In late 2015, after a rash of healthcare cyberattacks, President Barack Obama ordered HHS to establish a task force to determine the state of cybersecurity in the industry and make recommendations to improve it. A report is due this March from the task force, which includes representatives from across the industry. Modern Healthcare reporter Adam Rubenfire recently spoke with a co-chair of the task force, Theresa Meadows, senior VP and chief information officer of Cook Children's Health Care System in Fort Worth, Texas. The following is an edited transcript.
Modern Healthcare: Your task force report is not finished yet, but what can you tell me about the state of healthcare cybersecurity?
Theresa Meadows: There's still a lot of opportunity in healthcare for us to be more prepared, and much of this has to do with the diverse nature of healthcare, where you have providers that range from a single-physician practice to big pharmaceutical companies like Merck. And we all have equal risk. Healthcare is steadily becoming one of the highest-risk areas.
Healthcare information on the black market gets a fairly hefty price, so we have become a target for a lot of hackers. The diverse nature and the requirement for us to be able to share information freely make it very difficult to figure out the best mitigating strategies.
MH: The Healthcare Information and Management Systems Society has called on HHS to appoint a chief information security officer to establish national priorities for healthcare cybersecurity and respond to the large number of threats. What does the task force think?
Meadows: We tend to agree there needs to be someone, whether it's at HHS or in some other governmental agency, that helps oversee healthcare cybersecurity. As we look across some of the other industries, there are people that do review and keep an eye on security. So that's one of the things we are considering suggesting in our recommendations.
MH: Do you believe the healthcare industry has adequate standards today?
Meadows: From a HIPAA perspective, I think we're quite secure. Cybersecurity is much more than what we do to protect the privacy of our patients' information. So when we start talking about ransomware attacks, or malware, or even someone who has the ability to connect to our medical devices and shut all of our medical devices down via our wireless network, that's much different.
I think we're far away from having a single industry standard that would regulate or give people a roadmap of what they need to do as far as cybersecurity is concerned.
MH: Healthcare cybersecurity professionals are usually paid less than their peers in other industries. As a CIO, do you find it hard to attract high-quality talent, and how do we fix this problem?
Meadows: I think that is changing because healthcare has recognized that cybersecurity is a very important risk. As far as recruiting, I think it's not just healthcare: Finding security professionals in general is very difficult.
We have to find some creative ways to either encourage people that are currently not in security to move into security roles in healthcare, or we need to find some programs that specifically focus on getting professionals ready in a shorter period of time. Our challenge today is that to get a really skilled security professional, you need five, 10, 15 years of experience.
We have to look at other mechanisms such as shared resources that we can purchase versus each organization having their own professionals.
MH: Do you believe rural and safety net hospitals have the budget and staff to manage cybersecurity appropriately?
Meadows: In general, I would say no. That's one of the areas of focus that we've had on the task force: How do we provide high-quality solutions for these rural areas or safety net hospitals that cannot afford a security officer or cannot afford all of the software that you need to protect an organization? That's where some of these shared-services organizations will probably come in handy.