Reflections on HIMSS Discussions

Meeting HCO security needs on a budget

In the month since this year’s HIMSS conference no less than three data breaches involving the exposure of patient information have made the news. Though the methods by which the hackers gained access to this critical data varied – in one instance a malware attack, while data storage error and employee email were allegedly implicated in the others – the fact remains that healthcare organizations (HCO) are facing an increasingly uphill battle in securing the right technology and talent to avoid becoming tomorrow’s next headline.

While each HCO has a unique set of considerations and priorities, when it comes to data security nearly all are facing some version of the same challenge: finding the talent and technologies to meet both needs and budgets. Smaller organizations whose resources are often more limited seem to be struggling in particular. At HIMSS, a security analyst from a more modestly sized hospital shared with me that though he would like help there wasn’t the money to make hires, and even if the budget did exist he’d face the further difficulty of finding the right talent to fill positions.

The biggest challenge: staffing

In multiple conversations with HIMSS attendees, insufficient staffing was consistently noted as the biggest challenge to improving cybersecurity posture. This mirrors results detailed in our study ‘The State of Cybersecurity in Healthcare Organizations in 2018’, conducted in partnership with the Ponemon Institute and released immediately following the conference. According to 74 percent of respondents, the lack of in-house expertise and security leadership makes it more difficult to reduce risks, vulnerabilities and attacks. As a result, organizations are looking to help augment the staff they do have with technological solutions. 

Among solutions gaining prominence with HCOs looking to improve security without breaking the bank are identity and access management tools. Affordable and unobtrusive, multi-factor authentication is proving popular for preventing password fraud, specifically among remote and privileged access users. Organizations have also seen luck implementing security information and event management (SIEM) solutions that aggregate data produced across networks, servers, databases, applications and devices.  But monitoring and managing SIEM data can be complex and time consuming, often requiring one or more dedicated staff depending on an HCO’s size. And finding the necessary expertise to quickly identify weakness and threats to IT infrastructure could prove problematic, with nearly 80 percent of Merlin study participants finding it difficult to recruit IT security personnel.

The affordable technological solution

According to the HIMSS participants with whom I spoke, the perfect technological solution would provide a 360-degree view of their cybersecurity with analytics and AI layered on top,  something we at Merlin are working to deliver.  In the meantime, our research shows there are plenty of lessons to be learned from high-performing healthcare organizations in significantly reducing cyber attacks. High performing organizations are more likely to have an incident response plan and a strategy for the security of medical devices (a looming and largely unaddressed threat, according to HIMSS presenters).  These organizations are also proactively investing in employee awareness about cybersecurity risks – conducting audits and assessments, providing regular training and incentives, and conducting phishing tests, for example –   and ensuring third-parties safeguard patient information.  Implementing any one of these practices would improve cybersecurity posture critical to patient safety.

You don’t need to be a healthcare information and technology professional to recognize that HCOs are facing constant, increasingly destructive and costly cyber attacks.  Doctors will tell you that even small changes can deliver positive results to overall health. That advice could just as easily apply to cybersecurity. Only through the incremental implementation of both new technology and best practices can we protect patient data and access to essential care, and improve our overall IT health.