Medical Device Security At A Crossroads

Posted on April 28, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As anyone reading this knows, connected medical devices are vulnerable to attacks from outside malware. Security researchers have been warning healthcare IT leaders for years that network-connected medical devices had poor security in place, ranging from image repository backups with no passwords to CT scanners with easily-changed configuration files, but far too many problems haven’t been addressed.

So why haven’t providers addressed the security problems? It may be because neither medical device manufacturers nor hospitals are set up to address these issues. “The reality is both sides — providers and manufacturers — do not understand how much the other side does not know,” said John Gomez, CEO of cybersecurity firm Sensato. “When I talk with manufacturers, they understand the need to do something, but they have never had to deal with cyber security before. It’s not a part of their DNA. And on the hospital side, they’re realizing that they’ve never had to lock these things down. In fact, medical devices have not even been part of the IT group in hospitals.”

Gomez, who spoke with Healthcare IT News, runs one of two companies backing a new initiative dedicated to securing medical devices and health organizations. (The other coordinating company is healthcare security firm Divurgent.)

Together, the two have launched the Medical Device Cybersecurity Task Force, which brings together a grab bag of industry players including hospitals, hospital technologists, medical device manufacturers, cyber security researchers and IT leaders. “We continually get asked by clients about the best practices for securing medical devices,” Gomez told Healthcare IT News. “There is little guidance and a lot of misinformation.”

The task force includes 15 health systems and hospitals, including Children’s Hospital of Atlanta, Lehigh Valley Health Network, Beebe Healthcare and Intermountain, along with tech vendors Renovo Solutions, VMware Inc. and AirWatch.

I mention this initiative not because I think it’s huge news, but rather as a reminder that the time to act on medical device vulnerabilities is nigh. There’s a reason why the Federal Trade Commission and the HHS Office of Inspector General, along with the IEEE, have launched their own initiatives to help medical device manufacturers boost cybersecurity. I believe we’re at a crossroads; on one side lies renewed faith in medical devices, and on the other nothing less than patient privacy violations, harm and even death.

It’s good to hear that the Task Force plans to create a set of best practices for both healthcare providers and medical device makers which will help get their cybersecurity practices up to snuff. Another interesting effort they have underway is the creation of an app which will help healthcare providers evaluate medical devices, while feeding a database that members can access to study the market.

But reading about their efforts also hammered home to me how much ground we have to cover in securing medical devices. Well-intentioned, even relatively effective, grassroots efforts are good, but they’re only a drop in the bucket. What we need is nothing less than a continuous knowledge feed between medical device makers, hospitals, clinics and clinicians.

And why not start by taking the obvious step of integrating the medical device and IT departments to some degree? That seems like a no-brainer. But unfortunately, the rest of the work to be done will take a lot of thought.

Origami Inspired Medical Devices

Posted on April 7, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I recently came across some amazing technology that uses Origami to be able to make surgical tools so small that the incision needed for an operation could be much smaller. The work is being done by a group out of Brigham Young University in partnership with Intuitive Surgical, makers of the da Vinci Surgical robot. Here’s a video overview of the technology:

I love that the principles they used for NASA also apply to the medical field. Both fields want to take something that’s small and make it much larger. Although, the definitions of “small” and “larger” are relative.

While we haven’t covered as many medical devices on this blog before, seeing inspirational things like this makes me think that maybe we should spend a lot more time learning about the innovations happening in this space.

Accessing Near-Real Time Patient Data In & Out of the Hospital with Alan Portela

Posted on March 15, 2016 I Written By

UPDATE: If you missed the live video of this chat with Alan Portela, you can watch the recorded version below:

Accessing Near-Real Time Patient Data In and Out of the Hospital

On Thursday, March 17, 2016 at 3 PM ET (Noon PT) join us for a live video interview with Alan Portela, CEO of AirStrip. Alan is one of the most insightful people I’ve ever met in healthcare. He has a great mix of experience and vision for what’s happening in healthcare IT and where it needs to go in the future. Not to mention he understands some of the reasons it hasn’t gotten there yet. I always learn something when I talk with Alan and so I’m excited to share this live interview with the Healthcare Scene community.

The great part is that you can join my live conversation with Alan and even add your own comments to the discussion or ask him questions. All you need to do to watch live is visit this blog post on Thursday, March 17, 2016 at 3 PM ET (Noon PT) and watch the video embed at the bottom of the post or you can subscribe to the blab directly. We’ll be doing a more formal interview for the first 30 minutes and then open up the Blab to others who want to add to the conversation or ask us questions. The conversation will be recorded as well and available on this post after the interview.

We hope you’ll join us live or enjoy the recorded version of our conversation. You won’t be disappointed by Alan Portela’s insights into the world of near real-time streaming of health data to mobile devices. AirStrip has done some really amazing things in this regard and Alan has a deep knowledge of this industry.

If you’d like to see the archives of Healthcare Scene’s past interviews, you can find and subscribe to all of Healthcare Scene’s interviews on YouTube.

Patient Engagement Will Be Key to Personalized Medicine and Healthcare Analytics

Posted on February 16, 2016 I Written By

When I wrote about personalized medicine solutions that are available today, I mostly covered the data aspects of personalized medicine. It’s a logical place to start since the basis of personalized medicine is data. In that post I highlighted the SAP Foundation for Health and the SAP Hana platform along with the work of ASCO and their CancerLinQ project. No doubt there are hundreds of other examples around health care where data is being used to personalize the care that’s provided.

It makes a lot of sense for a company like SAP to take on the data aspects of personalized medicine. SAP is known for handling massive data volumes drawn from complex data sets. They’re great at sorting through a wide variety of data from multiple sources, and they’re even working on new innovations where they can analyze your data quickly and effectively without having to export every single piece of data to some massive (translation: expensive) enterprise data warehouse. Plus, in many cases they’re doing all of this health data analytics in the cloud, so you can be sure that your healthcare analytics solution can scale. While this is a huge step forward, it is just the start.

As I look at the discussion around personalized medicine, what seems to be missing is a focus on creating a connection with the patient. Far too often, analytics vendors in healthcare just want to worry about the data analysis and don’t build out the tools required to engage with the patient directly. This shortfall in patient engagement shows up in two areas: improving patient communication and collecting patient data.

Improving Patient Communication
As we look into the future of reimbursement in healthcare, it’s easy to see how crucial it will be to leverage the right data to identify the right patients. However, you can’t stop there. Once you’ve identified the right patients, you have to have a seamless and effective way to regularly communicate with that patient. As value based reimbursement becomes a reality, no healthcare analytics solution will be complete without the functionality to truly engage with the patient and improve their health.

Patient engagement platforms will require the following three fundamentals to start improving care: interaction between patient and caregiver, privacy, and security. No doubt we’re already starting to see a wide variety of approaches to how you’ll communicate with and engage the patient. However, if you don’t get these three fundamentals down then all of the rest doesn’t really matter. The basis of improved patient communication is going to be efficient communication between patient and caregiver in a secure and private manner.

Collecting Patient Data
Too many analytics platforms only focus on the data that comes from the healthcare providers like the EHR. As the health sensor market matures, more and more clinically relevant data is going to be generated by the patient and the devices they use at home. In fact, in some areas like diabetes this is already happening. Over the next 5 years we’re going to start seeing this type of patient generated data spread across every disease state.

Health analytics platforms of the future are going to have to be able to handle all of this patient generated health data. The key first step is to make it easy for the patient to connect their health devices to your platform. The second step is to convert this wave of patient generated health data into something that can easily be consumed by the healthcare provider. Both steps will be necessary for personalized medicine to become a reality in health care.

As we head into HIMSS 2016 in a couple of weeks, I’ll be looking at which vendors are taking analytics to the next level by including patient engagement. While there’s a lot of value in processing healthcare provider data, the future of personalized medicine will have to include the patient, both in how we communicate with them and in how we incorporate the data they collect during the 99% of their lives spent outside of the hospital.

SAP is uniquely positioned to help advance personalized medicine. The SAP Foundation for Health is built on the SAP Hana platform which provides scalable cloud analytics solutions across the spectrum of healthcare. SAP is a sponsor of Influential Networks of which Healthcare Scene is a member. You can learn more about SAP’s healthcare solutions during #HIMSS16 at Booth #5828.

The Value of Standardizing Mobile Devices in Your Healthcare Organization

Posted on February 10, 2016 I Written By

Before becoming a full time healthcare IT blogger, I worked doing system administration and top to bottom IT support (I am @techguy on Twitter after all). While that now seems like somewhat of a past life, it never ceases to amaze me how the lessons that applied to technology 10 years ago come around again 10 years later.

A great example of this is in the devices an organization purchases. I learned really early on in my technology career the importance of creating a standard set of products that we would support as an IT organization. This was true when ordering desktop computers, laptops, printers, and even servers. The benefits to doing so were incredible and most technology people understand the benefits.

You can create a standard image which you put on the device. If one device breaks you can easily swap it for a similar device or use parts from two broken down devices to make one that works. When someone calls for support, with a standard set of devices you can more easily provide them the support they need.

Another one of the unseen benefits of setting and sticking to a standard set of devices is you can then often leverage the vendor provided management tools for those devices instead of investing in an expensive third party solution. This can be really powerful for an organization since the device management software that’s available today has gotten really good.

What’s unfortunate is that the way mobile devices were rolled out in healthcare, many organizations forgot this important lesson and they’ve got a bit of a hodgepodge of devices in their organization. I encourage these organizations to get back to creating and sticking to a standard set of devices when purchasing mobile devices. No doubt you’ll get a little backlash from people who like to do their own thing, but the cost of providing support and maintenance for a potpourri of devices is just not worth it.

What’s been your organization’s mobile device strategy? Have you created and stuck to a standard device or do you have a mix of devices?

Securing Mobile Devices in Healthcare

Posted on February 8, 2016 I Written By

This post is sponsored by Samsung Business. All thoughts and opinions are my own.

When you look at healthcare security on the whole, I think everyone would agree that healthcare has a lot of work to do. Just taking into account the top 5 health data breaches in 2015, approximately 30-35% of people in the US have had their health data breached. I’m afraid that in 2016 these numbers are likely going to get worse. Let me explain why I think this is the case.

First, meaningful use required healthcare organizations to do a HIPAA risk assessment. While many organizations didn’t really do a high quality HIPAA risk assessment, it still motivated a number of organizations to do something about privacy and security. Even if it wasn’t the step forward many would like, it was still a step forward.

Now that meaningful use is being replaced, what other incentive are doctors going to have to take a serious look at privacy and security? If 1/3 of patients having their records breached in 2015 isn’t motivating enough, what’s going to change in 2016?

Second, hackers are realizing the value of health data and the ease with which they can breach health data systems. Plus, with so many organizations going online with their EHR software and other healthcare IT software, these are all new targets for hackers to attack.

Third, while every doctor in healthcare has had a mobile device, not that many of them accessed their EHR on their mobile device since many EHR vendors didn’t support mobile devices very well. Over the next few years we’ll see EHR vendors finally produce high quality, native mobile apps that access EHR software. Once they do, not only will doctors be accessing patient data on their mobile device, but so will nurses, lab staff, HIM, etc. While all of this mobility is great, it creates a whole new set of vulnerabilities that can be exploited if not secured properly.

I’m not sure what we can do to make organizations care about privacy and security. Although, once a breach happens they start to care. We’re also not going to be able to stem the tide of hackers being interested in stealing health data. However, we can do something about securing the plethora of mobile devices in healthcare. In fact, it’s a travesty when we don’t since mobile device security has become so much easier.

I remember in the early days of smartphones, there weren’t very many great enterprise tools to secure your smartphones. These days there are a ton of great options and many of them come natively from the vendor who provides you the phone. Many are even integrated into the phone’s hardware as well as software. A good example of this is the mobile security platform, Samsung KNOX™. Take a look at some of its features:

  • Separate Work and Personal Data (Great for BYOD)
  • Multi-layered Hardware and Software Security
  • Easy Mobile Device Management Integration
  • Enterprise Grade Security and Encryption

It wasn’t that long ago that we had to kludge together multiple solutions to achieve all of these things. Now they come in one nice, easy to implement package. The excuses of why we don’t secure mobile devices in healthcare should disappear. If a breach occurs in your organization because a mobile device wasn’t secure, I assure you that those excuses will feel pretty hollow.

Wearable Health Trackers Could Pose Security Risks

Posted on February 1, 2016 I Written By

Last October, security researchers made waves when they unveiled what they described as a 10-second hack of a Fitbit wearable health tracker. At the Hack.Lu 2015 conference, Fortinet security researcher Axelle Apvrille laid out a method for hacking the wearable through its Bluetooth radio. Apparently, Apvrille was able to infect the Fitbit Flex from as much as 15 feet away, manipulate data on the tracker, and use the Flex to distribute his code to a computer.

Fitbit, for its part, denied that its devices can serve as vehicles for infecting users with malware. And Apvrille himself admitted publicly that his demonstration was more theoretical than practical. In a tweet following the conference, he noted that he had not demonstrated a way to execute malicious code on the victim’s host.

But the incident does bring attention to a very serious issue. While consumers are picking up health trackers at a breathless pace, relatively little attention has been paid to whether the data on these devices is secure. Perhaps even more importantly, too few experts are seeking ways to prevent these devices from being turned into a jumping-off point for malware. After all, like any other lightly-guarded Internet of Things device, a wearable tracker could ultimately allow an attacker to access enterprise healthcare networks, and possibly even sensitive PHI or financial data.

It’s not as though we aren’t aware that connected healthcare devices are rich hunting grounds. For example, security groups are beginning to focus on securing networked medical devices such as blood gas analyzers and wireless infusion pumps, as it’s becoming clear that they might be accessible to data thieves or other malicious intruders. But perhaps because wearable trackers are effectively “healthcare lite,” used almost exclusively by consumers, the threat they could pose to healthcare organizations over time hasn’t generated a lot of heat.

But health tracker security strategies deserve a closer look. Here are some sample suggestions on how to secure health and fitness devices from Milan Patel, IoT Security Program Director at IBM:

  • Device design: Health tracker manufacturers should establish a secure hardware and software development process, including source code analysis to pinpoint code vulnerabilities and security testing to find runtime vulnerabilities. Use trusted manufacturers who secure components, and a trusted supply chain. Also, deliver secure firmware/software updates and audit them.
  • Device deployment: Be sure to use strong encryption to protect the privacy and integrity of data on the device, during transmission from the device to the cloud, and in the cloud. To further control device data, give consumers the ability to set up user and usage privileges for their data, and an option to anonymize the data. Secure all communication channels to protect against data change, corruption or observation.
  • Manage security: Include trackers in the set of technology being monitored, and set alerts for intrusion. Audit logging is desirable for the devices, as well as for the network connections and the cloud. The tracker should ideally be engineered to include a fail-safe operation — dropping the system down to incapability, safely — to protect against attacks.

This may sound like a great deal of effort to expend on these relatively unsophisticated devices. And at present, it just may be overkill. But it’s worth preparing for a world in which health trackers are increasingly capable and connected, and increasingly attractive to the attackers who want your data.

NIST Goes After Infusion Pump Security Vulnerabilities

Posted on January 28, 2016 I Written By

As useful as networked medical devices are, it’s become increasingly apparent that they pose major security risks. Not only could intruders manipulate networked devices in ways that could harm patients, they could use them as a gateway to sensitive patient health information and financial data.

To make a start at taming this issue, the National Institute of Standards and Technology has kicked off a project focused on boosting the security of wireless infusion pumps (Side Note: I wonder if this is in response to Blackberry’s live hack of an infusion pump). In an effort to be sure researchers understand the hospital environment and how the pumps are deployed, NIST’s National Cybersecurity Center of Excellence (NCCoE) plans to work with vendors in this space. The NCCoE will also collaborate on the effort with the Technological Leadership Institute at the University of Minnesota.

NCCoE researchers will examine the full lifecycle of wireless infusion pumps in hospitals, including purchase, onboarding of the asset, training for use, configuration, use, maintenance, decontamination and decommissioning of the pumps. This makes a great deal of sense. After all, points of network connection are becoming so decentralized that every touchpoint is suspect.

The team will also look at what types of infrastructure interconnect with the pumps, including the pump server, alarm manager, electronic medication administration record system, point of care medication, pharmacy system, CPOE system, drug library, wireless networks and even the hospital’s biomedical engineering department. (It’s sobering to consider the length of this list, but necessary. After all, more or less any of them could conceivably be vulnerable if a pump is compromised.)

Wisely, the researchers also plan to look at the way a wide range of people engage with the pumps, including patients, healthcare professionals, pharmacists, pump vendor engineers, biomedical engineers, IT network risk managers, IT security engineers, IT network engineers, central supply workers and patient visitors — as well as hackers. This data should provide useful workflow information that can be used even beyond cybersecurity fixes.

While the NCCoE and University of Minnesota teams may expand the list of security challenges as they go forward, they’re starting with looking at access codes, wireless access point/wireless network configuration, alarms, asset management and monitoring, authentication and credentialing, maintenance and updates, pump variability, use and emergency use.

Over time, NIST and the U of M will work with vendors to create a lab environment where collaborators can identify, evaluate and test security tools and controls for the pumps. Ultimately, the project’s goal is to create a multi-part practice guide which will help providers evaluate how secure their own wireless infusion pumps are. The guide should be available late this year.

In the meantime, if you want to take a broader look at how secure your facility’s networked medical devices are, you might want to take a look at the FDA’s guidance on the subject, “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf Software.” The guidance doc, which was issued last summer, is aimed at device vendors, but the agency also offers a companion document offering information on the topic for healthcare organizations.

If this topic interests you, you may also want to watch this video interview talking about medical device security with Tony Giandomenico, a security expert at Fortinet.

Is Fitbit a Digital Health Solution?

Posted on January 6, 2016 I Written By

As I’ve been making the rounds of Digital Health at CES (technically the show officially starts today), I’ve run into an extraordinary number of digital health sensors and tracking devices. Some of them are me-too copycats in the already flooded fitness tracker market. Others are doing really incredible stuff around ECG, muscle mass, respiratory function, heart rate, and much more.

One conversation that I’ve had multiple times is that Fitbit and fitness trackers like it really aren’t a digital health solution. This isn’t really said as a knock on Fitbit. Almost always this statement is preceded by a comment about how Fitbit has done some really great things. However, the question really revolves around whether Fitbit is a healthcare application or whether it’s just a fun consumer device.

There’s no argument that Fitbit has been extremely successful. It’s also created mainstream interest in tracking your health. As a consumer application it’s been a big hit. The numbers don’t lie. However, many would equate what it’s accomplished in healthcare to something like the Wii Fit as opposed to something that impacts clinical care like a medical device. It’s more of a game that provides some health benefits than it is a clinical device. I even heard one person take it as far as to compare it to running shoes. If you did a study, running shoes probably improve the health of many people since they make it easier to exercise. Does that make them a health solution?

Like I said, I don’t think anyone is arguing that what Fitbit is doing is bad. I also can’t remember Fitbit ever really claiming to influence clinical care. It’s the rest of the world that’s drawing that conclusion for them. Countless are the number of articles that talk about a patient sharing their Fitbit data with their doctor.

In response to those articles, doctors have generally responded, why do I care about their Fitbit data? I think the reason doctors react this way is because the Fitbit data is limited and really doesn’t affect the clinical care for most people. Maybe there are some isolated cases, but for the majority of Americans it wouldn’t change the care they receive.

While this is true for Fitbit, there is a wave of other tracking devices that could (and I believe will) impact clinical care. It’s easy to see how a continuous ECG monitor that’s FDA cleared (i.e., doctors trust the data) could impact clinical care. This is actually true clinical data that doctors will care about seeing.

At this point I think it’s true that the majority of doctors don’t want to get your Fitbit data. It’s not clinically relevant. However, that’s going to change rapidly as health sensors continue to evolve. Maybe Fitbit will find some clinical relevancy in the data they produce. If not, a wide variety of other vendors are going to create clinically relevant data that doctors will not only want in their EHR, but will demand.

The only question I have now is, should we be building the highways for that data now so that we can easily turn on these new sources of clinically relevant data?

Side Note: I’ll be doing a Digital Health video blab from CES 2016 if you’d like to join.

Tiny Budgets Undercut Healthcare’s Cyber Security Efforts

Posted on January 4, 2016 I Written By

This has been a lousy year for healthcare data security — so bad a year that IBM has dubbed 2015 “The Year of The Healthcare Security Breach.” In a recent report, Big Blue noted that nearly 100 million records were compromised during the first 10 months of this year.

Part of the reason for the growth in healthcare data breaches seems to be due to the growing value of Protected Health Information. PHI is worth 10x as much as credit card information these days, according to some estimates. It’s hardly surprising that cyber criminals are eager to rob PHI databases.

But another reason for the hacks may be — to my way of looking at things — an indefensible refusal to spend enough on cybersecurity. While the average healthcare organization spends about 3% of its IT budget on cybersecurity, it should really allocate 10%, according to HIMSS cybersecurity expert Lisa Gallagher.

If a healthcare organization has an anemic security budget, they may find it difficult to attract a senior healthcare security pro to join their team. Such professionals are costly to recruit, and command salaries in the $200K to $225K range. And unless you’re a high-profile institution, the competition for such seasoned pros can be fierce. In fact, even high-profile institutions have a challenge recruiting security professionals.

Still, that doesn’t let healthcare organizations off the hook. In fact, the need to tighten healthcare data security is likely to grow more urgent over time, not less. Not only are data thieves after existing PHI stores, and prepared to exploit traditional network vulnerabilities, current trends are giving them new ways to crash the gates.

After all, mobile devices are increasingly being granted access to critical data assets, including PHI. Securing the mix of corporate and personal devices that might access the data, as well as any apps an organization rolls out, is not a job for the inexperienced or the unsophisticated. It takes a well-rounded infosec pro to address not only mobile vulnerabilities, but vulnerabilities in the systems that dish data to these devices.

Not only that, hospitals need to take care to secure their networks as devices such as insulin pumps and heart rate monitors become new gateways data thieves can use to attack their networks. In fact, virtually any node on the emerging Internet of Things can easily serve as a point of compromise.

No one is suggesting that healthcare organizations don’t care about security. But as many wiser heads than mine have pointed out, too many seem to base their security budget on the hope-and-pray model — as in hoping and praying that their luck will hold.

But as a professional observer and a patient, I find such an attitude to be extremely reckless. Personally, I would be quite inclined to drop any provider that allowed my information to be compromised, regardless of excuses. And spending far less on security than is appropriate leaves the barn door wide open.

I don’t know about you, readers, but I say “Not with my horses!”