Patients are a hospital's most important asset, not their data.
We recently concluded a study, www.ise.io/hospitalhack, at a variety of hospitals to determine the plausible impact of cyber threats against patient health. Our conclusion: they are very plausible. Part of what fuels this weakness is a long-standing and ever-increasing drive to protect patient health records rather than the asset that the healthcare facility was meant to protect in the first place: the patients' health.
Don't get me wrong. I value my privacy. It's just that I also value the health and well-being of my family more than anything else. In our two years researching this problem, we have tried to drive home the point that the most important job of a healthcare facility is to protect its patients' health. We've made progress, but it never fails, even with partners we've worked with in healthcare for years and colleagues in the security community who thoroughly understand the problem: when referring to patient records, you hear from healthcare professionals, more often than not, "and those are the most important assets at the hospital." Begin surgical procedure of removing smacked palm from forehead.
It tells me we have a long way to go. We can't even get the words right! When these slips, similar to the one mentioned above, are repeated by industry leaders, it leads me to believe there is a deeply ingrained directive that protecting patient records is of primary importance, and that patient health is secondary. We have to change this, and it might just start with our choice of words when talking about healthcare security objectives.
Next week I'll be at our IoT Sandbox, Paul Dant will be speaking at the RSA USA 2016 conference, and our colleague, Geoff Gentry, will be presenting at HIMSS. Together we'll be conducting our own assessment of the number of booths still pushing products and services toward the wrong mission (securing only patient data) vs. the number of booths that are progressive, focused on the right mission (securing patient health), with offerings that reflect this focus. We will be sharing our results immediately following the conferences; stay tuned!
Readers interested in further details about this topic can reach us at: firstname.lastname@example.org