Providers must treat cybersecurity as strategic priority

May 1, 2016


Each week, it seems, there's a new alarming headline on hospital cybersecurity breaches:

"MedStar hospital chain hit with cyber attack."

"Hackers seek ransom from two San Bernardino County hospitals."

"Hollywood hospital pays $17,000 in bitcoin to hackers."

Health care providers are amassing and digitizing vast amounts of prized data, and hackers are drawn to that cache.

To protect the integrity of health care data, providers must recognize the great risk that cyber threats pose, and they must make cybersecurity a top strategic priority. That is according to James M. Kaplan, a partner with the global cybersecurity practice at McKinsey & Company, a management consulting firm. In the book Be-yond Cybersecurity: Protecting Your Digital Business, Kaplan and his co-authors at McKinsey cite regulatory and legal exposure related to the release of stolen medical data as a potential top threat for health care providers.


Kaplan will address cybersecurity concerns for health care during an innovation forum session at the Catholic Health Assembly in June. He spoke with Catholic Health World about the cyber-vigilance imperative for hospitals and health systems.

Will the cyber threats to health care providers continue to escalate?
Absolutely. Attackers can be quite rational, and health care institutions have a combination of very rich data which can be monetized in a number of ways and often fewer resources to protect themselves than some other types of institutions, like large financial institutions.

Why is health care such a ripe target?
There are a couple of reasons, the first of which is the health care sector of the United States especially is relatively fragmented, so you have fewer institutions with the scale required to build appropriate capabilities (in cybersecurity). And, then, also, digitization and the strategic use of IT has lagged in health care as compared to other sectors. And we have this perfect storm of lots of data, and it is becoming increasingly important to digitize in order to meet quality of care objectives and having increasingly sophisticated and determined attackers, which requires health care institutions to fundamentally up their game.

What are health care systems and facilities doing right?
At least from our experience (at McKinsey), which granted is skewed toward some of the larger institutions, you see people doing a good job of putting basic protections in place — they're understanding they need to patch servers, encrypt certain types of data, undertake penetration testing, which is all terrific. The thing that is not happening is that most institutions are still treating cybersecurity as a control function — they're not really building security equally in their technology business operating model so that applications are being written in a secure way the first time, and infrastructure is being deployed in a secure way the first time or so that their users fully understand the value and the risks associated with the data they touch.

How can providers begin to remedy this?
I would say step number one is to understand what their most important risks are. Second, I think it's really critical to get a really rich view on their current level of capabilities. And, third, I think they really need to lay out an aspirational future state and put some options around that.

What role should the governance team have in cybersecurity?
There is a critical role for board members. They need to demand a sufficient time on the board calendar to talk about cybersecurity. I think board members have an obligation to educate themselves. I think they need to ask the hard questions around things like: How good are you? How do you compare with others? What are the biggest risks? Are you just doing the obvious technical things in order to protect yourself? And, this will require patience from the board members because the answers to these questions are not necessarily sound bites.

Why must providers get cybersecurity right?
The digitization of health care is absolutely critical to objectives I think we as a society have around health care efficiency, health care quality, what have you. And this digitization is utterly dependent on two things: the first of which is patients and clinicians having confidence in the confidentiality and integrity of the health data, and second, patients and clinicians being comfortable that they can access that data without undue inconvenience. If you get either one of those two things wrong — either by not protecting enough or protecting in the wrong way so it's a hassle to get into the (computerized physician order entry) environment — then you're going to slow down digitization. This will have not only cost impacts but also will attenuate the mission of many important organizations.

What could be the reputational cost of cyberattacks to providers?
I think that is still being sorted out, but fortunately the worst case hasn't happened yet, in terms of health care cybersecurity. That is to say, yes, hospitals have been inconvenienced, and in some cases some data has been exfiltrated. However, we have not had public releases of very sensitive patient data. We haven't had catastrophic impacts to care as yet. So, I think the critical thing is for hospital networks to be vigilant in minimizing the risk of those types of highly damaging attacks in order to limit the chances of catastrophic impacts.

Will patients keep trusting systems that have been hacked?
It depends on the nature of the attack. If your credit card number is exfiltrated from a retailer, your exposure is capped by the credit card company. On the other hand, if incredibly sensitive medical details about your health care were made publicly available on the Internet, that would change things. That would change the way you thought about your health care provider. So I think the consumer behavior is highly dependent on the nature of the harm.

What are some emerging threats to providers?
The thing that is not yet on the radar screen … is politically motivated attacks, which could be created by hackers that want to do harm to the United States. Obviously, the nation's health care network is critical infrastructure. This is something that banking has thought about a lot and something that health care will start to think a lot about in the not-too-distant future. I think you may see more politically motivated attacks for embarrassment purposes, and I think we've seen that potentially with this law firm down in Panama, where either an outsider or an insider starts to embarrass an institution for political reasons. (Last month, the International Consortium of Investigative Journalists leaked a trove of 11.5 million confidential documents tied to the Panamanian law firm Mossack Fonseca, called the Panama Papers, exposing secretive financial dealings and tax shelters of world leaders and others.)

Why should ministry providers prioritize cybersecurity?
All health care institutions have a mission imperative to protect the privacy of their customers' data as well as to protect the integrity of their patients' care, which is dependent on data. Cybersecurity is an incredibly important part of that. So I think cybersecurity is a critical part of the mission for all health care institutions including not-for-profit ones.


Copyright © 2016 by the Catholic Health Association of the United States
For reprint permission, contact Betty Crosby or call (314) 253-3477.

Copyright © 2016 by the Catholic Health Association of the United States

For reprint permission, contact Betty Crosby or call (314) 253-3490.