With the continued move towards digital, securing patient data has moved to the top of the list for many healthcare organizations. I sat down with David Chou (@dchou1107) to talk about data and device privacy and security and to get his perspective on the challenges and on what organizations can be doing to protect themselves and their patients from cyber attacks.
David Chou is an executive with more than 13 years of experience in the healthcare industry. David has been named to several “Top Social CIO” and “CIOs to Know” lists. He is a visionary and resourceful leader with expertise in healthcare and digital technology and a proven track record of delivering innovative, state-of-the-art solutions.
KATE: How would you characterize the current state of IT security in healthcare?
DAVID: The healthcare industry has the most exposure and it is the most vulnerable industry for data security breaches. According to the latest survey published in USA Today, the healthcare industry has accounted for 42.5% of all data breaches over the last three years – more than any other sector of the economy. Another staggering statistic is that 91% of all healthcare organizations have reported at least one data breach over the last two years. The primary reason why the healthcare industry is so vulnerable is because your medical information is worth 10 times more than your credit card number on the black market. The data for sale includes names, birth dates, policy numbers, diagnosis codes and billing information. According to experts who have investigated cyber attacks on healthcare organizations, fraudsters use this data to create fake IDs to buy medical equipment or drugs that can be resold, or they combine a patient number with a false provider number and file made-up claims with insurers.
KATE: What are the biggest security and privacy challenges facing healthcare organizations?
DAVID: There are three big challenges facing healthcare organizations in terms of data & device privacy and security:
Many healthcare organizations failed to invest in their technology infrastructure in the past five years, and now, with security among the top concerns for the board and the CEO, we are starting to see a lot of healthcare organizations investing in upgrading their legacy infrastructure. I have personally witnessed many multi-billion dollar healthcare organizations that have outdated networks that are not segmented. There are even organizations that I have visited where they still have their network data ports wide open, which means that anyone with a laptop and a network cable can plug their laptop directly into a network port on the wall and get access. These are basic security precautions that must be addressed immediately, and the leaders of IT must address upgrading the legacy infrastructure to avoid any security breaches.
Access Control Maintenance
Inventory maintenance and coordination is still a challenge. Healthcare organizations must follow their process of working with HR, the user departments, and IT in effectively communicating the changing roles and access of a user. Healthcare organizations have sensitive data spread across various devices in the mobile world that we live in today. The data resides not just on servers and desktops but also on laptops, mobile devices, and other specialized devices for inputting medical record data. I agree that we must work on having encryption set up, but my philosophy is to manage the data access and stop trying to manage every device that is connected. If the focus is on data access management and providing a secure mechanism for data access, that will be a lot more effective than trying to maintain an inventory of the various devices and ensuring that they are protected. This is easier said than done, but it is the guiding principle that I use to manage data security in the mobile world.
Medical Device Issues
Medical device security is a tough one to tackle since the device manufacturer is not working with the healthcare organization’s technology department. We are buying a black box expecting it to work and meet all of the security protocols. The medical devices usually are closed, FDA-certified systems that will not allow for the installation of any tools to scan for security vulnerabilities. I have read about a scenario where a hospital staff member clicked on an email containing a worm that spread across the entire network, including the hospital’s medical devices. The IT team at the hospital was successful in cleaning out the worm on every network device but failed to detect the worm inside the medical device. The worm on the medical device gave the hacker the ability to gain access and compromise the security. This is an ongoing concern for healthcare security officers as the number of network-connected medical devices increases, and the industry does not have a firm solution to this problem yet. The good part is that the medical device companies are aware of the vulnerability and security is also on their priority list.
KATE: What is the CIO’s role in regards to data & device security and privacy?
DAVID: From a technology perspective here are a few things to consider:
- Understand the current vulnerabilities (malware, attacks, virus). Do you understand the details of a virus attack and how they can penetrate your network? If not, it is ok but take the proactive steps to learn about it. Have your CISO sit down with you to provide a regular educational deep dive.
- Start identifying the systems where your critical data resides and take the necessary precautions to safeguard it. We can all point to the EMR as a critical system, but what about your enterprise data warehouse, payroll, etc.?
- Do you have a plan in place in case of a security incident? This could be a disaster plan exercise for the case where the entire network is down. It is important to have a communication plan for the organization, and we must have a routine drill similar to a disaster drill in the organization.
- Does your organization have cyber-insurance in place? If not, it will be worthwhile to look into getting an insurance policy for the organization.
KATE: What can organizations do to be more prepared to defend against cyber adversaries?
DAVID: All organizations have cybersecurity at the top of their list, and it is a boardroom discussion now. We have seen the recent news of a hospital paying $17,000 in ransom to get the decryption key for unlocking the hospital’s system, and this should put the healthcare vertical on high alert. The most important thing that an organization can do is to educate its staff on security and on the measures that every employee must take to protect the institution. The majority of security threats happen internally within an organization, and it most commonly starts with an employee opening an email or file that allows the hackers access to the network. Education of the staff has to be the top priority for an organization, and the once-a-year security assessment is not good enough. Cyber security has to be an organizational objective, and it needs to fall under the ownership of the entire C-suite. For example, educating the staff and making sure that they are following the organization’s security policy should be the responsibility of the Chief Human Resource Officer and not the Chief Information Officer’s role. The collaboration of the departments in making cyber security a top requirement will be a step towards combating cyber adversaries.