Security threats on the healthcare industry will never fully go away, but the risks can be managed, especially though threat detection, according to panelists at the eHealth Initiative's annual conference in the District of Columbia on Thursday.
At some point, cybersecurity controls will fail--employees will get phished and malware is going to find its way in, Andy Neller, chief information security officer of Wellmark Blue Cross Blue Shield, said at the event.
But what prevents an event from becoming a breach, he said, is how an organization responds and reacts to it.
"You can curtail and minimize that damage before it gets to the level where you have a bad threat actor in your environment for 205 days," he said. "As an industry as a whole, we need to get better at this … and leveraging the tools and expertise to start raising the tide of all ships in the healthcare industry."
Terry Rice, assistant vice president of risk management and chief security officer at pharma company Merck, echoed that point.
"No one is going to be perfect in prevention … having [detection] mechanisms in place for when preventive controls fail" will be key moving forward, Rice said.
In fact, 81 percent of executives at providers and payers saw a cyberattack in the past two years, according to a KPMH Healthcare survey released in August. The rise in attacks on health insurers is clear, with Anthem, Premera Blue Cross and CareFirst all seeing security events in the past year.
There also is no silver bullet to prevention and protection of data, Neller said. Encryption especially is a point of focus on security that is not a be-all, end-all, he said.
"I'm not saying you shouldn't encrypt bits of information; however people need to focus on what type of threat they're trying to prevent against. … As you start integrating data in pharma and medical devices, you really need to focus in on how you implement security controls," he said.
There's fundamental ways the industry can improve security that aren't costly, but it comes down to operational expertise and having the discipline to communicate it up to the organization's board, he added.