Q&A ‘Health­care is steadily be­com­ing one of the high­est-risk ar­eas’

Modern Healthcare - - NEWS -

In late 2015, after a rash of

health­care cy­ber­at­tacks, Pres­i­dent Barack Obama or­dered HHS to es­tab­lish a task force to de­ter­mine the state of cy­ber­se­cu­rity in the in­dus­try and make rec­om­men­da­tions to im­prove it. A re­port is due this March from the task force, which in­cludes rep­re­sen­ta­tives from across the in­dus­try. Mod­ern Health­care re­porter Adam Ruben­fire re­cently spoke with a co-chair of the task force, Theresa Meadows, se­nior VP and chief in­for­ma­tion of­fi­cer of Cook Chil­dren’s Health Care Sys­tem in Fort Worth, Texas. The fol­low­ing is an edited tran­script.

Mod­ern Health­care: Your task force re­port is not fin­ished yet, but what can you tell me about the state of health­care cy­ber­se­cu­rity?

Theresa Meadows: There’s still a lot of op­por­tu­nity in health­care for us to be more pre­pared, and much of this has to do with the di­verse na­ture of health­care, where you have providers that range from sin­gle-physi­cian prac­tice to big phar­ma­ceu­ti­cal com­pa­nies like Merck. And we all have equal risk. Health­care is steadily be­com­ing one of the high­est-risk ar­eas.

Health­care in­for­ma­tion on the black mar­ket gets a fairly hefty price, so we have be­come a tar­get for a lot of hack­ers. The di­verse na­ture and the re­quire­ment for us to be able to share in­for­ma­tion freely make it very dif­fi­cult to fig­ure out the best mit­i­gat­ing strate­gies.

MH: The Health­care In­for­ma­tion Man­age­ment and Sys­tems So­ci­ety has called on HHS to ap­point a chief in­for­ma­tion se­cu­rity of­fi­cer to es­tab­lish na­tional pri­or­i­ties for health­care cy­ber­se­cu­rity and re­spond to the large num­ber of threats. What does the task force think?

Meadows: We tend to agree there needs to be some­one, whether it’s at HHS or in some other gov­ern­men­tal agency, that helps over­see health­care cy­ber­se­cu­rity. As we look across some of the other in­dus­tries, there are peo­ple that do re­view and keep an eye on se­cu­rity. So that’s one of the things we are con­sid­er­ing sug­gest­ing in our rec­om­men­da­tions.

MH: Do you be­lieve the health­care in­dus­try has ad­e­quate stan­dards to­day?

Meadows: From a HIPAA per­spec­tive, I think we’re quite se­cure. Cy­ber­se­cu­rity is much more than what we do to pro­tect the pri­vacy of our pa­tient’s in­for­ma­tion. So when we start talk­ing about ran­somware at­tacks, or mal­ware or even some­one who has the abil­ity to con­nect to our med­i­cal de­vices and shut all of our med­i­cal de­vices down via our wire­less net­work, that’s much dif­fer­ent.

I think we’re far away from hav­ing a sin­gle in­dus­try stan­dard that would reg­u­late or give peo­ple a roadmap of what they need to do as far as cy­ber­se­cu­rity is con­cerned.

MH: Health­care cy­ber­se­cu­rity pro­fes­sion­als are usu­ally paid less than their peers in other in­dus­tries. As a CIO, do you find it hard to at­tract high-qual­ity tal­ent, and how do we fix this prob­lem?

Meadows: I think that is changing be­cause health­care has rec­og­nized that cy­ber­se­cu­rity is a very im­por­tant risk. As far as re­cruit­ing, I think it’s not just health­care: Find­ing se­cu­rity pro­fes­sion­als in gen­eral is very dif­fi­cult.

We have to find some cre­ative ways to ei­ther en­cour­age peo­ple that are cur­rently not in se­cu­rity to move into se­cu­rity roles in health­care, or we need to find some pro­grams that specif­i­cally focus on get­ting pro­fes­sion­als ready in a shorter pe­riod of time. Our chal­lenge to­day is that to get a re­ally skilled se­cu­rity pro­fes­sional, you need five, 10, 15 years of ex­pe­ri­ence.

We have to look at other mech­a­nisms such as shared re­sources that we can pur­chase ver­sus each or­ga­ni­za­tion hav­ing their own pro­fes­sion­als.

MH: Do you be­lieve ru­ral and safety net hos­pi­tals have the bud­get and staff to man­age cy­ber­se­cu­rity ap­pro­pri­ately?

Meadows: In gen­eral, I would say no. That’s one of the ar­eas of focus that we’ve had on the task force: How do we pro­vide high-qual­ity so­lu­tions for th­ese ru­ral ar­eas or safety net hos­pi­tals that can­not af­ford a se­cu­rity of­fi­cer or can­not af­ford all of the soft­ware that you need to pro­tect an or­ga­ni­za­tion? That’s where some of th­ese shared­ser­vices or­ga­ni­za­tions will prob­a­bly come in handy.

Theresa Meadows, se­nior vice pres­i­dent and chief in­for­ma­tion of­fi­cer of Cook Chil­dren’s Health Care Sys­tem

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.