Security is a Worldwide Problem
The recent rash of ransomware and hacking attacks have highlighted once again the highly exposed nature of our information systems and the challenge of securing these systems. In May of 2017 Wannacry trojan encryptor malware was unleashed and spread rapidly bringing many hospitals in the National Health Service (NHS) to a standstill. It made use of a Microsoft Windows vulnerability called EternalBlue (patched by Microsoft on March 14, 2017). The speed and breadth of the impact created a lot of media attention as well as the impact on some very public facing companies including the NHS but to the security community and many in this area it was not a surprise and many had viewed these kinds of attacks as inevitable and it was only the question of timing that was in doubt.
Healthcare is a Prime Target
The healthcare has had a big fat target on its back for some time – the records stored are rich in detail and value and by most accounts worth at least 10 times as much as your stolen credit card information. We have seen a steady stream of breaches impacting health records – I personally have been impacted on two separate occasions by two separate breaches.
In fact, 90% of healthcare organizations reported suffering a data breach during the last two years. About 45 percent reported more than 5 data breaches during that time period. But it doesn’t stop there – as a recent Nightline report showed – we may soon be dealing with security incidents impacting individual patients. The first ever “Hack of a Hospital” conference hosted by Dr. Christian Dameff and Dr. Jeff Tully demonstrated a number of attacks and their potential impact on the treatment and care of patients
Healthcare Security is in Critical Condition
As the recent 2017 Healthcare Industry Cybersecurity Taskforce Report report from the Health Care Industry Task Force made clear
Now more than ever, all health care delivery organizations have a greater responsibility to secure their systems, medical devices, and patient data
But as their graphic highlighted
Security has been an afterthought in healthcare data storage and management and we are trying to play catch up in an area that is seeing rapid innovation by the criminal hacking community of exploits and techniques that challenge the security fo our data. Even with HIPAA and HITECH we are still seeing healthcare situations where data is just not secured well enough and the threat vectors are wide, varied and innovative The task for had 6 high-level recommendations suggested to collectively increase security across the healthcare industry
- Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
- Increase the security and resilience of medical devices and health IT.
- Develop the health care workforce capacity necessary to prioritize and ensure cyber security awareness and technical capabilities.
- Increase health care industry readiness through improved cybersecurity awareness and education.
- Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
- Improve information sharing of industry threats, weaknesses, and mitigations.
Incremental Security Improvements in Healthcare
But how does a facility or provider office start down the path of securing their systems and data?
- Security comes from the Top – if the CEO or Senior Leaders are not making it a priority it won’t be a priority
- Make security part of the culture integral part of any organization’s culture and behavior
- Empowering your employees and helping them make the right decisions
- Train yourself and your employees – put in an effective CyberSecutiy Training Program for Everyone
Do you have any better suggestions? What small change have you seen that makes a difference to improve security in your organization and in healthcare? What one thing could we do that would have a big impact in this area?