This week, HIMSS held its Privacy and Security Forum this week putting the focus on cybersecurity.

Richard Clarke, the former White House cybersecurity czar who served three presidents, opened the conference with details about the dismal state of IT security in healthcare.

IT security professionals need to get their leadership off the fixation that cybersecurity is just about protected health information, Clarke said. “I think your leadership believes that.” He said that when breaches happen and organizations offer the victims free credit monitoring, only 8 percent take the offer. That’s because “we have all become inured to the loss of [personally identifiable information]. Tell your leadership there are other things that could happen that have happened in other sectors. Those things inevitably will happen in healthcare.”

Tyler Moore, Tandy assistant professor of cybersecurity and information assurance at the University of Tulsa, said there is little incentive in healthcare to improve IT security. The traditional engineering approach to cybersecurity involved thinking the internet was insecure because there weren’t enough features such as encryption and authentication. So, engineers worked on providing better, cheaper security features but eventually realized that wasn’t enough.

Most people are better at appreciating a hospital’s new building over an increased IT security budget. “As a result, it’s not surprising for organizations to spend their money on things consumers can observe.”

The U.S. healthcare system also lacks robust cybersecurity incident data. Unless required by law, most companies choose not to disclose incidents which means they can’t calculate an accurate estimate of the likelihood of incidents or their costs. That then means they can’t allocate their defensive resources appropriately.

We'll have more coverage from the conference in coming days.

Beth Walsh

Clinical Innovation + Technology editor