The following is a guest blog post by Randy Gunther, SVP Operations and Portfolio Management at Atos.
As HIMSS 2019 kicked off in February, I had the opportunity to discuss cybersecurity with two focus groups at CHIME. The focus groups were made up of 15 healthcare CIOs, CTOs, CISOs and IT Directors representing a strong cross-section of the healthcare provider market. Our goal for these focus groups was to better understand the priorities of cybersecurity within their organizations, the challenges they are facing and what they perceive they need from cybersecurity service providers.
It was interesting to hear that 50% of organizations represented in the focus groups had either experienced or believed they had experienced a security breach or cyber event. The good news is that 88% of them have a formal, structured cybersecurity strategy or program – or believe that they do.
With 67% of the group indicating that cybersecurity is a mid- or lower-level priority in their organization, it wasn’t surprising to hear that 60% felt that their senior leadership/Board only partially understands the risks and/or ramifications of inadequate cybersecurity.
Budget and Resources
One issue we hear about regularly from CIOs and CISOs in the healthcare market is the lack of a sufficient budget to invest in technologies and retain resources to develop and manage a robust cybersecurity defense for their organizations. With 91% of the group indicating that they don’t have enough staff, or that they can’t retain them, and 80% saying they don’t have enough budget for an effective cybersecurity defense, it appears many leaders in healthcare are treating cybersecurity the same way as patients who only visit their healthcare providers when they get sick, rather than for wellness visits; they are treating only the symptoms instead of the cause.
Cybersecurity Service Alternatives
100% of the group shared that they use third parties for cybersecurity risk assessments and penetration testing. Even more interesting, 73% of the healthcare organizations represented in the focus groups use five or more different vendors to create “end-to-end” cybersecurity solutions, with 7% not having an end-to-end solution at all, and 35% not having an enterprise-wide Incident Response Plan. When we asked if they thought there was value in working with a single cybersecurity vendor, 53% said no. Many shared that they felt this way based on their belief that no one single vendor existed who could provide one single end-to-end solution. However, 73% of the group stated that they would consider a managed service for cybersecurity.
What’s preventing cybersecurity from being prioritized and funded effectively?
While no organization wants to make headlines for suffering a cybersecurity breach, the groups shared this reality: leadership teams and Boards view the cost of a breach as less than the cost of robust prevention. This speaks volumes; thus, it wasn’t surprising to hear one CIO share that the best way for him to get more cybersecurity funding was to experience a breach.
A Carrot or a Stick?
The 2009 HITECH Act legislation provided the incentives (a carrot) designed to accelerate the adoption of electronic health record (EHR) systems by providers. Now that most providers’ records are electronic, the challenge has shifted to getting organizations to share that data for the patients’ benefit. The U.S. Department of Health and Human Services (HHS) is proposing rules to support seamless and secure access, exchange, and use of electronic health information; CMS is issuing regulations to report providers or hospitals that participate in “information blocking,” using potential payment reductions to encourage providers to improve patient access to their electronic health information; and ONC is promoting secure and more immediate access to health information for patients. With these measures, a stick is now being deployed to drive seamless data exchange that allows patients to obtain and share their health data securely and privately, even on smartphones and mobile devices. And, while proposed rules call for the industry to adopt standardized APIs to facilitate this outcome, the result will create more vulnerabilities for cyber criminals to take advantage of.
While cybersecurity may not be the highest of priorities right now and is therefore experiencing a lack of funding, cyber threats will continue to increase as healthcare organizations are forced to share more data outside of their networks. It might not be until then that healthcare leadership teams and Boards recognize that a breach can cost much more than an effective prevention program. While no single vendor may be able to provide one end-to-end cybersecurity solution, working with a company that can provide many of the components, from consulting to tools and managed services, can minimize costs and significantly reduce the number of vendors needed to expertly secure your organization from cyber criminals, threats and breaches.
About Randy Gunther
Randy Gunther is part of the Digital Health Solutions group in North America for Atos. With more than 30 years in the healthcare provider market, Randy has led many businesses including customer care and implementation services for healthcare EMR and practice management vendors, consulting, IT Outsourcing and Managed Services for global technology companies and strategic operations and technology adoption solutions for global service providers.
Atos is ranked by Gartner as a Top 5 Managed Security Services Provider globally.
Inbal Vuletich serves as the editor for Atos Digital Health Solution publications.
About Atos Digital Health Solutions
Atos Digital Health Solutions helps healthcare organizations clarify business objectives while pursuing safer, more effective healthcare that manages costs and engagement across the care continuum. Our leadership team, consultants, and certified project and program managers bring years of practical and operational hospital experience to each engagement. Together, we’ll work closely with you to deliver meaningful outcomes that support your organization’s goals. Our team works shoulder-to-shoulder with your staff, sharing what we know openly. The knowledge transfer throughout the process improves skills and expertise among your team as well as ours. We support a full spectrum of products and services across the healthcare enterprise including Population Health, Value-Based Care, Security and Enterprise Business Strategy Advisory Services, Revenue Cycle Expertise, Adoption and Simulation Programs, ERP and Workforce Management, Go-Live Solutions, EHR Application Expertise, as well as Legacy and Technical Expertise. Atos is a proud sponsor of Healthcare Scene.