2017 is here, and, like any new year, it promises both opportunities and challenges. The question is, what will we do with it? Will it be a year of great progress, one of marking time, or, worse yet, one of falling further behind? Meeting the cybersecurity challenges of the future is a job for leaders. There should be no doubt that healthcare institutions are now under regular attack from external threats, while continuing to face the insidious abuse of insiders. As the old saying goes, “they have it coming and going.”
Based on recent news and the headline of this article, you are likely expecting that this will be a discussion of the irresponsible actions of the MedSec and Muddy Waters organizations, which outed St. Jude Medical by disclosing vulnerabilities in the medical devices it makes. Certainly this is not something I condone or support as the right path to an acceptable end: it raised fears in the people using those devices, gave the criminal element harmful information, and quite possibly caused irreparable financial harm to St. Jude before the issues identified were perhaps even verified. I would argue, however, that the fault for this situation has a much broader cast than the characters represented in this one episode.
Let’s look seriously and objectively at the dangers inherent in maintaining current systems of user privileging.

Sam was just another network engineer assigned to the server team at the hospital. Each engineer had two sets of credentials, one with and one without elevated privileges, and they had all been told not to use the privileged one when just accessing the network or routine services such as email. But Sam always liked to do things his own way, and saw no point in wasting his time worrying about which login he used, thinking, “These security guys are always making a mountain out of a molehill.” Then one day, a massive outage took place that affected multiple systems and applications, and someone in finance was on fire because they couldn’t get payroll out; hell, they couldn’t even access the payroll servers.
The modern healthcare ecosystem is all about data and what we can do with it, which is why Data Loss Prevention (DLP) tools should be on everyone’s list of priority solutions to implement. I used to say that DLP solutions paid for themselves based on their ability to control exfiltration, and therefore reduce the risk of breaches, but these solutions are becoming far more important than that. DLP tools have the ability to help users take control of information and do what is really important—manage it from cradle to grave.
Last week, the Brookings Institution published a very well-written report that accurately illustrated the current threat environment and identified the specific issues that seem to continue to plague healthcare in its efforts to fight cyber incidents. The shame of it was that there was no ‘new’ news. In fact, this week seemed like déjà vu as Larry Ponemon published his sixth annual report on healthcare cybersecurity, which, unfortunately, reflected a lot of the same issues as last year’s, or even the last
When I was a kid just about everyone had a sandbox, and if you didn’t, you wanted a friend who did. Sandboxes were great terrain to fight your toy soldiers on and for building off-road tracks for your Matchbox cars. That of course is not the sandbox I’m talking about today, but the analogy with respect to having one – or wanting one – could very well be one and the same.
I’ve not spoken to a single security professional, meaning someone who carries the experience, training and certifications to be called a CISO, who believes that they can adequately protect the healthcare organization they serve simply by being compliant with HIPAA. It’s time we let the air out of that balloon. The last couple of years, and in particular last year, showed everyone that data security in healthcare is no longer for the faint of heart. Securing healthcare today is the business of serious organizations and serious men and women with real skills. HIPAA is neither a suitable standard nor a framework for protecting a modern, diverse, hyper-connected enterprise. We live in an information ecosystem that is evolving at a rate that is straining our ability to keep up.
Written by Mac McMillan, FHIMSS, CISM | February 15, 2013

The final statement in the Attestation that healthcare providers have to sign says it all. “I certify that the foregoing information is true, accurate and complete. I understand that the Medicare/Medicaid EHR incentive program payment I requested will be paid from Federal Funds, that by filing this attestation I am submitting a claim for Federal Funds, and that the use of any false claims, statements, or documents, or the concealment of a material fact