Hospital and healthcare software security can always be marginally improved, but if we want to lower the risk of healthcare security breaches, we need to take a very different approach.
Ron Avignone
In February 2016, Hollywood Presbyterian Medical Center in Los Angeles was struck by hackers who shut down the hospital IT system for over a week.
The hackers initially asked for $3.7 million in ransom to unlock encrypted files, but eventually they reduced their demands to 40 bitcoins, or about $17,000. As incredulous as it may sound, the hospital decided to pay the ransom.
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” said Allen Stefanek, chief executive officer of the medical center.
On March 24, 2016, Methodist Hospital in Henderson, Kentucky also became a victim of a ransomware attack. The hackers infiltrated its computer network and they are now holding encrypted data hostage for 4 bitcoins, or roughly $1,600.
Only marginal improvements can be made by investing more of the same resources in the problem, and the ROI has diminishing marginal returns. A better approach is to understand the root causes at the core of healthcare security breaches.
Network and HIPAA application security is unlike other endeavors in IT. If you want to build a secure HIPAA compliant network or an application, you assemble a group of engineers with the required talent. Anybody with the right skills and HIPAA knowledge can build technology, but can they do it with high security?
People who build networks and HIPAA applications such as help desk and customer service software should obviously be aware of security risks. However, there needs to be a new process built into network and HIPAA software development that specifically focuses on white hat hacking.
Today, it is generally accepted that coding and quality assurance (QA) are separated in software development. One team codes the application and another team tests for bugs. Most of the QA process is focused on whether the software simply functions, and generally less on whether it is secure and will pass HIPAA compliance. Also, QA teams are typically made up of less technical personnel.
Healthcare software security is very complex and too difficult to consider in the traditional development and QA processes.
A new paradigm should be introduced into traditional software development, which is performing an “ethical hack” after the QA process is completed. The new healthcare and hospital software development paradigm should be coding, QA and then an ethical hack cycle, which all together is an iterative process.
In order to begin this new paradigm, I propose that we make ethical hacking a more important part of our national educational system. Today, there is no degree program offered in ethical or so-called ‘white hat hacking.’
I recommend a new approach to produce a highly trained generation of experts in IT security for the healthcare industry. In short, we need a curriculum in ethical hacking to complement all the major technical engineering programs in hardware and software development.
Today, there are conferences and certifications dedicated to ethical hacking and even some workshops specifically for young people. I recommend a ratio of 5:1: for every five engineers creating hardware and software, our country needs one ethical hacker.
Physicians go through medical school and then gain experience as a hospital resident to apply their book knowledge. A typical physician with 10 years of experience has ten times the expertise of a first-year resident.
Ten years of healthcare IT security experience does not create the same expertise, as the possibilities are nearly endless with millions of lines of code or complex networks. One needs to know where to look; a decade of “experience” can actually be a liability. The human brain can get “stuck;” biotech scientists who work for too long on a problem become dogmatic and prematurely rule out novel approaches.
Retail giant Target was hacked in November 2013 and lost 40 million credit cards and personal data on 70 million customers. The ringleader of the hacking operation is alleged to be a 22-year-old Ukrainian. Often the best hackers are very young, rebellious and have something to prove. These are perfect qualities to cultivate and direct into a career in ethical hacking.
Ethical hacking could be an enormous source of new jobs for young people with open minds and little knowledge of the past. Not understanding what “cannot” be done is an asset. This can also be an opportunity for women and minorities to be more involved in technology. Performance can be measured objectively, based on how many security flaws are identified and fixed. Ethical hackers can work remotely, making the gender and race of an ethical hacker irrelevant.
I propose that the private sector set up a “hacking fund” modeled after open source foundations that will provide significant financial rewards and attribution to ethical hackers.
The Linux operating system, the MySQL database and the PHP language were all developed in an open source model by thousands of people working remotely. The quality of the work has been astounding, in that these open source products have clobbered commercial products from Microsoft, Oracle and others.
To make the hacking fund self-sustaining, companies and governments should be required to pay a very significant bounty for security holes found by ethical hackers who are registered members of the hacking community. This will encourage hackers to go ‘white hat’ and be able to make a lot of money from their work. This approach will give commercial entities and governments incentives to make the paradigm change by including ethical hacking in their development cycles and hiring young people who are well suited for this work.
For the first decade, any bounty income earned by ethical hackers should be exempt from federal and state income tax. The work of ethical hackers has a tremendous social good and directly benefits society, as we are all well aware of the fallout from hospital and healthcare security breaches. A tax exemption would further encourage people to cross over the line from black hat to white hat hacking and prevent hospital and healthcare security breaches.
Ron Avignone founded Giva in 1999 and is based in Silicon Valley, California, serving customers worldwide. Ron holds an MBA from the University of Chicago and is a New York State Certified Public Accountant with a minor in English. Ron is also an avid endurance athlete, vegan and mindfulness advocate.