After years of budgetary indifference to health information security, and fresh off the worst year in history for healthcare data breaches, many healthcare organizations will be putting more resources into protecting their data, according to Modern Healthcare’s 26th annual Survey of Executive Opinions on Key Information Technology Issues.
An overwhelming majority of respondents indicated that the threat of cybersecurity breaches will have some (51%) or considerable (42%) impact on their organization’s IT security spending this year.
And 3 out of 4 provider leaders surveyed indicated their IT security spending will increase in 2016, with only 25% indicating there would be no spending changes. No one indicated they would be making cuts in IT security spending.
The median spending range for security as a percentage of their organizations’ overall IT budget was 2.1% to 3% in 2015, according to the survey. The median spending range will rise to 3.1% to 4% this year, provider leaders reported.
More than half (53%) of all providers this year say their organizations are encrypting personally identifiable data in storage, so-called “data at rest.” Encrypting data in transit, as it moves over a network, has been standard practice for years.
Cyber and data security ranked No. 3 when providers were asked to name their top three hot-button health IT priorities. A number of respondents made it their top priority.
Looking out a bit into the future, provider leaders still foresee the need to address security risks, the survey shows. Security also ranked No. 3 among executives asked to pick their top health IT priorities over the next 24 months.
What’s finally driving all this heightened interest and increased spending on health IT security?
A sizable majority of respondents—81%—indicated they expect the number of cybersecurity attacks this year will exceed those in 2015, a record year for healthcare data insecurity.
Several IT leaders who took the survey this year were reluctant to talk publicly about their security issues, preferring the safety of the herd with so many cyber predators on the prowl.
One survey respondent, a chief information officer for three decades, agreed to speak only if granted anonymity. His midsize Midwestern community hospital will be spending a bit more on security in 2016, but “we’re still not spending the level of budget we’re going to need,” he said.
“Up to 20% of my time is now spent in this (security) area, where three or four years ago, it was 2%,” he said. His hospital is creating an IT security department, has added security monitoring to the duties of a compliance committee that reports directly to the hospital board, and “there’s talk about having a separate cybersecurity committee at board level,” he said.
“We’re getting constant attacks from the outside,” the CIO said. “Although we’ve not had a breach or something that’s taken hold, the time and training (for security) has taken a significant amount of our focus. The folks trying to break in are getting very sophisticated. We’re doing everything that we can at this point” to stop them.
The current IT cybersecurity threat level will have a “considerable” impact on IT security spending this year at 189-bed Lawrence (Mass.) General Hospital, said Michael LeBlond, its senior director of information systems and technology.
It’s a disproportionate-share hospital that operates a busy emergency room and trauma center and multiple outpatient services in the community, LeBlond said.
On the survey, LeBlond listed security and compliance as his No. 1 hot button IT priority.
His hospital’s spending, already at an above-average level in 2015—3.1% to 4% of IT’s budget—will rise to the 4.1% to 5% range in 2016.
LeBlond said his IT department has 29 full-time staff members. There’s only one security officer, added a couple of years ago, but a second is on the way, he said. “I’ve always been fortunate security has always had the attention at the board level here,” he said. “We’ve been a little ahead of the curve knowing this stuff is out there going on.”
LeBlond said the hospital relies on in-house staff and outsourced security technology and services, particularly for monitoring “that I can’t afford people to have staffing 24/7.”
“We’re a small community hospital and have to balance what we can put toward security and keeping all the other IT things running,” he said.
Of the 1,470 major breaches on the “wall of shame” website kept since 2009 by HHS’ Office for Civil Rights, only 11% are attributed to hacking incidents.
But those relatively few hacks led to the exposure of 115.6 million individuals’ medical records. And nearly 97% of those exposures were from hacking incidents reported in 2015. Four of the five largest healthcare data breaches in the history of the list were Anthem, 78.8 million individuals; Premera Blue Cross, 11 million; Excellus Health Plan, 10 million; and the University of California at Los Angeles, 4.5 million, all in 2015.
This year, healthcare officials have seen the re-emergence of the ransomware threat. Hollywood (Calif.) Presbyterian Medical Center had its electronic health-record system locked by ransomware for about a week until it paid a $17,000 ransom in bitcoin, a pseudonymous cryptocurrency that is difficult to trace to its holder.
CIO Richard Mohnk of two-hospital, 326-bed Bayhealth, based in Dover, Del., has a full IT agenda, overseeing the IT needs of a replacement hospital under construction in Milford, Del. But a security update ranked No. 3 on Mohnk’s hot button IT punch list.
Consultants have reviewed all of the health system’s security policies and practices as well as all monitors and other clinical electronic equipment. “We wanted to identify our risks,” said Mohnk, a health IT veteran who has just six months on the job at Bayhealth. Security was moved into the IT department, and a security training program is underway across the hospital.
Mohnk plans to augment a five-person security department. “We’re building from within just because there are only enough security professionals to cover about 60% of the available spots.”
A couple of years ago, Bayhealth sent out a test batch of phishing e-mails to employees to see whether people would open them. Hospital officials wanted to know, had the e-mails actually come from a hacker, how many employees would have put the hospital in jeopardy. “Unfortunately, it was way more successful than we wanted it to be,” Mohnk said, since a number of workers opened the e-mail.
“We’ll probably do another one of those in the next two to three months and really focus on it as an educational opportunity,” he said. Like most survey respondents, Mohnk indicated 2016 would be worse for cyberattacks than 2015.
“I came from the University of Massachusetts Health System in July,” he said. “We’ve already had three cyberattacks” since then. “I hadn’t had one in the previous 14 years at UMass. Everywhere you look, they’re up. I think we’d all be foolish if we didn’t think it’d be on the rise.”