Is Healthcare IT Security on Life Support?

Friday, January 13, 2012

Rafal Los


Healthcare is an interesting animal when it comes to IT Security

While there is a constant need to stay cutting-edge, there is a requirement for keeping costs down for reasons I really don't want to get into here... 

The need to stay cutting-edge is rather obvious; the latest advances in technology can mean the difference between life and death to a critical patient. 

In healthcare, sharing information is both a blessing and a curse, with requirements for openness balanced against requirements for confidentiality and security, pushing and pulling at IT Security professionals and creating incredible pressures.

There's a Dark Reading article that caught my attention because it has the subtitle:

"New study shows data breaches up and costing healthcare industry billions of dollars a year, with employees, mobile devices the weakest links"

The issue makes sense.  We can all agree that data breach costs are going up, and have been for a while at exponential rates.  The part of the headline I didn't expect to see is the B in billions.  Billions of dollars are being wasted on security.  Let me explain what I mean.

The Patient Loses, Twice

Looking strictly at all the money lost in the fines and lawsuits in healthcare the numbers are becoming staggering.  All that cash that could be spent saving lives, vanishing.  It's a shame that such waste happens in an industry which needs it so badly.  There is another appalling fact as well.

If you think about it, the way the penalty system works in most industries hurts the wrong people.  In the healthcare industry it's downright wrong.  Let's assume a hospital faces a lawsuit or fine from a violation or data breach which is never less than several hundred thousand dollars. 

Who do you suppose pays that fine?  The easy answer is the hospital... except you have to ask yourself where that money really comes from. If you dig deep, you realize it's not the administrators of the hospital that skirt good risk management or security advice that are penalized, but rather the hospital system in general. 

Ultimately, this cost gets passed down to either you, or our government... which then passes it back down to you.  How do you feel about that?  Personally, if I'm a victim of a privacy breach at a hospital where my personal information was lost, and then the hospital has to pay a fine to some organization (and I see none of that money), I feel violated twice.

The first painful part is that feeling that someone out there now has more information about my health and the very, very personal details I often don't discuss with even my closest friends... that's as personal as it gets. 

Now when the hospital network has to pay a million dollar settlement to some regulatory agency (and of course I see none of that money) the hospital network has to pay for it somehow... so they raise rates and I pay for it. 

I know it's not quite that simple because there are many indirect costs, and trickle-down issues, but in the end this is how it goes.  If you know for a fact that I'm wrong, please let me know; I'd love to tell everyone how wrong this is - sadly I think it's not.

And Now the Ugly Part

As costs pile up from data breaches, innovation suffers.  Ask someone who runs a hospital network - the true cost of an innovation slow-down can almost certainly be counted in lives.  Maybe I'm being a little dramatic... but I suspect this is closer to reality than we'd like to admit to ourselves.

First there is the problem of being reactionary and overly cautious.  After a serious breach an organization tends to go into what I refer to as turtle mode... that is, it retracts back into its shell. Technology adoption stagnates, and the appetite to take on new, maybe not completely proven tech is minimized. 

That new heart monitor may have been a good idea a few months ago, but now that hackers have ravaged your network - your administrators will think twice because that heart monitor uses WiFi, and we're wary of anything new now.  It's natural, but no less unfortunate.

In addition to the stagnation of technology adoption, security tends to overstep its boundaries.  My peers may hate me for writing this, but when things go south the security folks tend to get carte blanche ability to make changes and impact decisions. 

This isn't necessarily a good thing if they're not well versed in business, and don't understand what the organization is trying to do in healthcare. 

There are few things worse than trying to do your job in a police state (which is what IT turns into) where doctors, administrators, and nurses are constantly locked out of necessary functions, technology is limited, and security runs the show.  The best and brightest tend to get frustrated and leave quickly... this doesn't bode well for patients either.

Finding a Healthy Balance

There is a healthy balance that must be struck.  If I may be so bold as to offer some advice here -

  • Find a way to demonstrate the value of technology to healthcare, before the breach ... I know this sounds rudimentary and silly... but it's more important than you realize
  • Work towards accountability, so that the poor decision makers are held accountable for their trespasses and lapses in judgment, not the entire healthcare entity - this way patients suffer only once
  • Don't overdo the security police state post-incident - take a deep breath, have a bit of sanity and make intelligent decisions, not reactionary ones

Good luck. As a user of the US healthcare network, I look forward to intelligent reform, accountability, and better risk management.

Cross-posted from Following the White Rabbit
