Mac McMillan: Health IT security compliance does not equal safety

It seems every day there's news about another lost or stolen laptop, a contractor who exposed patient health information or, increasingly, hospital IT systems that get attacked by hackers, infected by malicious code or left exposed by a software vulnerability like the Heartbleed bug in OpenSSL.

Case in point: Earlier this week, news broke that Franklin, Tennessee-based Community Health Systems, which operates 206 hospitals in 29 states, had been attacked by hackers based out of China who gained access to the provider's computer network. The personal information for roughly 4.5 million patients was compromised.

FierceHealthIT recently spoke with Mac McMillan, chair of the HIMSS Privacy & Security Policy Task Force and CEO of IT security consulting firm CynergisTek, about the current state of healthcare security. In part 1 of this exclusive two-part interview, McMillan discusses what he thinks hospital CIOs need to focus on.

FierceHealthIT: We've heard warnings from the FBI and other organizations about the security vulnerabilities in healthcare, yet many hospital CIOs will tell you they think they're doing a pretty good job. Is there a disconnect there?

McMillan: Yes. I think there's a difference in how they interpret the question. When healthcare organizations say, "Yes, I'm doing what I need to be doing," they're referring to the HIPAA requirements rather than what they need to be doing to secure the environment properly. A lot of folks in healthcare are way too focused on compliance and not focused enough on security.

Compliance and security are two different animals. You can have a totally compliant program and still have vulnerabilities.

A lot of folks say, "I did my risk assessment, so I'm doing what I need to be doing." Yet the breaches keep coming. We've seen a higher incidence of breaches in the first six months of this year than in the past. They don't always lead to a reportable situation, but we've had hospitals suffer outages, get hacked and fall victim to social engineering attacks. And that's how the FBI and the Department of Homeland Security see the threats. It's a difference in conversation--are we talking about compliance, or are we talking about being really secure?

FHIT: What should healthcare organizations do differently to focus on security rather than just compliance?

McMillan: Let's just take auditing and monitoring what goes on in the environment. If I'm auditing just for compliance, there really is no definition of what's necessary, how much auditing is enough. If I'm auditing for security or integrity purposes, I need to be a lot more proactive than most healthcare organizations are today.

Those processes should be automated. We need more automation in auditing and monitoring both the network as well as what users are doing in the environment.

Some hospitals have implemented a monitoring tool, but they're not really using it because they don't have anybody dedicated to managing that system or reviewing what that system tells them. We see that over and over again in our risk assessments. If you are actively monitoring, you learn about stuff before something bad happens. But most of our healthcare organizations are extremely reactive when it comes to auditing and monitoring.

Another example is encryption. Encryption in the HIPAA rule is still addressable, so folks are making decisions that, when you look at them from a reasonableness and appropriateness perspective, make you scratch your head. When you have mobile devices or removable media with protected health information on them, you need to be encrypting it. The rule may say you can think about alternative means of addressing the matter, but the fact is we need to encrypt those devices. Why they don't make that a requirement is beyond me.

FHIT: Where else should healthcare organizations be focusing their attention?

McMillan: One area is the insecurity of medical devices. There are two issues with that. The first is the device itself and the risk to the network and to the patient from a safety perspective. When people think about that, they think about the implantable devices--the defibrillators implanted in somebody's chest, the insulin pump that somebody wears on their hip.

Probably even more important than that--more dangerous than that--are all the hundreds of medical devices in the hospital itself. We have just a boatload of devices that were built on or implemented on insecure or unsupportable platforms.

I talked to a gentleman recently who was lamenting that his hospital had just implemented hundreds of pumps in patient rooms that were running on the zero version of XP. That means those pumps are vulnerable to anything and everything that comes across the wire.

What he's concerned about--and he's absolutely correct--is a hacker who finds a weakness in the network and is able to get in, then finds one of these devices running the zero version of XP that can be used by the hacker as a platform to run other attacks against their databases, their finance system or whatever. When hackers do that, there's a high likelihood that they're going to affect the performance of that device and that can affect the safety of the patient.

I'm not exaggerating when I say there are hundreds of those devices in every hospital in America. Every single one of those devices is a platform for a disaster.

Editor's note: This interview has been edited for length and clarity.