What’s the Ice Bucket Challenge Got to Do with the CHS Breach?

David-FinnTake My challenge. No cold water. No Ice.

By David Finn, Health IT Officer at Symantec
Twitter: @DavidSFinn
LinkedIn Profile

Let me start out by saying that I’m hot (it is Houston in September), need a vacation (my fault) and am cranky (a result of being hot and needing a vacation).

It all started Monday, August 18th. I was actually at one of our customers who spent about 10 minutes telling me that healthcare would not be a targeted industry. Our local account representative and I spent about 10 minutes going through the data, the reports, and the warnings. He responded by saying they had a good handle on security. About 5 minutes after leaving and really only a block or two down the road, I received the first ‘breaking alert’ on the CHS breach. I immediately forwarded that to him . . . still haven’t heard anything back. Later, that afternoon, at another hospital in the heart of the rural Midwest, a CTO told me that no one would ever hack a hospital in a sleepy, rural setting. Apparently, the bad guys had not heard of the Internet and connectivity so that made their hospital safe.

Since then I’ve been on the phone or email almost constantly to our healthcare team, to customers, to media, to industry leaders. A lot of them use the term “game changer”. OK, I’ll buy that but I’ll be damned if I know what game is changing . . . “You need to protect yourself and this is how” – – what has changed? And it isn’t just attacks – – it is the EMR with no failover; the laptops with no encryption; the mobile devices with no policy around them or tools to manage the policy; the out-of-date backup software or endpoint protection; the DLP that is improperly configured and no one knows how to use it, let alone manage it; the backups that never get verified until, well . . . too late.

The IT guys (that is a gender-inclusive term in IT) in healthcare get it (most of them). A Presidential Directive in 2003 made healthcare part of the National Critical Infrastructure and the Department of Homeland Security has told us that healthcare will be a target of attacks. The FBI didn’t just make this up this week. And forget the attacks – – do you know what Critical Infrastructure means? Let me make it simple, it means it has to be there.

So, here is my challenge. No cold water. No ice. No buckets. The challenge is just to do what you should have been doing, as a provider and an industry, for over a decade. Pretend you have had cold water dumped on you and it really woke you up. Here is what I’m looking for and this is the challenge:

Show me a healthcare CEO who will stand up and say: “Information and information technology is critical to our business and we must protect it”. Show me the hospital CFO who says: “Fixing this after the fact costs too much and the damage is done; we need to proactively pay for defense and protection of our patients, employees and their data”. Show me a COO from any Covered Entity who says: “This is far too disruptive to care, to business and we lose too many patients or customers when it does happen – – we cannot allow this to happen again”. Now, CEO, CFO, COO put the money, the time, the resources, and the organization’s focus on information and information technology.

I hear people both customers and vendors saying we’ve got to get smart. My message is not to get smart but to start doing what you were told to do in 2003, in 2005, in 2009 and in 2011. And in some headline story every week of the year since about 2009.

Bad stuff isn’t going to stop happening, it is going to accelerate – – and you are more dependent on the information and the information technology than ever before. Yes, you really have to spend time and money and resources and it is really a C-Suite issue not an IT issue – – because it is a business issue.

Healthcare isn’t different. Its just worse at IT risk management and slow to respond to things it doesn’t understand. I am hot and need a vacation and am cranky . . . But sometimes you really do get what you deserve. If this isn’t a wake up call, I shudder to think what it will take. Accept the challenge . . . or get out of the business.