The Current State of Privacy and Cybersecurity in Texas Healthcare Organizations
Health IT has come a long way since the HITECH Act was introduced almost 10 years ago. Technology availability and accessibility have also increased dramatically in that time frame. While better connectivity has revolutionized healthcare, it has also opened the door to cyber risks.
Testimony before the Texas Health Services Authority Board at the Texas State Capitol on Friday, October 4 reinforced recent headlines that cybersecurity is a persistent problem; one that will require greater resources at all levels of healthcare and healthcare governance. Representatives from the Texas Attorney General’s Office, the Texas Medical Board, Texas Medical Liability Trust, University of Texas, and Cynergistek, along with Third Rock CEO, Robert Felps, took turns presenting data and observations on the “current state of cybersecurity and privacy in Texas healthcare” from their professional perspectives. Though some gains have been made in recent years, key points across the presentations made clear that Texas healthcare organizations – and the supporting governing bodies – still have work to do to safeguard patient data. Here are the key takeaways:
- Available data indicate that Texas healthcare organizations remain extremely vulnerable to cyber threats.
  - In 2017, TMLT received reports of 600 data privacy and security incidents, or breaches. There have only been 103 incidents so far in 2018 (Jan-Sept), but that’s still an average of 11.4 incidents/month.
  - Mac MacMillan, CEO of Cynergistek, reported that his firm is notified of at least one security incident a day by one of their 1500 hospital clients, which include 70 academic medical centers.
- Both formal and informal reports indicate that healthcare organizations have an incomplete approach to cybersecurity and HIPAA compliance.
  - In 2016, the OCR Random Audit Program evaluated 63 Covered Entities. Of the audited organizations, 13 had not attempted to perform a Security Risk Assessment (SRA). Of the 50 organizations that had completed an SRA, none satisfied the OCR’s requirements.
  - MacMillan also reported that fewer than half of Cynergistek's client organizations meet the NIST requirements for cybersecurity, a situation he attributed to a lack of both human and financial resources.
- Too many healthcare organizations are financially unprepared for a cyber event.
  - 70% of healthcare organizations report having no cyber insurance.
  - The combination of legal fees, penalties, increased administrative costs, and loss of business resulting from an information security incident can potentially put a healthcare organization out of business.
- There is a significant shortage of adequately trained cybersecurity personnel.
  - According to MacMillan, there are currently about 780,000 cybersecurity employees and approximately 350,000+ cybersecurity job vacancies. By 2021, labor experts are predicting 3.5 million cybersecurity job vacancies.
  - When he visits a client hospital and asks "Who's taking care of ‘x’ cybersecurity technology?" he is often referred to an IT employee with no cybersecurity experience.
- Enforcement responsibility for healthcare data privacy and security is distributed across multiple state agencies, resulting in incomplete data and inconsistent enforcement.
  - At the state level, responsibility for enforcing HIPAA and HB300 falls to the Texas Medical Board, Texas Board of Nursing, Dept of Health Services (DHS), Office of the Attorney General and others.
  - Agencies report aggregate numbers to the Office of the Attorney General of complaints received and of incidents resulting in disciplinary action. However, specific cases are only referred to the Attorney General’s Office when the agency believes an incident warrants civil or criminal penalties that only the AG’s office can impose.
- Information security incidents negatively impact patients – both directly and indirectly.
  - Healthcare records are worth substantially more on the black market than credit card or even social security numbers, making healthcare records a prime target for cyber criminals.
  - A security incident resulting in identity theft can take years, and thousands of dollars, for an affected patient to correct.
  - A ransomware attack can bring care delivery to a standstill, freezing infusion pumps and other medical devices and putting patients at risk.
Are you cyber confident? Can you afford no action? Third Rock makes it simple and affordable.
Protect your patients, protect your practice, protect yourself