Health care data breaches are a growing threat to the health care industry, causing not only data loss and monetary theft but also attacks on medical devices and infrastructure. Hospital data security breaches in particular have the potential to cost a single hospital as much as US $7 million, including fines, litigation, and damaged reputation. A data breach has a combined estimated effect on the health care industry of about US $6 billion. Meanwhile, the health care industry lags behind other industries in securing its data, and in response, health care organizations must invest considerable capital and effort in protecting their systems.
However, this is easier said than done, given the complexity of health care organizations. Hospitals are extraordinarily complex organizations with many typical organizational characteristics dialed up or down to extremes, such as:
Technology-saturated environment: similar to other organizations, they struggle to manage an array of devices ranging from legacy information technology (IT) to connected medical devices; unlike other organizations, they have orders of magnitude more of them, procured not by a single IT department but purchased ad hoc by clinicians, or given for free by medical device companies.
Internal politics: they deal with the same internal politics that other large organizations do but complicated by the complexity of functions contained within the organization: finance, IT, and human resources, just like other organizations; unlike other organizations, they also must support radiology, cardiology, and pediatrics among others. The degree of specialization is high. Each department requires totally different equipment, caters to different patient needs, has different workflows, and employs a highly specialized labor force that requires years to train.
Regulatory pressures: similar to other organizations, they must abide by the regulations imposed on them by state and federal government; but in the United States, health care data is considered to be particularly sensitive, and thus, is protected under additional specific data protection laws.
Patient-centered care: like all organizations in the United States, hospitals care about their ability to generate positive net revenue for survival, but unlike other organizations, their first mission is to care for their patients, even when they are for-profit.
It is interesting to consider what the systemic effect of these characteristics might be on a single hospital’s ability to remain robust to cyber breaches. But now consider the range of possible differences among these entities, e.g., a rural community hospital has dramatically different priorities than a large, urban research hospital. Specific to IT, outsourcing services is more common in smaller or more rural hospitals, with transcription services being the most commonly outsourced function. The decision to outsource interacts with the tendency of these hospitals to make symbolic rather than substantive IT security investments; see Angst and Kelley for more discussion.
Furthermore, significant variability in cybersecurity as a priority has been observed throughout the hospital industry: in the United States, 70% of hospital boards include cybersecurity in their risk management oversight, and only 37% of hospitals perform annual incident response exercises. Similar vulnerabilities in hospitals are also observed in other countries. Specifically, pressure from the board of directors appears to be essential in creating substantive cyber resiliency, as research shows that hospital management support is essential for user compliance with information security policies, which in turn are written by health care IT security professionals.
The importance and complexity of cybersecurity capability development at hospitals raise critical questions: how do the inter- and intradynamics of hospitals interact to form a system of hospital cybersecurity in the United States? Does this leave the health care infrastructure of the United States vulnerable as a whole? As data interoperability becomes an imperative, driven by Affordable Care Act requirements and payment reform, will hospitals with lower cyber capabilities leave all patients vulnerable?
To answer these questions, we interviewed chief informat