Information technology security leaders can help hospital CFOs identify investments that reduce cybersecurity risks.
In this interview, Lee Kim, director, privacy and security for the Healthcare Information and Management Systems Society (HIMSS), offers strategies for finance leaders to help disarm cybersecurity threats.
On the cost ramifications of breaches. Although data breaches from lost laptops still occur, new threats like ransomware and aggressive cyberattacks by sophisticated hackers have put healthcare organizations on guard. Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Office for Civil Rights (OCR) can levy hefty monetary penalties for major breaches. For example, a recent HIPAA settlement cost one South Florida health system $5.5 million.
“Unfortunately, a lot of healthcare organizations may not understand what HIPAA requires of them, and if OCR finds they are deficient in some way, they may need to enter into a settlement and face a massive fine,” Kim says.
Beyond OCR fines, breaches can be costly because they require notifying patients and redirecting employee hours to oversee an audit following a breach. According to the Ponemon Institute, the average cost of a breached medical record is $158.
Kim also views data breaches as a litigation risk. “Lawsuits can be costly to defend, even if they do not go to trial,” she says.
Breaches also can be extremely damaging to an organization’s brand and reputation, which can have an economic impact if the hospital is involved in a merger or acquisition and its potential partner gets cold feet.
Fortunately, finance leaders can help IT security teams protect against these unforeseen costs. “It stands to reason that if your organization has a plan of action that accords with your type of breach, you will likely have less downtime, less chaos, and fewer mitigated costs compared with an organization that is dealing with breaches ad hoc,” she says.
To help organizations develop effective plans to protect against and manage privacy and security threats, HIMSS provides monthly cybersecurity reports as well as other resources for those outside of IT security.
On “spear phishing” scams targeting finance departments. “Nowadays, everyone with a mobile phone or access to e-mail can be a gateway to a potential breach or data leakage,” Kim says.
She recommends finance leaders become educated on business e-mail compromise, imposter e-mail that often targets finance departments and has cost the United States more than $3 billion during the past few years, according to the Federal Bureau of Investigation. In these scams, also known as “spear phishing,” an attacker masquerades as a customer or CEO in an e-mail message and asks for money to be wired to an account.
She suggests that all employees receive regular training, such as on an annual basis, to help recognize these scams and investigate a request before moving funds. They might also receive training during National Cyber Security Awareness Month, which is observed in October. HIMSS offers guides and tips that can be used for staff education.
On procuring financial software. “With any computer software or mobile-enabled device, there is always a chance that there is some bug or vulnerability that can be exploited,” Kim says. When considering new financial software, she recommends that finance leaders work with their IT security teams to help determine the best, most secure solution for the specific objective. “They may help save your organization a lot of grief by preventing a potentially weak solution from being implemented,” she says.
This is true even for products or devices you buy off the shelf or those in the “cloud,” she says. “You always need to keep security in mind, because every product has its vulnerabilities and is capable of being exploited,” she says. “Even if that financial product is limited to a narrow function, the danger with any software is that it may be hacked and allow a hacker to connect to other computers and hosts on the network.”
On the timeliness of reporting breaches. Kim believes some of the recent OCR decisions have helped providers recognize that they need to report breaches quickly. “Under the HIPAA breach notification rule, you have to report a breach no later than 60 calendar days [after the breach] and without reasonable delay,” she says. “In some of the recent cases, OCR has sent the signal that waiting until the 59th day to report your circumstances might not be reasonable for your case. So providers cannot sit on their hands when there is a breach. They need to report it quickly to the U.S. Department of Health and Human Services as well as to the media.”
On investments to protect against breaches. “Unfortunately, it is frequently the case that organizations do not have enough to invest in proper IT security solutions because their budget is restricted,” Kim says. “A finance leader may want to sit down with the top security person in their organization and ask what they need to stay ahead of cybersecurity attacks.” By doing this, they can identify and budget for the right IT security tools.
Finance teams also should ensure that IT departments have the budgets to allow for annual employee training on cybersecurity prevention. Annual penetration testing, which tests the IT system for potential vulnerabilities, also should be funded.
Another budgetary issue is staffing. “It’s not uncommon for some large, established healthcare organizations to have a fraction of the staff they need,” she says. “For example, an organization may have a ratio of one cybersecurity professional to 1,000 users, but in this day and age, you may need to up your ratio.” Although lean organizations may be able to maintain cybersecurity with this ratio, others may need to double the number of cybersecurity staff.
Beyond FTEs, finance should help IT leaders retain good employees, who are typically paid more in other industries. “At the very least, you should revisit your allocation of salaries and whether it is enough to get your good people to stay,” she says. “Otherwise, you will be training new people every few years because your good people are leaving for better opportunities.”
On collaboration with IT. “It is important for finance leaders to connect with their cybersecurity counterparts and learn how these specialists can support their efforts,” Kim says. “Cybersecurity isn’t simply the security staff’s problem. It’s everyone’s concern.”
Interviewed for this article:
Lee Kim, JD, FHIMSS, is director, privacy and security, Healthcare Information and Management Systems Society.