Clinical Innovation & Technology: Why do you think the healthcare industry has become a favorite target of hackers?
Mark Hollis: The statistics and incidences of hacking are so enormous that I think that it may or may not be accurate to say the healthcare industry is the favorite prey. I think the reason for that is an economic reason, for one. I think that the value of healthcare data on the black market is more than any other kind of data, particularly because the healthcare databases contain protected health information containing both personal identity with financial information. They can get much more money because they can use it more effectively in a variety of ways. Other reasons it may be the favorite prey is because it is so vulnerable, it seems to be so poorly protected and it is not very difficult for hackers to access healthcare records. It's incredibly alarming but it is true. We’ve heard about banks, the [Democratic National Committee] and Sony, but healthcare seems easier to hack even when systems employ IT groups to protect data.
Why do you believe current patient security measures have failed?
I think going to the cloud is a way for hospitals or practices to escape the requirement of protecting data in their offices. It's a way of shifting the responsibility to someone else. In the case of private practices, they are shifting it to nameless, faceless persons based on the assumption that someone else could take care of this information and that it might cost less. However, as the threat of hacking increases, the price of cybersecurity is passed to the healthcare facility and consumers.
The safety measures that have been deployed are not effective because software vendors are not required to follow HIPAA. They also may not be required to divulge this information in advertising and marketing, so many vendors have software that does not encrypt data. Without this encryption of data, once hackers discover the password, they have access to all the healthcare information that may be stored in databases that are being used by every user of the software.
The security measures have failed because there is no consolidation of data in a centralized location. The design of software programs does not make this possible. I think it has also failed because it’s been so difficult to be able to use systems that do not have built-in encryptions.
Considering the pace of change in cybersecurity, how can healthcare organizations stay ahead of hackers/ransomware?
The key thing, in terms of preventing hacking and ransomware attacks, is to keep things simple. If you have data residing in one database while giving access through multiple computers, you only need to worry about protecting a single database. The key thing is to have a centralized design of an application where everything can happen in one place. If we’re going to be successful, it’ll be by going back to basics. Having the temptation of having every application on every computer leads to the clicking of links and downloads that are harmful.
Healthcare systems have not been reporting some of the attacks they encounter, making the actual number inaccurate. Why do you think they are hesitant to report data breaches? What do they have to lose by delaying reporting attacks?
In a recent study, 50 percent of patients interviewed said that if their data was reported as having been exposed by their provider, they would no longer go to that provider. I think the bottom line is money. They don’t want to report the breach because of the fact they have been spending their time marketing against other hospital systems.
A security breach or ransomware attack could mean you are reporting an inability to protect your patients' data. I think it’s completely understandable why you would do anything rather than report a breach; however, you are obligated to report it.
How do you believe complying with HIPAA procedures prevents the exposure of protected health information?
If providers comply with HIPAA, hackers will be prevented from having access to patient data. If hackers are trying to steal data as it travels across networks or is connected remotely, they will not be able to get that data if it is encrypted in motion as required by HIPAA. In terms of ransomware, the data could be encrypted within a physician’s office, with the database computer turned off at the end of the day.