Play Live Radio
Next Up:
0:00
0:00
0:00 0:00
Available On Air Stations

Hospitals Face Growing Cybersecurity Threats

Patient information can be vulnerable when health care facilities are the focus of cyberattacks.
Eric Audras/Onoky/Getty Images
Patient information can be vulnerable when health care facilities are the focus of cyberattacks.

In the neonatal intensive care unit of Cook Children's Hospital in Fort Worth, Texas, a father is rocking a baby attached to a heart monitor. While doctors roam the halls trying to prevent infections, Chief Information Officer Theresa Meadows is worried about another kind of virus.

"The last thing anybody wants to happen in their organization is have all their heart monitors disabled or all of their IV pumps that provide medication to a patient disabled," Meadows says.

Meadows manages IT and cybersecurity for nearly 7,000 employees at more than 50 locations in Texas. After co-chairing an evaluation of hospital cybersecurity across the U.S., she says there's a lot to improve.

Dr. John Halamka, chief information officer of Beth Israel Deaconess Medical Center in Boston, agrees. "Health care has traditionally underinvested in information technology," Halamka says.

Halamka, who has been a CIO since the 1990s, says just a decade ago, pretty much all health records were paper. Then, in a period of a few years, hospitals switched to electronic records. But the security of digital health data has not kept up with its growth. Other industries, like financial services and the federal government, have devoted more than 12 percent of their IT budgets to cybersecurity. Health care averages just half that.

At the same time, the cost of mitigation has soared, with the average breach costing $355 per stolen record for health care organizations. And hackers have gotten creative. Back in 1997, Halamka says, the threats he faced were students trying to hack the network.

"In 2017, what threats do I face? State-sponsored cyberterrorism, organized crime and hacktivism."

It's no wonder demand for cybersecurity talent in health care has exploded. But it's not that easy to recruit.

Digital health care consultant Drexel DeFord jokes that he's a "recovering CIO. CIOs are overly stressed with everything from security to regulation," he says. "When I talk to them about maybe coming into health care, the answer I usually get is 'No way, it's too complicated. It's way simpler to do banking or oil and gas.' "

It's also much more lucrative to work in other industries. According to Burning Glass Technologies, the average advertised pay for health care cybersecurity positions is 25 percent lower than in finance.

Plus you're on the line every minute, not just for keeping someone's social media profile working, but for helping keep them alive.

Meadows says a good CIO is familiar with complex medical devices and comfortable with software and complicated regulations. Also, a CIO needs to keep the hospital staff educated on the latest threats, sometimes by running mock cyberattacks. Meadows conducts regular phishing exercises paired with educational campaigns.

The average cost of a health care breach is estimated to be more than $2.2 million, not to mention the reputation damage. Meadows says the price of hiring a cybersecurity leader might seem high, but leaving the job open is an invitation for trouble.

Copyright 2020 KERA. To see more, visit KERA.

Lauren Silverman is the Health, Science & Technology reporter/blogger at KERA News. She is also the primary backup host for KERA’s Think and the statewide newsmagazine Texas Standard. In 2016, Lauren was recognized as Texas Health Journalist of the Year by the Texas Medical Association. She was part of the Peabody Award-winning team that covered Ebola for NPR in 2014. She also hosted "Surviving Ebola," a special that won Best Long Documentary honors from the Public Radio News Directors Inc. (PRNDI). And she's won a number of regional awards, including an honorable mention for Edward R. Murrow award (for her project “The Broken Hip”), as well as the Texas Veterans Commission’s Excellence in Media Awards in the radio category.