Cyberattacks on US Healthcare (edited)
October 7, 2014 | Dr. Dwayne Hodges, CISSP, www.hbma.org

If you look around you, chances are you'll see some form of technology. Whether it's a computer, smartphone, or tablet, technology in the workplace is now as ubiquitous as coffee or meetings. The same is true in healthcare, and for many reasons this is a good thing. Information technology and Web-based tools have helped the healthcare industry manage patient records and conduct billing, research, and administrative functions with greater efficiency. But with these tools comes the threat of cyber attacks. Any institution, be it a private practice or a public hospital, that uses health IT systems with inadequate security or enforcement is susceptible to a cyber attack. What's more, a security breach in the healthcare industry is particularly challenging because its impact is widespread and carries very specific legal, organizational, and individual accountability issues. The rising prevalence of cyber attacks poses a huge problem for the healthcare industry.

THE STATE OF CYBERSECURITY IN HEALTHCARE

The advent of health IT systems has, unfortunately, allowed hackers to commit the traditional crimes of theft and financial fraud faster and more easily. Additionally, the Internet provides an unparalleled degree of anonymity, making it difficult (if not impossible) for police to investigate and prosecute these crimes. Although healthcare institutions have processes and basic security systems in place to stem the threat of cyber attacks, I have seen that the healthcare industry, in general, lacks the technical and administrative knowledge necessary to combat advanced, persistent threats. The impact of a cyber attack can be huge: the potential loss of intellectual property, personally identifiable data, and public confidence.

Cyber attacks in the healthcare industry have multiple victims: the healthcare provider or institution and the patients. Not only can an attack be financially devastating, but the loss of patient confidence and trust can undermine the infrastructure of the entire industry. How can you stem the threat of cyber attacks? To be fully effective, you will need to bring in an expert. Advanced, persistent threats such as those the healthcare industry faces require the ability to plan, design, and implement cybersecurity controls that stay ahead of emerging threats and current technologies. Cybersecurity should not be randomly assigned to any employee; it requires a higher level of education, training, and certification.

DEFENSE IN DEPTH & BREADTH

The following is an overview of best practices for cybersecurity implementation, as well as the techniques a cybersecurity professional should use. Just as practitioners use data to make healthcare decisions, IT personnel should use data when designing and implementing cybersecurity programs and policies. To start, IT staff should conduct a robust risk analysis. It generates data on the types of information and information systems that need security controls and therefore serves as the foundation of a strong and effective risk management plan.

A robust risk analysis begins with a detailed inventory of the organization's active and inactive information systems, networks, programs, applications, hardware, and software. It is important not to confuse the inventory with an audit, or an audit with security: they are three tasks with separate and distinct functions. The data from the inventory represents a holistic and detailed view of all the health information generated daily within the IT systems.

An effective cybersecurity plan uncovers every point of entry for all systems identified in the inventory, much as an evacuation plan for a building lists every point of entry and exit. The next piece is to determine where this information goes. A process known as mapping details the flow of data from one system to the system that stores the personal health information. The next phase of the risk analysis is the audit, a bird's-eye view of an elaborate process with minute details. This is a very complex process and will need to be conducted by a cybersecurity expert. The final phase of the risk analysis is security. Cybersecurity practices in the healthcare industry must be integrated into the planning, design, and implementation of technical, administrative, and physical controls.

NO SILVER BULLET

The threat of a cyber attack can be a scary prospect, and the consequences of one are immense and serious. Each organization has its own systems, processes, and challenges. To help protect your organization against a cyber attack, first seek the advice of a cybersecurity consultant. The consultant can conduct an audit and assessment and provide you with recommendations on implementing a compliant cybersecurity system. In doing so, you are taking a significant step in warding off cyber attacks.
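The inventory, mapping, and entry-point steps of the risk analysis described above, as an added example that is not from the article or its author: a Python sketch over a constructed inventory and data-flow map that lists which PHI stores each point of entry can reach, flags inactive systems that still have a live path to PHI, and reports PHI stores the map does not cover. All system names, statuses, and flows are constructed for illustration.

```python
# Added example, not from the article: a toy model of its risk-analysis phases
# (inventory, data-flow mapping, entry-point enumeration); all data constructed.
from collections import deque

# Constructed inventory: status, whether the system stores PHI, entry point?
INVENTORY = {
    "patient-portal":    {"status": "active",   "phi": False, "entry": True},
    "billing-gateway":   {"status": "active",   "phi": False, "entry": True},
    "legacy-fax-bridge": {"status": "inactive", "phi": False, "entry": True},
    "ehr-database":      {"status": "active",   "phi": True,  "entry": False},
    "claims-warehouse":  {"status": "active",   "phi": True,  "entry": False},
    "imaging-archive":   {"status": "active",   "phi": True,  "entry": False},
}
# Constructed data-flow map: (source, destination) edges.
FLOWS = [
    ("patient-portal", "ehr-database"),
    ("billing-gateway", "claims-warehouse"),
    ("legacy-fax-bridge", "ehr-database"),
]

def reachable_phi_stores(start, inventory, flows):
    """Follow mapped flows from `start`; return the PHI stores it can reach."""
    adj = {}
    for src, dst in flows:
        adj.setdefault(src, []).append(dst)
    seen, queue, hits = {start}, deque([start]), set()
    while queue:
        node = queue.popleft()
        if inventory[node]["phi"]:
            hits.add(node)
        for nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(hits)

def entry_point_report(inventory, flows):
    """Per point of entry: reachable PHI stores, plus a flag for inactive systems
    that still have a live path to PHI (a gap the inventory alone hides)."""
    report = {}
    for name, meta in inventory.items():
        if meta["entry"]:
            stores = reachable_phi_stores(name, inventory, flows)
            report[name] = {"phi_reachable": stores,
                            "inactive_path_to_phi": meta["status"] == "inactive" and bool(stores)}
    return report

def unmapped_phi_stores(inventory, flows):
    # PHI stores that no mapped flow feeds: the data-flow map is incomplete there.
    fed = {dst for _, dst in flows}
    return sorted(n for n, m in inventory.items() if m["phi"] and n not in fed)
```

Running entry_point_report and unmapped_phi_stores on a real inventory gives the audit phase a concrete list of entry points, retired systems with live paths, and PHI repositories whose flows have not yet been mapped.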