As cyberthreats rapidly evolve and security issues continue to plague the healthcare industry, provider organizations are struggling to keep pace.
“In the provider space, we are protecting ourselves with fly swatters,” said Jigar Kadakia, Partners HealthCare Chief Information Security and Privacy Officer, during the preconference HIMSS/CHIME Cybersecurity Forum in Las Vegas on Monday. “Some folks are probably using their hand because they can’t afford a fly swatter. Others have big fly swatters and are able to handle more. But what we really need are a lot of reinforcements.”
Kadakia discussed the economic aspects of cybersecurity, saying that when he joined Partners four years ago, one of his main goals was to show a return on investment for cybersecurity.
“The financial people — the CFO and other folks — understand ROI and return of value,” Kadakia said.
Know Your Cyberthreat Landscape
Organizations must know exactly what is at risk in a breach before they can determine the ROI of security investments, Kadakia said. Part of healthcare's appeal to attackers is the industry's large attack surface compared with other sectors. Another draw is that healthcare organizations run a great deal of older technology.
“The hackers have figured out, ‘Hey, they’re ripe for getting hit,’” Kadakia said.
Jigar Kadakia, Partners HealthCare Chief Information Security and Privacy Officer. Photo by Dan Bowman
But a primary hurdle for provider organizations is finding and keeping cybersecurity talent, he added.
“People leave because they can go make two, three, four times their salary, and they get the cool Google environment, or Apple or those types of companies, and you just can’t compete with that,” he said. “So, we have to groom talent, we have to manage talent … and that takes time, which impacts the overall security of the program.”
But, Kadakia added, bringing in cybersecurity employees with minimal experience creates its own set of risks.
Another challenge, he said, is the perception versus reality with modernization efforts such as moving to the cloud.
“There’s this perception that when you move to the cloud, everything is A-OK,” Kadakia said. “But if you don’t have a good business continuity plan on-premises and your cloud goes away, what are you going to do?”
Understand Healthcare’s Complex Financial Concerns
Findings published in Symantec’s third annual Healthcare IT Security & Risk Management Study support many of Kadakia’s points. The survey, published last week, found that despite an increase in cyberthreat activity and sophistication, 74 percent of healthcare providers dedicate only 6 percent or less of their budget to security. That compares with other industries, such as finance, that devote between 10 and 12 percent of their overall budget to security.
Axel Wirth, a healthcare solutions architect with Symantec, said in an interview with HealthTech that because hospitals typically run on fairly slim budgets, competing with other industries for security talent is difficult.
Another point that’s often overlooked is the complexity of healthcare compared with other industries, Wirth said. “There are many more specialized pieces of equipment and programs that fulfill a very specific purpose, which results in many more suppliers and vendors,” he said. “You’re dealing with more difficult platforms, making it harder to spend wisely in healthcare than in other industries. It’s much more difficult to manage and protect that complex infrastructure.”
Examine Indirect and Direct Data Breach Costs
Kadakia added that while some estimates have pegged healthcare data breach costs at roughly $380 per record, the total costs involved with such incidents are actually much harder to assess.
While there are direct costs — what companies spend to minimize the consequences of a data breach and assist victims — there also are indirect costs, such as the time spent investigating incidents and making data breach notifications. These add to the true total cost of a breach.
“This is the cost piece that the surveys can never figure out,” Kadakia said of indirect costs.