Hacking's next frontier
The U.S. healthcare industry is under cyberattack — and fighting back with security projects
It's a stat sure to make hearts skip a beat: The number of people affected by medical records hacked in the U.S. rose more than 6,000 percent from 2014 to 2015. These aren't small data breaches, either: Each hack costs a hospital an average of US$2.1 million.
“Cyberattacks in the healthcare industry will only get more diabolic and creative as time goes on,” says Barry Runyon, research vice president—healthcare providers, Gartner, Little Canada, Minnesota, USA. Hollywood Presbyterian Medical Center in Los Angeles, California, lost use of its own computer systems earlier this year after a hacker seized control of them. The hospital ended up paying the hacker about US$17,000 in ransom to get access back.
In response to such cyberattacks, there's been a significant increase in privacy and security spending among healthcare providers, Mr. Runyon says.
Nearly 90 percent of CIOs and chief information security officers have reported increased security IT budgets, according to a 2015 survey by Southern Methodist University.
The surge in projects follows a perfect storm of factors: U.S. healthcare organizations are under increasing regulatory pressure to make health data available to patients and other organizations. Doing so creates security vulnerabilities—and cybercriminals have caught on that medical records often contain valuable personal information like credit card and Social Security numbers.
Many healthcare organizations have already recognized the need to double down on security IT projects. Finding qualified staff, however, has been a problem: More than one-third of healthcare providers said they put an IT project on hold or scaled it back because of a shortage of qualified talent, according to a survey from Healthcare Information and Management Systems Society, a U.S. nonprofit. To cope, providers are beginning to look to independent software vendors to develop more creative security solutions. “We're also seeing an increase in the number of chief information security officers at healthcare provider organizations,” says Mr. Runyon.
Medical Cybersecurity by the Numbers
Up to US$2,000: value of a complete medical record on the black market
Other figures in the graphic (values not preserved in this text): the amount U.S. health insurer Anthem plans to spend over two years on cybersecurity after a 2015 breach; the number of U.S. residents affected by medical record breaches in 2015
Breach by cause (percentages not preserved in this text): hacking or related IT incident; lost or stolen employee devices or other
Sources: Financial Times, Bitglass Healthcare Breach Report 2016
At the South Carolina Department of Health and Human Services, the government agency's portfolio of security initiatives is larger than ever.
“There was a time when you could talk about security compliance once a year in the C-suite, but that's no longer true,” says James Brown, chief information security officer, South Carolina Department of Health and Human Services, Columbia, South Carolina, USA. “Within the realm of security, there's no such thing as a finish line.”
In order to streamline the implementation of projects, Mr. Brown teamed up with the agency's project management office (PMO) to fine-tune an online workflow management tool. “That's where we're able to identify—based on level of risk and degree of strategic importance—which projects need to be addressed next,” says Jim Coursey, deputy director of the Office of Information Management and CIO, South Carolina Department of Health and Human Services, Columbia, South Carolina. “We have a means to ensuring hundreds of projects are managed in a disciplined way, but we're also utilizing a central repository for capturing all of the gated requirements of the project methodology for historical reference. Future project teams can then easily go back and see what others did at a particular phase.”
While the fervor around healthcare security might tempt some project teams to jump to action, Mr. Brown says that careful upfront planning around portfolio prioritization and knowledge capture are the only ways that organizations can hope to implement multiple initiatives with limited budgets. Leveraging PMOs is also vital, adds Mr. Coursey. “In addition to dedicating project management resources to the security effort, we leverage the agency PMO to keep the effort coordinated with other projects at South Carolina Department of Health and Human Services.”
Elsewhere across the United States, project teams at organizations big and small are launching security projects. A team at Children's Healthcare of Atlanta recently implemented new safeguards for patient information, decreasing inappropriate access to records by 98 percent. Blue Cross Blue Shield of Illinois, Texas, New Mexico, Montana and Oklahoma implemented a project that uses big data visualization solutions to detect cyber threats.
“The integration between the IT strategy and the enterprise strategy never before has been greater,” Harold Wolf, health IT strategist for The Chartis Group, told Healthcare Informatics magazine early this year. Organizations can no longer “look at projects as strictly IT projects, as these are actually all business projects that are supported by IT and are critical to the success of the enterprise.” —Kate Rockwood
PM NETWORK MAY 2016 WWW.PMI.ORG