As U.S. health care systems continue to consolidate, they must be aware of the information technology risks lurking in the shadows.
The risks have been compounded by the move to the cloud.
The pace of consolidation remained strong last year, with approximately 1,600 deals. And while megamergers are expected to slow in 2020, larger organizations continue to purchase smaller systems through tucked-in acquisitions. January had more than 200 health care deals, more than double from last January. While these acquisitions are strategic to gaining market growth, such deals may also put health care systems at risk when it comes to cybersecurity.
An invitation to risk
The U.S. health care information technology infrastructure is complex. While most organizations believe their information technology department manages all systems and applications within their networks, the reality is that most do not. A health care system’s information technology infrastructure can consist of inpatient clinical applications, ambulatory clinical applications, and business applications. Some of these are managed by information technology departments, while others are managed by the department using the technology.
While most organizations believe their IT department manages all systems and applications within their networks, most do not.
Take the example of a radiology department that acquires a CT X-ray from an outside vendor. It is managed administratively by the department’s director, who has full access rights to the machine and is tasked with provisioning the machine while it’s in use. The director has no information technology security background, yet is managing a machine that stores personal health information and accesses the hospital’s network. This scenario happens repeatedly within the hospital, creating an environment in which hackers can thrive. That scenario is often referred to as “shadow IT.”
RSM defines shadow IT as those systems built and used outside of the control of an organization’s information technology department. Research company Gartner estimates that in 2020, one-third of successful attacks on enterprises will be on data in shadow IT resources. As the health care industry continues to consolidate, the threat that IT systems and applications are left unmonitored by a centralized IT department only grows.
Going to the cloud
Further contributing to the rise of shadow IT is the use of cloud computing within the health care industry. Following the global trend of increased investment in cloud infrastructure and application software, health care organizations expect to move more of their workloads from traditional, on-premises servers to a hybrid cloud model.
Hybrid cloud is a term used to describe an environment that uses at least one private and one public platform and typically includes some level of interaction between the two. A 2018 study by cloud computing company Nutanix surveyed 345 health care organizations around the world and found that their hybrid cloud deployments were expected to double in the following 12 to 24 months. In considering criteria for where to run essential workloads, health care organizations cited security and compliance as leading priorities.
Health care organizations of all sizes continue to be prime targets for malicious cyberattacks, according to a 2019 study from cyber risk assessment company NetDiligence, and the number of incidents is on the rise. From 2014 to 2018, the report found, health care systems with less than $2 billion in annual revenues reported 382 incidents. Of those, 115 occurred in 2018. This trend is likely to continue with the widespread adoption of cloud-based services within the health care sector.
Health care services and health care technology systems have attracted record volumes of capital from private investors looking to deploy their cash. Over the past decade, the deal count and capital volume deployed to these two sectors of the health care industry have surged, from roughly 1,400 deals and nearly $62 billion in capital in 2010 to a peak of 3,900 deals and $191 billion of capital in 2018.
This growth, combined with the consumerization of technology and cloud-based services, has only accelerated the risk associated with shadow IT. Payers and providers have become more comfortable using mobile apps and services to empower their daily workflow. At the same time, health care systems have adopted technologies that use advanced artificial intelligence and big data.
Health care organizations should be thinking about how they can properly manage their IT systems and applications that interact with their overall IT infrastructure. A pervasive risk within the health care industry lies not only with vendors but also in the sensitive data they collect and store.
“Security leaders need to focus on assessing their vendors and eliminating data storage risk,” said Vikrant Arora, vice president and chief information security officer at the Hospital for Special Surgery in New York. “This can be done by making sure vendors purge sensitive data received from providers and sharing de-identified data, where possible.”
It’s all part of an assessment of risk that hospitals need to take as the industry continues to consolidate. Without that step, vulnerabilities will continue to lurk within an organization.