3 cybersecurity lessons from the Hollywood Presbyterian ransomware attack
This year at HIMSS16, we hosted a cybersecurity panel discussion in the Imprivata theater on "Protecting health information: thinking beyond cybersecurity." Moderated by Anthony Guerra, editor-in-chief of healthsystemsCIO.com, the panel included health IT and security experts:
- Arthur Ream, Chief Information Security Officer and Director of I.T. Applications at Cambridge Health Alliance;
- Frank Fear, MA CHCIO, Chief Information Officer at Covenant Healthcare; and
- David Ting, Founder and CTO at Imprivata.
The panel focused on the reality of data breaches in healthcare and the security measures that every healthcare organization should put in place to safeguard patient information. We'll outline the key observations from the panel in a series of blog posts, starting with a look at key lessons learned from a recent hospital cyber attack.
In February, Hollywood Presbyterian Medical Center in Los Angeles paid a $17,000 ransom to a hacker who seized control of the hospital's computer systems and would only give back access when the money was paid. The panel discussed the industry implications of the hack and what healthcare organizations can learn from it.
"Healthcare is very lucrative. Fraudulent people don't just care about your credit cards anymore."
1. This is real. Sophisticated cybersecurity breaches are happening to healthcare.
Healthcare hacks are getting more sophisticated by the year. Following a year where hackers accessed more than 110 million patient health records in 56 major cybersecurity attacks, hackers are finding clever new ways to access healthcare data.
Though common in financial services and other industries, the Hollywood Presbyterian attack was the first ransomware attack reported in healthcare. Panel participants said it opened their eyes to the fact that hackers are seeing the value in healthcare records, and becoming more likely to target them. Watching increasingly sophisticated healthcare hacks play out in the news only makes it more real for healthcare security teams, and encourages them to put more safeguards in place to prevent hackers from targeting their organizations.
"Breaches are inevitable, but you have to do your best to keep up."
2. If you lose the trust of patients with a data breach, it's difficult to rebuild that trust.
When someone steals your money or credit card number, your bank or financial services institution can make you whole and give your money back. But in healthcare, when your personal medical information is stolen, you are left exposed and there is no way to make you whole again. In healthcare, it's the trust of the patient that is at stake when data is breached.
Panelists said they can put all the cybersecurity technology in the world in place to try to prevent hospital employees and outside contractors who access hospital data from clicking on suspicious links but, as evidenced by the Hollywood Presbyterian attack, hackers are always a step ahead. To thwart hackers, hospital leaders need to make sure that their staff are educated and aware enough to reach out to the IT and security team before clicking on a potentially illegitimate link.
3. The IT and security team is NOT the security department. The entire enterprise is responsible for security.
The Hollywood Presbyterian cyber attack solidified our panelists' belief that the only way for a healthcare organization to be fully secure is for the entire enterprise to play a role in managing security.
If everyone in the organization is involved in implementing security policies and getting educated on security procedures, a breach of security will not be a mystery. No one at any level will be left wondering, how did this happen to us? Hospital staff and clinicians can't ignore the fact that breaches can and do happen in healthcare.
Panelists discussed some tactics they've used to educate employees at all levels, including running quarterly breach drills, organizing monthly security policy meetings with representatives from different departments, and arming front desk clerks and clinic receptionists with scripts to communicate quickly and effectively with patients in the event of a security incident.
Stay tuned for more highlights from the CIO security panel.
Follow Imprivata on Twitter for daily updates on security in healthcare.