Fighting the Good Fight
By MELANIE KILGORE-HILL
Fortified Health Security Arming Healthcare Systems in the Cybersecurity War
If the thought of a cybersecurity breach to your bank is terrifying, imagine the fallout for a healthcare organization tasked with protecting the financial, personal and medical information of millions of patients.
Cyber attacks can make or break a health system, shaking the confidence of patients and providers. That's where Fortified Health Security comes in. Founded in 2009, the Franklin-based company is quickly becoming an industry leader, partnering with more than 100 health systems and hundreds of hospitals in 35 states.
"Cybersecurity is a battle, and it's one that requires continuous engagement," said Dan Dodson, president of Fortified Health Security. "Our healthcare clients need a partner that understands healthcare and cybersecurity, because there's a uniqueness in healthcare that other industries don't face."
Dodson said a common misconception among healthcare executives is the perceived and actual value of their security program. Every day, a healthcare system gets hacked. Once detected, administrators typically drop big money on exceptionally pricey technology aimed at preventing future attacks. Problem is, it's rarely used to its full potential.
"Oftentimes, the technology is so advanced that no one really knows how to run it," Dodson explained. "The perceived value of that investment and actual value is astronomically different, and that's a gap we have to bridge."
He encourages executives to stop thinking about the next shiny box and instead make sure their investment in security technology is being maximized. Fortified staff members work with an organization's existing technology to maximize results and walk alongside IT staff to provide training and ongoing support. "We're an extension of the security team, as our role is to make sure people are leveraging expertise and best practices, and making sure the person on the ground is informed and making the best decisions for the healthcare organization," he said.
When it comes to securing healthcare systems, complications can arise from a number of natural restraints. In any other industry, systems might be shut down briefly for updates. In a 24/7 hospital, temporary shutdowns can impact patient care and disrupt operations. Dodson said that not understanding how to manage temporary halts to clinical workflow creates a serious challenge for many big box security companies.
Staffing poses an additional challenge, as healthcare companies compete to attract, train and retain IT talent. Dodson estimated 20 to 50 percent of a hospital's IT staff are using the position as a career stepping stone, while the rest are in it for the long haul. Fortified works with IT leaders to train and increase retention rates among IT personnel.
Another obstacle is the evolving dynamic among the physician, healthcare organization and patient. That's because today's patient-as-a-consumer model demands complete access to online health information. Likewise, physicians now access patient data on all their own devices - a tremendous cybersecurity concern that Fortified has worked to successfully tackle. The company recently won awards for addressing the unique technical challenges associated with securing medical devices, which requires technology, people and processes unique to healthcare. Outsourced billing - not often found under the same security umbrella - creates yet another threat.
"As an administrator, you don't want to restrict your physicians and mess with their workflow because they can go somewhere else, as can your fee-for-service patients," said Dodson. "You have to understand how to make changes technically but also transform the organization's culture through new processes."
For many companies, that lesson is learned too late. Data shows hospitals that go public after compromising patient information in a data breach can lose up to 40 percent of their patients - a trickle-down effect impacting physicians, as well. That's because today's patient has a choice in where he or she receives surgery, radiology and imaging services - the moneymakers for most health systems.
"Executives have to ask, can I afford a 40 percent drop in patient choice for high revenue and profitability areas?" Dodson asked. "Most can't even afford a three percent drop."
For hospitals, it's not about if a breach will occur, but when. Fortified Health Security recently released their Mid-Year Horizon Report, which examines the state of cybersecurity in healthcare. According to their findings, "2018 has seen attack momentum increase and new hacking groups formalize with greater sophistication and focus than ever before."
A key finding was that provider organizations have been compromised more in 2018 than health plans. It also found that most healthcare organizations aren't allocating enough capital to keep up with the attackers, given tight budgets, competing internal priorities and overall financial pressures. The report states that, "According to the U.S. Department of Health and Human Services Office for Civil Rights (OCR), this has been the case since 2009.
The OCR Wall of Shame highlighted that in the first week of 2018, there were four major breaches containing more than 500 patient records. This is the same number of breaches reported in the first week of 2017, but the momentum has increased from there. Through the first five months of 2018, there have been 149 breaches reported with over 2.8 million patients impacted, as compared to 134 breaches impacting 2.0 million patients during the same period in 2017. This represents an 11 percent increase in the number of entities impacted by a breach and a 35 percent increase in the number of individuals affected.
While provider organizations appear to have been more heavily targeted so far in 2018, that doesn't' mean health plans have been left alone. Through May of 2018, health plans reported 24 breaches versus 15 in the same time period last year. Similarly, business associates reported 12 breaches in the first five months compared to seven breaches during the same time period in 2017.
The report also addresses benefits and critiques of the FDA's Medical Device Safety Plan, as well as the National Institute of Standards and Technology's Version 1.1 of its Cybersecurity Framework. Both plans were released in April. (A link to the downloadable Fortified Health Security mid-yeaer report is available online at NashvilleMedicalNews.com.)
Dodson co-authored the mid-year report and noted email continues to be a key launching point for attacks. "The sophistication of attackers is unbelievable, because they can outsmart technology and rules to make themselves look like the organization," he said. "For health systems, it's a difficult challenge to keep up with it all, as you're always working to educate employees as well as patients."
Dodson regularly hears from frustrated chief information officers that administrators simply don't understand cybersecurity risks ... or why throwing high-dollar technology at the problem won't solve it. He challenges administrators to consider how management of cybersecurity risks is interwoven into every hospital initiative. "They need to start managing cybersecurity risks no different than they would clinical risks," he said. "It takes proactive measures, and administrators need to look at the issue holistically."