NIH, experts warn healthcare pros to stay vigilant to thwart hackers
LAS VEGAS – As hackers increase in sophistication and the threat surface expands, cybersecurity needs to be a priority for all healthcare organizations.
That’s especially true since many of the global cyberattacks in the last year, like WannaCry and NotPetya, weren’t even targeting the healthcare sector, according to Albany Medical CISO Kris Kusche, who spoke during a HIMSS18 Allscripts meeting on data security best practices.
“That’s the scary proposition,” said Kusche. “The largest threat is essentially the thing that is coming at us that we don’t know about.”
Plus, technology is changing so quickly that it’s difficult to keep up, he added.
For the National Institutes of Health, said Jon Walter McKeeby, the CIO for its Department of Clinical Research Informatics, “there’s the fear of everything… everybody can be attacked. And it only takes one device, one system.”
But maintaining all vulnerabilities “at one time is a difficult proposition,” McKeeby said. “We have to be more vigilant.”
The trouble is that budget constraints make security tough for many providers, while for healthcare providers in the private sector, patching systems and taking vulnerable equipment like MRI equipment offline isn’t always an option.
“It needs to get to the point where we don’t need to fight for the budget,” said Dara Barrera, Michigan State Medical Society’s manager of Practice Management and health IT.
“I want to be routine. I don’t want IT to be specially funded,” said Kusche. “I don’t want to have to say I need this special budget because then I will know [security] is part of the culture, part of the DNA of the organization.” And having a culture of security within an organization is crucial, given that people are one of the greatest weaknesses.
So how do healthcare providers manage all of these threats? NetSmart CISO Tony Maupin said it’s really about working closely with peers, the business unit and vendors, and getting “to know who is dealing with the same kinds of challenges you’re facing.”
“But also… challenge your vendors,” he added, to share best practices, think outside the standard practices and “get involved in those grassroots of security… Let’s just come together and work as a team.”
“To me it’s less about security, and more and more about risk management,” Maupin said. “We’re always going to have resource strains. It’s different for every one of you... but we’re all faced with more work than we can get done with our team.”
So organizations need to have a very clear understanding of risks, and clearly communicate the impact with the executives to make sure everyone grasps the gravity of the situation, Maupin explained. “Like anything else, you prioritize and do the best you can.”