


Cybersecurity: It's All About the Holes


 

Cybersecurity is about what is not secure. It's about the blind spots, the weaknesses, the potential problems with the systems and the people.

These are things most of us don't think about because we assume someone else is thinking about them ... or worse, we haven't considered them at all. So we need to start looking at cybersecurity the right way. It's not about the security so much as it is the vulnerability. We have to be able to spot the vulnerability before it gets exploited. Since all healthcare providers are legally required to maintain good cybersecurity practices, it is something we should be thinking about on a regular basis.

When most people consider cybersecurity, they think of it as something the IT guy has to worry about or that "just happens" with computers, when, actually, the opposite is true. Yes, the IT department is, or should be, worrying about cybersecurity. And yes, computers and software applications are designed with security features. However, the real danger is in complacency ... the failure to keep up with changes - and now, most recently, the availability of information about the user, which can be exploited as easily as outdated encryption. Everything is secure until someone breaches it, and when that someone has nothing better to do all day than to let their computers search for vulnerabilities on your computers, you have the potential for serious cyber-insecurity.

Hackers are criminals. They are thieves and terrorists, and they are getting better at what they do, which is stealing, ransoming, and exploiting insecure data. Unfortunately, they love the data from medical providers because it usually contains sensitive personal information. The criminals are always looking for unattended data, and they are using public information to make the medical community easier targets. Several recent breaches included the use of information from social media accounts and company websites to make it appear as though the message containing the malware, spyware, virus, or worm came from a legitimate source.

To stay ahead of them, medical professionals have to be able to look at the data system like a criminal, which is not easy to do since most of us have no desire to misuse or misappropriate anything. Our brains are at a distinct disadvantage. Don't think about how secure your network, software applications, or web portals are; instead, look at how secure they aren't. What information is there, and how could someone get it? For example, patient portals are a wonderful tool, but the healthcare industry is way behind when it comes to cybersecurity. A cyber-criminal has nothing better to do than to work on that portal day and night, which means it needs to be constantly monitored to avoid a major infiltration.

If much of this information seems foreign to you or if you think this stuff only happens to big hospital systems, then you should wonder about how cyber-ready your office really is and think about the fact that if you do not know the questions to ask, you are probably not getting the answers you really need.

For an analysis of cybersecurity, you need to look at both ends of the transaction. Consider the network storing and/or transmitting the data and the people who input and/or use the data. People and technology must work together to form a successful cybersecurity system. The network must be constantly monitored; and whether you have internal or external IT professionals at your disposal, you have to ask questions regularly because the status of cybersecurity changes every time the criminals find and exploit a new tool or weakness anywhere along the vast system of software and hardware.

Hackers get information from unintended leaks, like New York University publishing the U.S. military code-breaking mechanism, or from the constant and relentless probing of the security mechanisms tech companies like Microsoft continue to develop. Don't make it easy. Continuously re-evaluate the system. Regularly schedule analyses of devices, such as stationary computers, laptops, iPads, tablets, and smart phones. You don't know if you don't ask, but someone in your workforce probably has protected health information (PHI) or other sensitive data, such as passwords, on a smart phone.

Then there are all the plug-ins - scanners, printers, fax machines, camera systems, thermostats (yes, anything that can be controlled remotely is a potential hole in your security), not to mention all the wearables and implantables that continue to be developed. As those devices become more common, we have to know how they are communicating with the network in order to maintain cybersecurity.

We also have to invest in personnel training, which is sometimes more difficult to control than the network system because human beings can be, let's just say, uncooperative. It is not because they don't care; rather, we may have failed to create a real culture of cybersecurity. We need to invest in personalized training for all employees, including medical practitioners.

Internet tools such as video presentations, webinars, online curricula, and quizzes are all good interim reminders. However, as a recent PHI breach proved, a workforce member having just attended an online training session - which included instruction on an almost identical phishing scam - is not enough when the workforce does not take that instruction seriously. Personnel training cannot be an afterthought, and physicians must set the tone for the workforce.

The culture of the office will ultimately determine its level of cybersecurity or cyber-insecurity. Start looking for holes and constantly evaluate your system to become truly secure.


Julie-Karel Elkin is a member and chief compliance officer at Spicer Rudstrom PLLC. She is the head of the Health Data Privacy and Security practice and has been helping companies and providers, large and small, with all aspects of their compliance needs for more than 20 years. For more information, go to spicerfirm.com.





