From the April 2015 issue of HealthCare Business News magazine
UPMC relies on security frameworks. It is a member of the Health Information Trust Alliance, or HITRUST, an industry organization that offers a framework that can be used to certify organizations that handle personal health and financial information.
An equally serious challenge for the industry is the question of having adequate resources to prepare against cyber threats. Health care is an environment of haves and have-nots in terms of security resources, Houston says. “Securing the environment is expensive, and the amount of money you need to spend on security isn’t necessarily directly proportional to your revenue.”
Nonetheless, it’s money that needs to be spent, he says. Identity theft is one of the chief reasons that people steal patient data, which is comprehensive and makes for an attractive target, he says. Russell P. Branzell, president and CEO of the College of Healthcare Information Management Executives, or CHIME, agrees with Houston’s assessment. “In health care, the overall threat to the value of medical identities is significant, because of what you can do with that information,” he says.
That includes the Medicare and Medicaid fraud environment, where numerous expenses are processed electronically through both commercial insurers and government insurers before a pattern of illegal activity reveals itself. He says health care is significantly less secure than other industries, in part because of “the complexity of trying to protect so much of a large automated environment, compared to a fairly small section of vulnerability in the very well-secured financial banking.”
Yet although health care is behind the curve, the percentage of its operational budget spent on IT security is small compared to other industries, Branzell says. He notes that in health care, cyber security spending is at best about 3 percent above the net operating budget for IT. By comparison, some big banking organizations spend in the double digits just for security, he says. Of course, banking is a different business model than health care, but he adds that health care organizations will be called on to spend more of their IT budgets on security in the future. That will put a financial strain on many institutions.
One way health care organizations can increase their cyber security readiness is through collaboration with other health care organizations, Branzell says. To that end, CHIME launched a new organization, the Association for Executives in Health Information Security, last year. The aim of the group is to help organizations defend against average threats. It serves as a platform on which colleagues can quickly share instances of access by hackers.