As a recent IBM study estimates, the average cost of a severe data breach tops $7 million in the health care industry, underlining a painful truth: Hackers are just as much a threat to the bottom line as malpractice lawsuits, bad investment decisions or changing economic conditions.
There is an ever-greater pressure, said Michael Hamilton, co-founder of Seattle-based CI Security, an information security consulting firm, for those with the best real-time understanding of how cyber crime is evolving to have the same kind of access to chief executives and governing board members as those who manage finances and other critical business functions have long enjoyed.
"They're trying to avoid records disclosure, theft, extortion and the disruption of critical operating capacity," Hamilton said. "Those are direct fiduciary risks to the business."
Lisa Easterly, chief executive of the San Diego Cyber Center of Excellence, said there is a definite push across all industries, especially those that hold sensitive records of patient or employees, to elevate information security among top decision makers.
"Every CEO, at this point, is now in the business of cyber security," Easterly said. "They need to be engaged and understand what the risk is on a real-time basis; the threat landscape is ever evolving and becoming more sophisticated."
In San Diego County, nothing could have underlined these points more clearly than the ransomware attack that hit Scripps Health, the region's second-largest health care system, in May.
The attack, which Scripps still has not fully explained, so compromised digital systems that all facilities were forced to revert to paper record processing for nearly one month. Early on in the attack, which eventually forced the health provider to notify nearly 150,000 of its patients that their records may have been breached, so slowed critical functions that emergency, trauma and stroke cases had to be diverted to other facilities.
While it is not clear how frequent and robust cybersecurity briefings were at the highest levels of Scripps leadership before the attack, a few digital bread crumbs available for anyone to see online seem to indicate that the role of chief information security officer moved down, not up, the corporate organization chart years prior to May's attack.
Profiles posted to the popular jobs site LinkedIn show that the CISO position moved further from, not closer to, Chief Executive Officer Chris Van Gorder.
The LinkedIn profile of Powell Hamilton, now running his own security consulting firm, indicates that he filled Scripps' chief information security officer position at the vice president level from November 2015 through April 2019.
Hamilton declined to comment on his reason or reasons for departure after receiving notification from Scripps' legal department that doing so would violate the terms of his severance agreement.
A LinkedIn profile for Scripps employee Cyrus Bulsara indicates he took over the CISO role in June of 2019, but as a director, not a vice president. Bulsara's profile indicates that he majored in business and economics at UC Santa Barbara, is working on a master's degree in cybersecurity from the Whiting School of Engineering at Johns Hopkins University and is a certified intrusion analyst and certified information security manager.
Scripps did not make Bulsara available to discuss his role and generally declined to discuss moving the position within the corporate hierarchy.
"Scripps has always prioritized the security of our patients' information," the company said in a written statement. "Over the past several years, Scripps has significantly increased investments in and resources under the CISO, a key position in our organization."
Scripps has remained mum on what budget it allocated to information security. Scripps said in an email that Bulsara reports to Scripps' chief audit, compliance and risk executive, who reports to the organization's board of trustees and CEO Chris Van Gorder.
That path to the CEO appears to be somewhat rare, at least in health care.
An informal survey of local health care organizations found that none list chief information security officers among the executive teams that directly report to CEOs. Many report to chief information or chief technology officers.
While that arrangement seems perfectly logical, Hamilton said it can create an unhelpful competition for resources.
Information technology departments, he said, are generally focused on keeping equipment up and running and also on "digital transformation," the process of modernizing existing practices to gain efficiency through electronic upgrades.
"The CIO is concerned with keeping the lights on; if the stuff is working, don't mess with it," Hamilton said. "Having to carve out that budget for security means that the digital transformation work is not going to get done and that's the stuff that makes money for the business, and security can get sidelined."
This, Easterly said, is a common problem and many corporations have recently been finding ways to remove information security from IT to lessen the chances of competing interests.
"For information security you are unfortunately having to use resources that perhaps the business would like to be able to use for forward-facing needs," Easterly said, adding that she has no knowledge of Scripps' specific situation.
Literally responsible for saving lives round-the-clock, and holding the most sensitive information possible on its patients, health care systems are increasingly in the crosshairs, especially since digital systems have gradually become the main way that medical providers access test results, imaging and care documentation.
Given these realities, UC San Diego took the unprecedented step in 2019 of naming what is believed to be the nation's first medical director of cybersecurity.
Dr. Christopher Longhurst, UCSD's chief information officer, said the position, held by Dr. Christian Dameff, an emergency medicine specialist and cybersecurity researcher, is an attempt to tailor the organization's approach to health care realities.
The typical approach, Longhurst said, is to simply lock systems down as tightly as possible. But extra password-confirmation programs and other ways of hardening the health care information target can create difficult tradeoffs when lives are on the line.
"Having a medical director partner who is committed to the criticality of cyber security can help make the case with physician colleagues about why this is so critical but, at the same time, make sure that we're not locking our systems down to the point where we're going to negatively impact patient care," Longhurst said.
UCSD has been public about its attempts to anticipate digital attacks, even inviting the media to observe a simulated ER ransomware attack at its medical simulation center in 2019. Doctors in training worked through just what they would do if CT scanner images and other digital information suddenly became unavailable due to a ransomware attack.
That kind of training, though, focuses on what to do once an attack has arrived. Practicing such reactions, Easterly said, is critical but not enough. All companies should be training all employees to spot and avoid the most-common ways that hackers gain access to networks, especially through look-alike "phishing" emails that can trick just about anybody to input their credentials into sites designed to look just like trusted resources.
Company-wide audits where consultants conduct their own phishing attacks are recommended to help employees all the way up to the executive level to gauge personal levels of susceptibility.
"Training across the board is just so important; it's the first thing that we really recommend across the board," she said.
But there is also a need for top executives, already deluged with information from all aspects of a business, to understand and demand accountability for new cyber threats as they appear.
Chief information security officers are studying these threats daily and are in the best position to communicate what they've learned to decision makers. But too often, Hamilton said, CISOs have trouble translating their technical findings for board room audiences.
While the top executives could often use with a little more training on the ins and outs of technological threats, information security executives also need to do a much better job of reading the room.
CISOs must present their information in terms of risk to the bottom line.
"Scary Russian cyber buffer overflow SQL injection ... nobody cares," Hamilton said. " Nobody in that board room gives a rat's ass about that stuff."
"It's more about being able to say something like, 'we have 1 million records meeting the definition of personally-identifiable information, and we know that they're worth about $200 apiece if you've got to clean up a data breach. That's $200 million in potential liability. Can I have $50,000 for controls to reduce that risk in half?"
While the knee-jerk reaction with cyber security may be to name an organization's best technical expert the CISO, that can end up backfiring unless that person is willing to sharpen their understanding of the business they're trying to protect.
"A big part of the problem is that people who have come up through this technical track need to go out and get a damn MBA," Hamilton said. "Yes, the CEO should probably learn something about cyber, but the CISO, even more so, needs to know more about business."
©2021 The San Diego Union-Tribune. Distributed by Tribune Content Agency, LLC.
