Outside of top-secret government systems or experimental research, most commercial entities expect a server upgrade to produce a net savings, or at least to maintain a baseline of performance. And servers can be quite pricey: $5,000 to $20,000 or more if you want to own the hardware, and anywhere from $0 (to try) up to several thousand dollars for cloud-based servers, depending on what you require.
Now imagine a server that cost $100,000. Or $500,000. Or $1,000,000. What would you expect from such a computing powerhouse? What if all you received was a basic, run-of-the-mill server with competent on-site installation? Would you feel it was a bad deal? Why would anyone pay so much?
Nobody would, at least not intentionally. But that is exactly what a Northern California hospital did. Through a series of events, a single server ended up costing St. Joseph's Health over $41 million. That is a lot of new MRI machines, doctors' salaries, and clinical improvements, combined.
| Cause | Cost |
| --- | --- |
| Controls and Systems Upgrade | $17 million |
| Class Action Settlement | $15 million |
| Credit Monitoring | $4.5 million |
| Victims Fund (ID theft damages) | $3 million |
| HHS OCR Civil Monetary Penalty | $2.14 million |
| Total | $41.64 million |
The only difference between St. Joseph's and a number of other hospitals and healthcare networks is that we know what happened at St. Joseph's; the others are just waiting to be discovered. And at the risk of sounding like an armchair quarterback: the problem in this case was not an IT problem, and it was not even an IT security problem. It was a management problem.
Information security is not IT security. Information security includes IT security, but also risk management, regulatory compliance, and management policy (collectively referred to as governance). In this instance the server was installed, and no doubt it was fully functional and configured according to SOP. What was missing was a process to manage the introduction of new technology, especially technology that stores, transmits, or processes ePHI: a risk analysis before the system goes live, and a review of what the change exposes. The HIPAA Security Rule already requires both, a risk analysis and an evaluation whenever an environmental or operational change affects the security of ePHI, so this was not a gap in the regulation but a gap in following it.
When we trust our doctor to treat our medical information confidentially, we are also trusting the supporting cast of professionals to do likewise. It is incumbent on healthcare leadership to incorporate information security into the overall culture and strategic vision of their organization, and to take responsibility for the due care that our most intimate medical information deserves.
Contact RMO Consulting today to learn how we can work together to determine your organization’s information security needs.