MH: A lot of people want to steal medical records. What are you doing to protect them? How much are you investing? How serious a problem is this?
I wish I could tell you any of the details, but my chief information security officer told me not to.
It’s fair to say that over the past three years we’ve doubled security budgets, because the nature of the threats is far different than ever before. It used to be MIT freshmen. Now, it’s cyberterrorists, organized crime and hacktivism. Why? I have 2 million Social Security numbers.
I spend about 2% to 2.2% of the operating budget of the organization on IT. Fidelity spends 35% of their operating budget on IT. So, if you’re Willie Sutton and you want to steal Social Security data, are you going to go after Fort Knox or papier-mâché? The answer is, you’re going to go where no one spends money on security.
Of course we’re doing our very best. It’s a huge focus. But the threats are real and increasing. The one message I’d give you is that your people are your worst enemy, because you’re as vulnerable as your most gullible employee.
True story: I sent the following email to the Harvard faculty, “You now password change,” and gave them the URL, “Change my password dot Nigeria.” (Laughter) You know what percentage of the Harvard faculty clicked? Thirty-one percent.
We spend about 7% of our IT budget on IT security. That’s up from zero six years ago when it was password management, identity management. That’s all we did for security. Six years ago we had two people involved in IT security. Today we have 50.
We take it seriously. We’re a soft target compared to financial services or some of these other organizations. But we’re trying to stay on top of it. As an industry, I love the awareness that’s come up over the past three years. Boards are talking about it. Management teams aren’t arguing about it. They understand that we need to make the expense. But we’ve got a long way to go to catch up.
Our experiences are quite similar. It’s a board-level discussion and we’ve had similar growth and similar additional investment. I get the unique pleasure of sitting with our chief security officer and talking about our cybersecurity with the audit and compliance subcommittee of our board.
They see the Yahoo breaches. They hear about the Target and the Home Depot breaches. Their question is, “Are we safe?” Well, no. We’re never safe. I mean, getting out of bed is a gamble, right? But, we do have a certain amount of investment and we treat our patients’ records with an abundance of caution. But I agree that the weakest link is people.