In the recent post, Healthcare Security Lapses: No Signs of Slowdown, we discussed just how big the challenges are to securing healthcare data. To get a sense of what healthcare providers may be doing that are hampering their efforts, we turned to a long-time hospital chief information security officer, Eric W. Cowperthwaite. Cowperthwaite served at Seattle–based Providence Health & Services as its first Chief Information Security Officer for more than seven years. Cowperthwaite also served as the first Information Security Officer of Medi-Cal (California’s Medicaid program), where he established a formal information security program.
Cowperthwaite is currently managing principal at Citadel Services, a boutique executive consulting firm in Seattle. Eric is directly responsible for company operations and finances, as well as executive engagements with customers. Prior to Citadel, Cowperthwaite was the vice president, security and strategy for Core Security, headquartered in Boston, MA.
What do you see as the bigger challenges in the healthcare vertical today when it comes to security?
Cowperthwaite: I think the single biggest challenge in the healthcare vertical for security today is the fact that healthcare organizations, generally, think that security is a compliance program. This is fundamentally ingrained into how many of the leaders in these organizations think.
Until healthcare gets security out from under compliance, they're not going to improve security.
When you say that security is being run as a compliance program, did that come about because of HIPAA? And HIPAA became a tool in which to obtain budget?
In the medium term view, yes. The really long-term view is that a compliance regime in a hospital has been something that's existed for 20-plus years. This is primarily because of the nature of Medicare or Medicaid billing requirements, legal privacy requirements and such.
Hospitals for a long time, two decades or more, have had to manage huge compliance regimes.
When HIPAA first came on the horizon, because the first security effort in HIPAA was in the privacy rule, HIPAA was rolled up under hospital privacy compliance. The view that security is a compliance program is so engrained into hospitals that even if the security leader is not reporting to the compliance team, even if security is reporting to IT, it's still completely viewed as a compliance program.
What do you mean by security is being run as a compliance program?
Their focus is to “check the boxes.” They ask themselves “do we meet the security rule requirement?” Last year we saw all the big health insurance breaches, and I think that's the tip of the iceberg. As soon as these hospitals start really digging in, they're going to discover that they've got bad guys all throughout their networks. That's the other big challenge. I would say that many of these healthcare systems are already breached and don't even know it. They have no idea that they have an ongoing breach.
Just because hospitals operate much like retail and very similar to the hotel business, they want to keep all of their administrative overhead as tight and small as possible. They've already had large growth in compliance efforts, such as growth in the audit functions and lots of other overhead areas that add costs. Now is not the time for them to want to spend more on security overhead.
I imagine there are synergies in security and compliance, but if you want to become secure, you have to focus on things that reduce actual risks. How can security professionals help their healthcare organizations take that additional step?
You can build trust and help them by showing them ways to take what they've already in place and make it better from a security perspective. They've built this huge compliance regime, they've got this great big privacy shop and then they've only three people working on security. Without them having to completely reorganize everything, without them having to hire a bunch of security people, how can they take that compliance, privacy and security setup they've got and take advantage of it to improve security?
First, they have to realize that security is not a function of checking the boxes on the compliance checklist. You have to show them that isn’t enough to reduce the risk of intelligent attackers, and build in the processes that will help to reduce such breaches over time. That’s achieved when they trust you. It isn’t an easy challenge to overcome.
Do you think healthcare is getting on the right track? We've been seeing a lot of not only big healthcare breaches, but a lot of steady small breaches. It seems like every week some small medical facility somewhere had a breach.
The community hospitals, they're never going to get on the right track. There's no way because they've got one IT person. They will be what they are just like any other small business. What you end up with is these mid-tier players. They have like three to six hospitals in the company and there's probably about seven hundred and fifty or eight hundred of those across the country, as crazy as that sounds.
There are 6,000 hospitals in the United States, about 3,500 of them are organized into these three to six hospital organizations. I think that most of the CxO level executives in these organizations have woken up to the problem. The ideal thing for these organizations is to strategically outsource as much as they can to reduce risk. I don’t see them building the capability in-house.
I don't think this is a full strategy, by any measure, but a really solid strategy like leverage your compliance and privacy functions to meet certain security demands, leverage security services providers because adding the costs associated with full time employees just isn’t going to happen in these organizations right now. They need to leverage outsourcing, leverage technology, and security professionals have to train the organization how to think in terms of real risk reduction, and not just compliance checklists.