By Nick Giannas
There has been an explosion in the demand for cybersecurity and the recruitment of Chief Information Security Officers (CISOs), especially in vulnerable and data-rich industries like healthcare and academic medicine. This demand results from a perfect storm of events and trends that have increased information security risk like never before:
- The continued proliferation and mass utilization of technology − Going digital comes with consequences for any organization, as anything that is “networkable” can come under attack.
- The need to access and share data and information − In healthcare, this need is being driven by forces such as accountable care and population health. In this and other industries, there is a great thirst for analytics, mobile technology, and anything that sheds light on operations and furthers market knowledge.
- The dramatically increased value of data − This is especially true in healthcare, where patient records can be worth a lot more on the black market than, for example, credit card information. A white paper by the Institute for Health Technology Transformation labelled 2014 a “year of healthcare data breaches,” and the value of protected health information (PHI) seems like it will only increase.
- Institutions’ lack of preparation against cybersecurity threats − In the annual benchmarking report from BitSight, the only sector listed as less prepared for cyberattacks than healthcare was education.
“Many executives are declaring cyber as the risk that will define our generation,” proclaimed a recent report by PwC. Accenture predicts that U.S. health systems could stand to lose a total of $305B in the next 5 years from coordinated cyberattacks.
Questions for Health IT Leaders
What does it all mean for IT leaders in healthcare? The following are key questions that these leaders – and their CEOs and executive colleagues – must be asking and answering:
- What cybersecurity/information security program do you have in place? How mature do you feel your security operation is to counter the cyber-threats that will take place in the coming years?
- In your organization, who does your chief security leader or CISO report to? Does that appropriately reflect the position’s value and importance within the organization?
- How often do you update your board of directors on information security?
- How robust is your internal training program on information security?
- Does your organization have the appropriate security framework in place, including the right executives? (In a recent PwC cyber survey, 91% of respondents said their institution has adopted a security framework, or an amalgam of frameworks.)
If cybersecurity efforts will help define healthcare’s future, it is critical that executives are asking the right fundamental questions.
Nick Giannas is a consultant in Witt/Kieffer’s Information Technology practice.