Managing cyber security in a threatening environment

Baptist Health South Florida will soon have 9 hospitals and around 50 outpatient facilities, with current annual revenues of USD 3 billion.

At the heart of its digital environment is the recently adopted Cerner electronic health record system.

The wake-up call

The risk management wake-up call for Ralph Lawson came in 1992 with Hurricane Andrew. The hospital was viewed as a community refuge, and the resulting high occupancy led to a water shortage by the end of the storm. Lawson vowed never to run out of water again and to build more robust facilities.

Managing risk became a matter of preventing loss rather than merely insuring against it. Baptist Health acquired a 150'000 ft² data center that had been built to withstand a category 3 hurricane, then hardened it to withstand 200 mph winds and to remain self-sufficient for a full 7 days in an emergency.

Costing cyber risk

The EIC Lifeguard lets physicians remotely monitor all critical beds 24/7 through integrated cameras and speakers. Baptist Health operates 2'460 cameras; a team of 30 monitors the feeds around the clock, and a further 30 people work on cyber security with a budget of USD 10 million. Oracle recently identified budget constraints as one of the main factors limiting cyber security postures, yet Modern Healthcare estimates the cost of a serious breach at USD 402 per compromised record.

Owning the risk

Ralph Lawson’s philosophy towards risk is to own it rather than expect the insurer or the government to save you. This means preventing, detecting and then remediating cyber risk, and viewing, and educating, each employee as a risk manager.

The healthcare system in the United States is undergoing a massive transformation, moving towards a global capitation model in which a provider receives a finite payment to care for a patient or a population of patients. As hospitals become risk-bearing entities, the incentive to share information and improve its flow grows, and with it the exposure to data breach and other cyber risk.

The HITECH Act seems to be treated by the government as a source of income: last year 12 companies were fined over USD 22 million because of data breaches, and the trend is rising. Although some Baptist facilities unfortunately appear on the HITECH 'Wall of Shame', Baptist Health has never had to pay a fine or penalty for a data breach, thanks to good cooperation with regulators and high standards.

Tiered security

Baptist Health runs a two-tier information system. Tier One information is essential for business operations and contains both clinical and administrative data; it is protected with the more costly SunGard service, which provides continuous back-up, so that after a serious attack recovery should take only a few hours. Tier Two information is not mission-critical and can be reconstructed by other means. Internal IT security handles breaches of up to 2'000 records, while Mandiant (owned by FireEye) is retained for larger breaches. Outside experts monitor all incoming traffic, and external auditors review the incident response plans.

Source: ©Copyright Baptist Health South Florida

On top of that, all data is encrypted, even though this means one more password to remember. The working assumption is not “if” a breach occurs but “when”, which is why Baptist's focus is on having a response ready for big-loss incidents.

Summary of the Centre for Global Dialogue's Transforming Healthcare event in February 2017. Summary by David M. Taylor.