KELLY MCEVERS, HOST:
A cybersecurity breach at a hospital isn't just about data security. It could also be a matter of life and death. Think about all the monitors and machines involved in a patient's care. A federal task force has found that cyberbreaches in health care are common, and that cyberattacks are on the rise. On top of this, hospitals have trouble recruiting cybersecurity leaders. Lauren Silverman of member station KERA has more.
LAUREN SILVERMAN, BYLINE: In the neonatal intensive care unit in Fort Worth, a father is rocking a baby attached to a heart monitor. While doctors roam the halls trying to prevent infections, Theresa Meadows is worried about another kind of virus.
THERESA MEADOWS: The last thing anybody wants to happen in their organization is have all of their heart monitors disabled or all of their IV pumps that provide, you know, medication to a patient disabled.
SILVERMAN: Meadows is chief information officer or CIO of Cook Children's hospital system. She manages IT and cybersecurity for nearly 7,000 employees at more than 50 locations across Texas. Meadows lead a nationwide evaluation of hospital cybersecurity, and the grade she gave - C-minus. Dr. John Halamka, CIO of Beth Israel Deaconess Medical Center in Boston, agrees.
JOHN HALAMKA: It turns out that health care has traditionally underinvested in information technology.
SILVERMAN: Like, way underinvested. Halamka, who's been a CIO since the '90s, says just a decade ago, pretty much all health records were paper. Then in a period of a few years, hospitals switched to electronic. The growth in digital health data has not kept up with security. Other industries, like financial services and the federal government, have devoted more than 12 percent of their IT budget to cybersecurity. Health care averages just half that. At the same time, Halamka says medical data is worth more than ever. And hackers have gotten creative.
HALAMKA: In 1997, what threats did I face? MIT students who tried to hack the Harvard network. In 2017, what threats do I face? State-sponsored cyberterrorism, organized crime and hacktivism.
SILVERMAN: It's no wonder demand for cybersecurity talent in health care has exploded. But it's not that easy to recruit. Consultant Drexel DeFord jokes he's a recovering CIO.
DREXEL DEFORD: CIOs are overly stressed right now with everything from security to regulation. And when I talk to them about maybe coming into health care, the answer I usually get is that no way. It's too complicated. It's way simpler to do banking or oil and gas.
SILVERMAN: And much more lucrative. According to Burning Glass Technologies, the average advertised pay for health care cybersecurity positions is 25 percent lower than in finance. Here's Dr. Halamka.
HALAMKA: People look at me and say, wait, you've been a nonprofit IT leader for 20 years? Don't you realize that you could have retired at the age of, say, 40 with a billion dollars in your bank account if you would have just done social media instead?
SILVERMAN: Plus, you're on the line every minute not just for keeping someone's social media profile working, but helping keep them alive. Theresa Meadows with Cook Children's says a good CIO is familiar with high-tech medical devices, comfortable with software and complicated regulations. Also, a CIO needs to keep hospital staff educated on the latest threats, sometimes with mock cyberattacks.
MEADOWS: We might send an email out to the whole organization that says, please click on this link for your tax information. But there were warnings all through there, like, this came from an external site. And then when they click on the link, they actually get phishing education about why they shouldn't have clicked on the link and here's all the warning signs.
SILVERMAN: The average cost of a health care breach is estimated to be more than $2.2 million, not to mention the reputational damage. Meadows says the price of hiring a cybersecurity leader might seem high, but leaving the job open is an invitation for trouble. Lauren Silverman, NPR News.
(SOUNDBITE OF THE FUNK ARK'S "EL BEASTO")
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.