With stricter HIPAA audits on the horizon, the threat of the Federal Trade Commission also cracking down on breaches and the notorious Heartbleed bug looming, you would think the healthcare industry--and provider organizations, in particular--would take any measures necessary to ensure, or at least improve, privacy and security.
That, however, does not appear to be the case, if news reported within the past few months is any indication.
Let's start with the results of the planned cyber attack simulation, CyberRX, conducted by the Health Information Trust Alliance and the U.S. Department of Health & Human Services on April 1. That exercise revealed, among other things, that healthcare organizations don't engage their stakeholders enough in security preparedness plans, and aren't as open as they should be to adopting industry-wide best practices.
The simulation also revealed that a generic national cybersecurity framework for critical infrastructure is insufficient for supporting healthcare.
Next, let's look at warnings issued to the healthcare industry by, of all entities, the Federal Bureau of Investigation. On April 8, the FBI, in a private industry notice, said that the industry is "not as resilient to cyber intrusions" as its financial and retail brethren. In the notice, the FBI brought attention to several reports on the industry's vulnerability, including one published in February by The SANS Institute that called the status of healthcare security "alarming." That report pointed out that cybersecurity strategies have fallen behind.
Finally, let's look at the results of the most recent data breach investigations report published by Verizon this month. Report co-author Suzanne Widup, speaking with MedCity News, said that as the report relates to the healthcare industry, she has not "seen much in the way of leadership … for advocacy in this area."
"We have been trying to work with professional associations, but we have not had much success there," Widup told MedCity News.
That last bit of information, especially when placed in the context of the other two pieces of news, is particularly troubling. Despite constant warnings that security efforts by healthcare organizations need improving, what it indicates is that the industry continues to turn a blind eye to a very real threat.
Despite the fact that, according to the Ponemon Institute, criminal attacks on healthcare systems have risen 100 percent since 2010, the industry seems to be almost indifferent.
While plenty of organizations, no doubt, take privacy and security seriously, apparently more consider such efforts to be worthy of back-burner status.
But in an age where cyber attacks--such as those waged against Boston Children's Hospital earlier this month--are ever increasing and hold the potential to directly alter patient care, that simply should not be the case. - Dan (@Dan_Bowman and @FierceHealthIT)