Data breaches are a constant threat and especially costly for health care organizations. A recent study shows data breaches cost health care organizations an average of $6.5 million per incident—that’s more than 60% higher than other industries and the ninth consecutive year the health care sector has shouldered the highest financial burden for data breaches. That doesn’t begin to account for the toll breaches have on patients and their families.
Children’s Hospitals Today talked with Zafar Chaudry, M.D., M.S., MIS, MBA, senior vice president and chief information officer of Seattle Children’s Hospital, to discuss what children’s hospitals should be doing to stay ahead of this threat.
What are you doing to address data security and to ensure patient data is safe?
In most cases, the biggest threat is typically internal. Employees may unknowingly move data around, and that may create more exposure than an attack from the outside. So, our efforts start with a massive educational program for our employees to keep them up to date as to what data security is all about, what's happening and what to look out for. At the same time, we challenge our staff by testing their ability to respond to potential questions and threats. People love to click on emails—that's usually where a lot of these problems start.
In addition, we're looking at leveraging ethical hackers. The only way to protect yourself from an attack or a data breach is by trying to get into the mind of the hacker, because no matter how much technology you have, those folks tend to find a way to tunnel into what you're doing. Frequent penetration testing—hiring an ethical hacker to look at your network and systems and give you a list of things they see as potential gaps—is important.
Data security is a concern for all industries, but what challenges do health care organizations face?
We’re sitting on a multitude of information. It's a great source for a hacker to get everything they need in one place. People who tend to attack hospitals can use that information to build fake personas, so it sells for more on the black market.
And the complexity in health care is how much value you can place on data security when our core mission is taking care of kids. These kids are sick, and some may even die. In the mind of the clinician, their focus is trying to keep these kids alive; data security isn’t always top of the list.
Similarly, your consumers—families of patients—probably aren’t thinking about data security, but it’s your responsibility to protect them.
Exactly. When we see parents, they are worried about their child and are willing to give us any information we may request. They have an expectation coming into a health care organization that anything they give us should be safe. I think there's a code of conduct that we should have a higher obligation than even the Amazons and the Microsofts of the world in terms of taking care of patient data—securing it and keeping it.
What we're seeing now is that the people managing technology in health care must buy the next generation of tools, which do more than just data protection. That 24/7 monitoring is a lot more challenging for hospitals because traditionally, IT shops at hospitals haven't run their own 24/7 security monitoring and threat detection systems.
What advice would you give to other hospitals?
Get stakeholders engaged in a data-security committee and make sure it’s not full of technologists—get clinician and leadership input. This committee should meet frequently to discuss the threats the technologists are seeing and to plan for rehearsing different scenarios to make sure people are always prepared and to ensure that people have data security top of mind.
It’s also important to always be prepared for a data breach by having external forensics companies on retainer, because when something does happen—and inevitably it will—that's the worst time to seek help.
Bottom line: I believe that health care organizations need to partner with world-class leaders in a 24/7 security operation. Everything you see happening in your organization should be backed by a team of internal investigators with a constant audit and risk assessment process. Do spot checks on staff, see what they're doing, risk-assess those actions and then self-correct moving forward.