Given the sensitive nature of healthcare information, and the fact that we have an overarching regulation, HIPAA, that dictates how that data is handled, it would seem safe to assume that cyber security has been established as an ongoing top priority.
Yeah, well, about that…it seems that healthcare continues to lag behind most other industries in securing its data, hampered by non-action that belies a landscape littered with established and potential threats.
For instance, despite being one of the industries hardest hit by last year's WannaCry ransomware attack, which targeted machines running Windows 7, healthcare is the slowest industry when it comes to upgrading to Windows 10. That means many organizations are running aging and vulnerable operating systems, which are inherently more attractive to attackers.
Consider that some healthcare providers are still running unsupported operating systems such as Windows Vista or XP, and many others are still on Windows 7, for which Microsoft is ending support in 2020, and you start to get an idea of just how much risk the sector is assuming.
But it's not just inaction that's leading to such lapses; a lack of funding plays a large role, too. A recent survey from Black Book Market Research found that cyber security spending by hospitals has dropped to just three percent of overall IT spending. The study found that cyber attackers are targeting healthcare organizations more frequently, with more than 90 percent of survey respondents having experienced a breach in the last two years, and more than 180 million records having been stolen since 2015. What's more, 96 percent of the nearly 2,500 IT pros surveyed agreed that attackers are outpacing medical enterprises, putting the industry at a significant ongoing disadvantage.
Much of the attention in healthcare security has focused on patient data, as the alarming number of stolen records cited in the Black Book Market survey indicates it should. But there's another serious business cost to the industry's cyber security woes: lax security is staining a scorching hot merger and acquisition landscape.
M&A activity is particularly hot in healthcare, where providers are looking to consolidate, lower their tax burdens, and bring together key innovations that can improve care, thereby increasing business value. But many of these deals are being soiled by security issues, typically in the acquired company.
In fact, a recent report from M&A consultancy West Monroe Partners found that 58 percent of survey respondents said they'd discovered a cyber security issue at an acquired company after the deal was completed. Nearly half (49 percent) of surveyed health care pros said they were dissatisfied with the level of cyber security due diligence their companies had performed during M&A deals, up from just 16 percent who felt that way a year earlier.
The implications of finding out about a major security issue after acquiring a company are not unlike those of a homebuyer discovering that a purchased home has been ravaged by dry rot, and that inspectors missed it. Suddenly the asset isn't as valuable and the new owner has little choice but to bite the bullet.
With security issues affecting so many areas of healthcare, it's no wonder that Washington is starting to take a serious interest in the topic. Earlier this month, the House Energy and Commerce Committee's Subcommittee on Health held a hearing to consider the Pandemic and All-Hazards Preparedness Reauthorization Act of 2018, which essentially seeks to beef up the original 2006 version of the legislation, and healthcare cyber security is a major component of that discussion.
Congress clearly wants to see the state of the sector's cyber security get a serious boost. But doing so requires it to first make sense of the status of the Healthcare Cybersecurity and Communications Integration Center. HCCIC is a year-old initiative of the Department of Health and Human Services that's intended to serve as a collaborative information analysis center for dispensing cyber security insight to the industry in real time. It was modeled after a similar national security facility operated by the Department of Homeland Security and in recent months, it's been shrouded in controversies ranging from a revolving door of leaders to whether it has engaged in contractual irregularities.
A bipartisan group of U.S. Senators and Representatives wrote a joint letter earlier this month to HHS Secretary Alex Azar to voice concerns and seek clarification.
It's easy to see from all of this what a multi-layered mess the current state of healthcare cyber security is. From a fledgling national cyber watchdog down to the individual bytes of patient data, cyber security is a giant question mark for the industry from top to bottom.
The bitter truth is that there's no easy fix. It's going to take a concerted, ongoing effort by hospitals, healthcare practitioners, contractors, legislators and even patients themselves, to ensure that the future of healthcare data is a secure one. It sure seems like it's worth the effort.