Who's Afraid of the Big Bad Breach - Part 2

Last time, I described the extent of the cybersecurity threat in healthcare, including reminding readers of the March 2015 Anthem breach of 78,800,000 patient records.  What a disaster!  As I mentioned, most cybersecurity experts warn that, when it comes to intrusions and breaches, it’s more a matter of “when” than “if.”

So what’s a healthcare provider to do?  Risk management principles teach that 100% protection is virtually impossible.  The cost of getting from, say, 96% protection to 99.5% rises exponentially.  Your risk management plan must include assessing your level of risk exposure, deciding your level of risk tolerance, aligning your resources, and managing accordingly.

Here are five risk mitigation steps outlined in the January 23, 2017 Modern Healthcare story entitled “A smarter anti-hack defense” (page 18).

· Invest in intelligent software – These programs can detect unusual activities and trigger immediate investigation and intervention

· Increase budget allocation for cybersecurity – Make sure you have enough highly trained staff

· Develop processes to ensure timely implementation of security patches for medical devices – Connected devices are a newer vector for intrusion and one that is sometimes overlooked

· Replace aging medical devices – Manufacturers sometimes stop supporting older devices, which increases vulnerabilities over time

· Virtually separate devices from the rest of your network – Having your entire infrastructure connected allows more thorough penetration in the case of a breach

These are “techie-type” steps that are certainly needed.  The first place most organizations go in thinking about cybersecurity is the IT department, and rightly so.

But most experts believe the biggest risk comes from employees who inadvertently allow intrusions.  Some estimate that as many as 2/3 of all data breaches are caused by employees’ poor judgment.  Let me give just one infamous example.

According to an October 20, 2016 story in The Washington Times, the hacking of the Democratic National Party was triggered when Hillary Clinton’s campaign chairman John Podesta clicked on a link in a March 16, 2016 email and was asked to re-enter his password.  Rather than landing on a legitimate Gmail site, though, he actually ended up on one with links to the Russian government.  And the rest is history.

It’s catastrophes like this that prompted the Cybersecurity for Dummies book to urge organizations to look beyond the traditional IT department and include three other employee groups:  executive leadership, HR and end users.  Executives must be fully invested in supporting policies that minimize threats.  HR is responsible for implementing them.  And end users must constantly be reminded of the need to be vigilant.

Healthcare organizations must develop policies and procedures for at least the following:

· Passwords

· Wi-Fi security

· Safe browsing practices

· Remote access

· Mobile devices

· Data retention

Just issuing a notebook outlining policies is not sufficient.  The messages must be continuously reinforced.  Beyond these policies, organizations also need robust remediation and recovery procedures in case the worst happens.

Data breaches are part of the new reality, one with which healthcare organizations must come to grips.  Because the threats are multi-faceted, so must be the defensive strategies.