The Most Expensive Single Server Upgrade, Ever (So Far)

One server, that’ll be $41,000,000.00.

Outside of top-secret government systems and experimental research, most commercial entities expect a server upgrade to produce a net savings, or at least to maintain a baseline of performance. Servers can be quite pricey, ranging from $5,000 to $20,000+ if you want to own the hardware. Cloud-based servers run from $0 (to try) up to several thousand dollars a month, again depending on what you require.

Imagine a server that cost $100,000. Or $500,000. Or $1,000,000. What would you expect from such a computing powerhouse? What if all you received was a basic, run-of-the-mill server with a competent but routine on-site installation? Would you feel like it was a bad deal? Why would anyone pay so much?

Nobody would, at least not intentionally. Yet that is exactly what happened to St. Joseph Health, a California healthcare system: through a series of events that began with a single server installation, that one server ended up costing the organization over $41 million. That is a lot of new MRI machines, physician salaries, and clinical improvements, combined.

Cause                                Cost
Controls and Systems Upgrade         $17 million
Class Action Settlement              $15 million
Credit Monitoring                    $4.5 million
Victims Fund (ID theft damages)      $3 million
HHS OCR Settlement (HIPAA)           $2.14 million
Total                                $41.64 million

The only difference between St. Joseph Health and a number of other hospitals and healthcare networks is that we know what happened at St. Joseph Health. Others are simply waiting to be discovered. And at the risk of sounding like an armchair quarterback, the root problem in this case was not an IT problem, nor even an IT security problem. It was a management problem.

Information security is not IT security. Information security includes IT security, plus risk management, regulatory compliance, and management policies (collectively referred to as governance). In this instance the server was installed and, no doubt, was fully functional and configured according to the standard operating procedure. What was missing was a process for managing the introduction of new technology, especially where ePHI is stored, transmitted, or processed: a risk analysis and evaluation of the new system before it ever touched patient data, which is exactly what the HIPAA Security Rule requires of a covered entity.

When we trust our doctor to treat our medical information confidentially, we are also trusting the supporting cast of professionals behind that doctor to do the same. It is incumbent on healthcare leadership to build information security into the culture and strategic vision of the organization, and to take responsibility for the due care that our most intimate medical information deserves.

Contact RMO Consulting today to learn how we can work together to determine your organization’s information security needs.


How High Will We Go?

Image credit: healthitoutcomes.com

Last year Ponemon reported that data breaches cost the healthcare industry more than $6.2 billion. I expect that number to continue to increase this year.

One reason is that ransomware was the second-largest cost driver cited in the report, and ransomware incidents are not on the decline. Trend Micro reported in August that the first half of 2016 alone saw a 172% increase in ransomware incidents over all of 2015 combined.

Another reason is the importance of information availability in the clinical environment. Where other industries may sardonically quip, "it's not a matter of life and death," in healthcare it quite literally can be. As an analyst at ESET put it, "Criminals know this and are deliberately targeting medical organizations."

Collectively, those of us in the information security field hold a special trust and confidence with the people who share their personal health information. We need to do a better job of controlling the risks to that information, and of making the case for adequate resources to those who approve budgets but may not fully understand the risk.