Present in the neonatal intensive care unit of Cook Children’s Hospital in Fort Worth, Texas is a father rocking his baby attached to a heart monitor. There are doctors roaming across the halls trying to prevent infection but Chief Information Officer Theresa Meadows is worried about another kind of virus.
“The last thing anybody wants to happen in their organization is have all their heart monitors disabled or all of their IV pumps which provide medication to a patient disabled,” Meadows says.
Meadows is in charge of managing IT and cybersecurity for over 7000 employees at more than 50 locations in Texas. She says that there is a lot of improvement needed after co-chairing an evaluation of hospital cybersecurity across the United States.
Dr. John Halamka, CIO for Beth Israel Deaconess Medical center in Boston, also agrees, stating, “Health care has traditionally under-invested in information technology,” Halamka says.
Halamka, who has been a CIO since the 1990s, has stated that a decade ago, pretty much all health records were paper. Then, in a matter of few years, hospitals switched to electronic records. But the security of digital health has not kept up with its growth. Other industries, like financial services and the federal government, have devoted more than 12 percent to their IT budgets to cybersecurity. Health care has the average of just half of that.
Also, at around the same time, the cost of mitigation has soared with an average breach costing $355 per stolen record for health care organizations. Furthermore, hackers have started becoming ore creative. Halamka says back in 1997, the threats he faced were students trying to hack the network, but in 2017, the threats are state-sponsored cyberterrorism, organised crime and hacktivism.
It is also much more lucrative to work in other industries. According to Burning Glass Technologies, the average pays for health care cybersecurity positions is 25 per cent lower than in finance.
“Plus you’re on the line every minute, not just for keeping someone’s social media profile working, but for keeping them alive.”
Meadows also states that a good CIO is familiar with complex medical devices and comfortable with software and complicated regulations. Also, a CIO needs to keep the hospital staff educated on the latest available software and added threats. Meadows hence, conducts regular phishing exercises paired with educational campaigns.
The average costing for a breach in health care is estimated to be over $2.2 million, and not to mention reputation damage. According to Meadows, the price of recruiting a cyber security leader might seem high, but leaving the job open is an invitation for trouble.