(by Imprivata) At HIMSS16 Imprivata hosted a healthcare security discussion around “Protecting health information: thinking beyond cybersecurity.” The panel of health IT and security experts included Anthony Guerra, Arthur Ream, Frank Fear, and David Ting.
Panelists discussed the reality of security breaches in healthcare, and outlined key lessons learned from the Hollywood Presbyterian ransomware attack. Next, they turned to steps that all healthcare organizations can take to prepare and protect against security breaches and data leaks.
“All the hackers think about all day long is how to get in, and they will get in, but you can be prepared.”
1. Make all healthcare users accountable for security
Doctors are used to performing very messy procedures, and once they’re finished, they know someone else will clean up after them. That same attitude tends to carry over to enterprise-level cyber security. Doctors want the highest level of access to hospital systems – elevated privileges to install anything they want – but when there’s a security breach, doctors don’t feel responsible for helping to clean it up.
In order to ensure the security of hospital systems, panelists argued that healthcare users’ attitudes must change. If doctors want full access privileges, they need to take responsibility for the consequences in the event of a healthcare security breach.
2. Start, and continue, with cyber security education
Every user in the healthcare enterprise should have a basic level of understanding of the types of cyber threats that exist. Panelists agreed that security education is a key element in preparing healthcare enterprises for attacks. They outlined various education campaigns used in hospitals, including circulating fake phishing emails asking users to enter passwords and other personal information.
In one hospital, IT periodically collects names of every user who fell for a fake phishing attack and requires them to take a security refresher course. While this targeted approach is helpful, panelists acknowledged that a truly successful education campaign must be multi-faceted, hitting all users in the healthcare enterprise on a regular basis.
3. Install security safety nets
Healthcare is a treasure trove of data. In one stop, hackers can access PHI, PII, and payment card (PCI) data. The data isn’t going away, so the question becomes: how do you create an invisible security layer around patient data that minimizes exposure in the event of a security breach?
Phishing emails with malicious links are getting harder for healthcare users to identify. According to our healthcare security panelists, 28 percent of people will click on a malicious link believing it to be legitimate, and most of them will enter passwords or other personal information once they’ve followed that link. IT leaders can educate users, but they can’t expect every user in the healthcare enterprise to be technically able to recognize a phishing attack, so they have to put safety nets in place that protect users even when an attack gets through.
4. Lock down USBs and secure personal devices
As healthcare becomes more mobile and users across the enterprise bring work home, they are using USBs and mobile phones to move sensitive patient data and patient identifiers in and out of their hospital’s network. Today, users access hospital systems on personal devices from anywhere in the world with an Internet connection. In many cases, these personal devices aren’t secure and any data contained on them can be easily accessed if they are lost, stolen, or breached by a hacker.
Panelists agreed that healthcare IT leaders need to take steps to minimize the security risks created by portable drives, peripheral devices, and anything that can sync to the cloud. Healthcare security leaders are locking down these devices with encryption and two-factor authentication for remote access.