Simply by nature, healthcare contains a wealth of data: not just medical records, but credit card numbers, social security numbers, and personal contact information. Combine this with a web of technology that connects internal and external parties, ever-evolving hardware and software, multiple wireless networks, and a proliferation of people who interact with all of this data, and it is little surprise that the industry is a popular target for cyber criminals.
Just a few years ago, healthcare security threats focused on lost and stolen devices. Today's cyberattacks include hacking, phishing, malware, and extortion, and in the last few months ransomware (holding data for ransom) has also become increasingly popular. “The threat paradigm we live in today is very different than the one we used to live in. Cybercrime is very real in the health industry,” said Chuck Kesler, MBA, chief information security officer for Duke Medicine in Raleigh-Durham, North Carolina.
Not only is cybercrime a real threat, it is also more pervasive than most people realize, said Mac McMillan, FHIMSS, CEO and chairman of CynergisTek, based in Austin, Texas. “There are a lot more incidents going on than what we see in the news,” he said. And, Kesler added, “the patients are the real victims here, and they often aren’t even aware of what is going on.”
To address the issue of cybersecurity, Kesler and McMillan presented a session on best practices for protecting against cyberattacks at the Healthcare Information and Management Systems Society (HIMSS) conference in Las Vegas.
Too often, organizations think they only need to protect against attacks from the outside, but, as McMillan said, “walls don’t work all by themselves. You need to think from the inside out, not just from the outside in.” Cyberattacks do not happen overnight; they are works in progress, often unfolding over the course of 12 to 18 months before data is actually exfiltrated. During that time, attackers look through data logs, gather information on network architecture, watch traffic, examine the security measures in place and, only then, begin exfiltrating data.
Building an information security program for your practice requires much more than anti-virus software and encryption. An organization’s risk assessment needs to include myriad security controls at the administrative, technical, and physical levels. Company policies and procedures need to address not just ways to protect data and prevent breaches, but also how to respond to and recover from an attack. “The bottom line is that breaches will happen,” Kesler said, “and you need to plan ahead before they happen.”
Technically speaking, organizations need to use two-factor authentication, sophisticated password systems, intrusion detection, and logging systems, and these systems need to be monitored. If something out of the ordinary is taking place but no one sees it happening, these tools offer no protection. “From a risk perspective, I don’t care that these things are there,” McMillan said. “I care that they are working.” The same is true for physical protection against security threats: fencing, locks, cameras, guards and back-up power can all help protect against cyberattacks.
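What “monitored” means in practice is that something actually reads the log and raises an alert; a log that nobody examines is the situation McMillan warns about. The following is an added example, written for this article and not code from the session or from either speaker, of a minimal log monitor run over constructed sample log lines. The log format, the thresholds, the business-hours window and the sample addresses and user names are all assumptions. It flags three things a defender would want to see early in the 12 to 18 month dwell time described above: a burst of failed logins from one address, a successful login that follows such a burst, and a data export outside business hours.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an assumed format (not taken from any real system):
#   "<ISO timestamp> <user> <source IP> <LOGIN_OK|LOGIN_FAIL|EXPORT> [detail]"
SAMPLE_LOG = """\
2016-03-01T09:02:11 nurse.jane 10.1.4.22 LOGIN_OK
2016-03-01T09:05:40 dr.smith 10.1.4.30 LOGIN_OK
2016-03-01T23:14:02 svc.backup 10.1.9.5 LOGIN_OK
2016-03-02T02:10:01 admin 203.0.113.7 LOGIN_FAIL
2016-03-02T02:10:03 admin 203.0.113.7 LOGIN_FAIL
2016-03-02T02:10:06 admin 203.0.113.7 LOGIN_FAIL
2016-03-02T02:10:09 admin 203.0.113.7 LOGIN_FAIL
2016-03-02T02:10:12 admin 203.0.113.7 LOGIN_FAIL
2016-03-02T02:10:20 admin 203.0.113.7 LOGIN_OK
2016-03-02T02:31:45 admin 203.0.113.7 EXPORT patients.csv
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL|EXPORT)(?: (.*))?$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, ip, event, detail = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "event": event, "detail": detail or ""}


def analyze(log_text, fail_threshold=5, window_seconds=60, business_hours=(8, 18)):
    """Walk the log in order and return a list of alerts.

    Rules (thresholds are assumptions chosen for illustration):
      brute_force            - fail_threshold or more LOGIN_FAIL events from one IP within window_seconds
      success_after_failures - a LOGIN_OK from an IP that already triggered brute_force
      off_hours_export       - an EXPORT event outside the business_hours window [start, end)
    """
    alerts = []
    recent_fails = defaultdict(list)  # source IP -> timestamps of failures inside the window
    flagged_ips = set()               # IPs that already produced a brute_force alert

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line: skipped here, but a real monitor should count these too
        ts, ip, user = rec["ts"], rec["ip"], rec["user"]

        if rec["event"] == "LOGIN_FAIL":
            # keep only failures still inside the sliding window, then add this one
            kept = [t for t in recent_fails[ip] if (ts - t).total_seconds() <= window_seconds]
            kept.append(ts)
            recent_fails[ip] = kept
            if len(kept) >= fail_threshold and ip not in flagged_ips:
                flagged_ips.add(ip)
                alerts.append({"rule": "brute_force", "ip": ip, "user": user, "ts": ts,
                               "detail": f"{len(kept)} failures in {window_seconds}s"})

        elif rec["event"] == "LOGIN_OK":
            if ip in flagged_ips:
                alerts.append({"rule": "success_after_failures", "ip": ip, "user": user,
                               "ts": ts, "detail": "login succeeded after failure burst"})

        elif rec["event"] == "EXPORT":
            start, end = business_hours
            if not (start <= ts.hour < end):
                alerts.append({"rule": "off_hours_export", "ip": ip, "user": user,
                               "ts": ts, "detail": rec["detail"]})

    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a['ts'].isoformat()} {a['rule']:<24} user={a['user']} ip={a['ip']} {a['detail']}")
```

On the constructed sample the script raises three alerts, all tied to the same external address, and stays silent for the ordinary daytime logins and the nightly service account. The point is not the specific rules, which any real deployment would tune, but that an intrusion detection or logging system only counts as “working” in McMillan's sense when its output feeds a check like this one and a person is responsible for acting on what it raises.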
One of the most valuable tools organizations have to fight cybercrime is their staff. Good information security isn’t just based on high-quality technology, but also on relationships and open communication among departments, including medical staff, IT engineering and management, compliance officers, and counsel. If people note something unusual regarding data storage or transmission, they need to feel empowered to say something. “If you think you only have one or two people on your security team, you’ve already lost,” McMillan said. “Everyone in your organization is a part of the security team.”