Healthcare information is harder to protect than financial information, according to Mayo Clinic Chief Information Security Officer Jim Nelms, who previously spent 14 securing financial information years at The World Bank.
Nelms, in an interview with the Wall Street Journal, says healthcare is 10 to 15 years behind other industries in its IT practices. He attributes much of the difficulty to the plethora of medical devices being used in hospital--they make up 40 percent of the technology there--and to doctors sharing information. There's less data-sharing in financial services, he adds.
Mayo Clinic has created a "threat intelligence group" to bolster its security capabilities, and Nelms says each quarter he produces a report for the hospital's board of directors on the risks and exposures Mayo faces. However, he adds that the ever-changing nature of threats means the facility could be in the 90th percentile of thwarting threats one day and in the 40th percentile the next day.
At the same time, he doesn't see new technologies being ready to substantially improve security.
"For the next period of time--I don't know how long--we are going to have to craft and use things that are going to be marginally successful. Information security in the last few years has changed from stopping things from happening to creating regular, positive change in the reduction of risk," he says.
The cost of a data breach to a company is $3.8 million, up 23 percent from 2013, the Ponemon Institute recently reported. And criminal attacks on healthcare organizations have increased 125 percent in the past five years and now are the leading cause of data breaches, it reported previously.
Veterans Affairs CIO Stephen Warren recently talked about the agency's approach to securing medical devices, describing a two-pronged "defense in depth" strategy that involves being clear about responsibility in security devices and addressing human factors that can create vulnerability.
To learn more:
- read the article (subscription required)