The drum beat of hospital PHI breaches marches on. Every day there seems to be another news article on a hospital being hit with a ransomware attack.
Hospital CEO's and Boards are placing ever increasing demands on their CIO's to pour technology and resources into preventing these perimeter attacks. Who can blame them, as they don't want to have to appear before the media and explain why the attack wasn't prevented given the current high threat environment, how many patients records were affected and how they will deal with the aftermath of the breach.
Even though these perimeter attacks are no doubt high profile, there is a larger threat that is not being given high enough attention by CEO's or their Boards, and certainly not the same level of technology and resources to deal with it. Of course, I am talking about privacy and "insider" borne threats. According to a recent study by Clearswift1, 58% of all security incidents can be attributed to insider threats (employees, ex-employees and trusted partners). The primary causative factors were identified as inadvertent human error and lack of awareness or understanding. Only 26% of organizations are confident they can accurately determine the source of the incident. There are plenty more statistics to throw around, but suffice to say, insider threat is a major problem and represents a large part of hospital breaches even though they do not routinely get the same level of media coverage.
Let's take a quick review of what the hospital landscape looks like in terms of dealing with insider threat today. Most privacy staff are very small, usually about 2 people. They are charged with the responsibility of identifying potential breaches, investigating those identified potential breaches to determine actual breaches, interfacing with department heads, internal and regulatory reporting on actual breaches, putting together a breach reaction plan, assisting with staff education and preventing future breaches. With a typical 400 bed hospital exceeding five million EHR transactions per day, all of which need to be reviewed, any reasonable person would conclude that is a very high set of expectations for such a small staff.
Well, what about technology to assist with these efforts? The vast majority of hospitals continue to use inferior, outdated technology because of severe budget limitations that are applied to the privacy function, while tens of millions of dollars are spent on perimeter defenses. The capabilities of these systems are very limited and basically dump tens of thousands of audit logs entries into excel spreadsheets that need to be reviewed by the privacy staff. Cutting edge behaviorally based systems with advanced search engines, deep insight visualization and proactive monitoring capabilities are available, but not regularly adopted.
How does hospital top management currently view privacy/insider risk factors? Based upon many conversations, privacy/insider threat is primarily viewed as a compliance issue. Many hospital CEO's and Boards justify giving low priority and resources to this area by looking at the potential fines that OCR will levy if their hospital's PHI is breached. In fact, the fines are relatively low, breaches have to break the 500 record threshold (although OCR recently announced an effort to delve into breaches below this threshold), you have to be found guilty of not doing reasonable due diligence and you are given multiple chances at correcting bad practices prior to fines being assessed. Combine this with an overreliance on cyber risk insurance and you have a potential for disaster.
The actual risk profile should start first and foremost with loss of hospital reputation. A hospital brand takes years and millions of dollars to build. One privacy breach can leave it in ruins. The second risk is patient loss and the associated costs of replacing those patients. A recent poll by Transunion showed that nearly 7 in 10 respondents would avoid healthcare providers that had a privacy breach2. The third major risk is lawsuits, legal costs and settlements. Settlement costs are large and juries generally rule against institutions and for the damaged plaintiff. Forth would be compliance.
There also seems to be a misunderstanding of cyber risk insurance. Like other insurance, it will not reward bad practices or flawed due diligence on behalf of the policyholder. Insurers will do a pre-audit to make sure that the risk they are undertaking is understood, that proper prevention technologies are in place and that best practices are being documented and followed. Once a breach has been claimed, they will generally send out another team of investigators to determine if the items mentioned above were in place and best efforts were maintained during the breach. If they weren't, this could lead to a denial or at least a prolonged negotiating process. Premium costs will also be reflective of level of preparedness and payouts generally do not cover anywhere near the full costs of the breach.
Prior to coming back to the hospital industry, I spent six years in the disability insurance industry, where top management and Boards take both insider threat and the actual risk matrix of PHI breach very seriously. I believe the hospital industry can learn a valuable lesson from the disability industry. This lesson can be summarized as
1. Take the real risk matrix seriously
2. Put the proper amount of technological and human resources in place in alignment with the actual risk profile
3. Buy the best technology available, update it as frequently as possible and get proactive rather than reactive
4. Educate and remind your staff constantly of proper behavior and the consequences of improper behavior (up to and including being terminated)
5. Don't overly rely on cyber risk insurance
6. Review the CISO's reporting structure (avoid natural conflicts of interest with the CIO) and have them report to the Board for an independent assessment of privacy/insider threat status on a regular basis.
As difficult and expensive as hospital data security is, it is both mandatory to protect patients and part of the price of admission to the market. Although we are in a constant battle to stay one step ahead of the bad guy, we often find ourselves one step behind. That, I'm afraid, is the nature of the beast. Let's place privacy/insider threat on an equal footing with the real risks associated with it. It simply makes sense to do so, from the patients, risk, financial and fiduciary perspectives.
1. http://pages.clearswift.com/rs/591-QHZ-135/images/Clearswift_Insider_Threat_Index_2015_US.pdf
About the Author
Robert B. Kuller is currently Chief Commercial Officer for Haystack Informatics, Inc., an EHR based immersive analytics firm co-founded by The Children's Hospital of Philadelphia (CHOP) CMIO Dr. Bimal Desai and serial entrepreneur Adrian Talapan, with participation from both DreamIt Ventures and CHOP. He has a thirty year background in healthcare industry, working for firms such as Solvay, Siemens Medical Systems, T-Med Group, Liquent and FastTrack RTW Services & Solutions. He is also a faculty member at the University of Phoenix Graduate School of Business. He holds Bachelors and Masters Degrees in Microbiology from Brooklyn College and MBA's in Finance and Management from Fordham University.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.