CMIOs have a central role in protecting cybersecurity
Too often, healthcare data security is thought about in terms of the safety of a hospital's IT infrastructure (the job of the CIO and CISO), or the financial and reputational risk of a breach (the province of the CFO and CEO). But CMIOs also need to be well-attuned to the serious threats cyber criminals pose to clinical information.
“These types of attacks can really disrupt the clinical care we provide for our patients," says one physician executive. "It's not just about data."
At the AMDIS/HIMSS Physicians' Executive IT Symposium on Sunday, the security role of the chief medical information officer was highlighted, as the black-market value of health records increases and rampant ransomware attacks put EHRs at risk.
Daniel Nigrin, MD, chief information officer at Boston Children's Hospital and a practicing pediatric endocrinologist, speaks from experience. He fought a lengthy and much-publicized battle against the hacktivist group Anonymous back in 2014.
Over the course of about a month that spring, Nigrin and hospital IT staff engaged in "a series of cat and mouse events" with Anonymous, whose members had targeted the hospital to protest a controversial custody case involving one of its patients.
It started with a threatening online video, progressed to low-level distributed denial-of-service activity – and moved eventually to massive DDoS attacks, along with a huge influx of malware-infected emails.
Throughout the attack, "our EHR system remained functional," said Nigrin. But it was touch and go for a while. And when the dust had cleared, it became apparent just how at-risk patient safety was.
"If we lose our internet, we have a huge disruption," said Nigrin. "There's all sorts of (web-based) functions and processes our organizations rely on that are absolutely critical to care."
That's why it's key to have contingency plans in place, to be able to reconfigure workflows when needed, to recognize importance of email and alternate forms of communication, he said.
"These types of attacks can really disrupt the clinical care we provide for our patients," said Nigrin. "It's not just about data."
Security consultant Kevin Johnson said most health organizations still "don't truly understand the kinds of attacks that exist," whether network-based, web-based or the result of the negligence of trusted third parties. Third-party risk is "astronomical," he said, "from the doctors who have privileges to the vendors who deal with you."
Similarly, too few provider organizations appreciate that "breach harm has many forms," said Johnson. And once the bad guys get in, they're just getting started: "Their goal is to expand their foothold. And there's always ways in."
Physicians often resent being coached or told what to do by security professionals. But Johnson said they should think of the larger picture.
"Docs in the room, please do not be insulted," he said. "We aren't doing it because we think less of you, or because we think you can't handle stuff." The fact is that hackers set their sights on healthcare providers because "you have access to everything (they) want," he added. "You have access to the data and systems of the organization (they) want to attack."
Security "is everybody's responsibility," said Johnson. "It's something we all have to do."
This article is part of our ongoing coverage of HIMSS17. Visit Destination HIMSS17 for previews, reporting live from the show floor and after the conference.