromise of these devices would have on patient trust.

Q: What's one conviction in healthcare that needs to be challenged?

JB: This is a challenge that goes beyond healthcare: the conviction that cybersecurity is an IT problem. Cybersecurity budgets typically come from IT budgets, and as a result, staffing is then run out of an IT organization. The problem that comes from this is that the massive risk management challenge of cybersecurity does not gain exposure at a business management level where the attitude remains, "Is it fixed yet?" In fact, cybersecurity is a risk management function that is never complete. We have seen the results of this same scenario play out in other verticals, where C-level executives and board directors are now being held accountable for appropriate risk management as it relates to cybersecurity, but culturally, healthcare is far behind this approach.

Q: What's the biggest misconception about health IT? 

JB: The misconception that security — confidentiality, integrity, availability — have all been addressed and built into our products and systems ahead of deployment. If we as users see a shiny black box, we want to think that every component of that black box is understood, has been tested and examined thoroughly, and that we can trust it to only perform the function that it was designed to perform. Unfortunately, the opposite is usually true and we are a very long way from "secure by default." As a result, we see a false sense of security across physicians, procurement staff and, unfortunately, patients. Our regulators and manufacturers are playing catch up. Yes, certain standards for new products must be met, but these requirements are just now emerging. Many of our medical devices have very long life spans — it's not like we swap out an MRI like we upgrade a phone every few months — and so we have legacy problems that must be retroactively addressed. When it comes to health IT, quality is not where we would like to convince ourselves it is.

© Copyright ASC COMMUNICATIONS 2019.