The Magnitude of Cybersecurity Problems in United States Healthcare

Apr 30, 2015
Author: Dr. Mansur Hasib

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 required covered entities to protect the privacy of protected health information. However, there was no encryption requirement. Enforcement of the law was non-existent for over a decade. Therefore, a very lax culture developed and became the norm in the healthcare industry.

When the HITECH Act of 2009 came along, it was a game-changing event for several reasons. First, it provided a massive infusion of federal incentive funds for strategic technology investments in electronic health records (EHRs) through an incentive program called Meaningful Use; the goal was to give any healthcare provider complete and accurate information about the patient. These EHRs were required to adhere to certain interoperability standards (the groundwork for these standards was established in 2004). Interoperability would allow the secure exchange of electronic health records between providers through health information exchanges (HIEs) at the state level.

These innovations and investments were designed to improve patient outcomes, reduce costs, and begin a movement towards quality- and results-based payment for medical care rather than the quantity-based payment system (which pays regardless of result) that has existed in the industry for decades.

As I visited conference after conference and heard stories from the doctors themselves, it was clear to me that both doctors and patients were excited about the errors that were reduced and the lives that were saved through the use of electronic health records. In addition, artificial intelligence derived from the work of the highest-quality doctors suddenly gave doctors the ability to sift through large volumes of data on the patient and arrive at higher-quality decisions.

However, half of the US healthcare industry continued to suffer from an anachronism dating back to the 1980s. In these organizations the Chief Information Officer (CIO) and the IT department continued to report to the Chief Financial Officer (CFO) or a comparable executive. Thus CIOs in these organizations are not empowered to make the right decisions about technology and cybersecurity, because they do not report to the CEO. They serve under an organizational structure that views them as a cost center instead of an investment and a business driver.

Whenever diligent CIOs developed plans to comply with the encryption requirements of the HITECH Act, and also wished to enable their organizations to participate in health information exchanges, the typical conversation in these regressive organizations went like this:

CFO, “I see you want 4 servers. Can you do with 1?”

CIO, “If I could do with 1 why would I ask for 4?”

CFO, “Don’t get defensive. I need to know how the money is being spent.”

CIO, “I thought I am in charge of planning the IT and cybersecurity strategy ...”

CFO, “Yes you are. But I am in charge of the money.”

CIO, “So are you saying you cannot afford this?”

CFO, “No I am not saying that – just wondering why 4? Okay how about 2? Can you do with 2?”

CIO, “Ok let’s ask the same question differently. If there is a cybersecurity breach are you willing to take the blame?”

CFO, “Of course not. That is why I hired you. It is your job to make sure we are secure. You are the Chief Information Officer.”

CIO, “Right. But you keep overruling me all the time.”

CFO, “I am in charge of making sure our money is spent wisely. By the way, I am not even sure that HIPAA requires encryption.”

CIO, “It is a requirement of the HITECH Act of 2009.”

CFO, “Oh one of those Obamacare things … ?”

CIO, “No this has nothing to do with health insurance exchanges …”

And thus these circular conversations persisted. Many CIOs resigned out of frustration. Many felt it would be career suicide to be prevented from doing the right thing and then be blamed for a lack of due diligence in the event of a breach. Several major healthcare organizations decided they could do without a CIO for several years. Some even decided a healthcare executive could perform the role. Today about one-third of US healthcare organizations do not have a Chief Information Security Officer, and one-fifth do not plan to have one anytime soon.

Without the right IT and cybersecurity strategist in place, healthcare organizations may not maintain compliance with the applicable laws, rules and regulations. They may not implement controls and software to monitor unusual user behavior. They may have no controls to prevent data loss or unauthorized data access. If a single user account is sucking out 80 million records, they may never know until it is too late. They may never analyze logs. More dangerously, they may not invest in appropriate technology to manage and monitor privileged user accounts, or engage in cybersecurity governance and leadership, continuous innovation and improvement, and user training, a key requirement for cybersecurity.
