● Strategic Directives

Better put on your running shoes

Mitigate the risks of cyber attacks. By Jason Free, Features Editor


Most health organizations fully understand that they are at great risk of cyber attacks, but few possess the proper perspective for developing an effective cyber attack defense plan. Paul Calatayud, Chief Information Security Officer, Surescripts, perhaps puts it best when he says, “Preparing for a cyber attack is like preparing for a bear attack. You don’t train to fight the bear. You prepare to be faster than the guy standing next to you.” While it may sound rather ominous, Calatayud’s statement provides a very reasonable context for creating a plan to secure your facility and its very valuable assets.

Know what’s at stake

The full economic value of the records held within a single healthcare organization is almost beyond measure. When trying to calculate the combined value of the personal information of patients, the potential fines incurred for data breach violations and the loss of reputation within the industry and general public due to a cyber attack, one can quickly become overwhelmed by the numbers. “Outside of malpractice, I can’t think of a more damaging force to a hospital’s reputation than a data breach,” says Calatayud. “In time, you may be able to lose the stigma, but in all honesty, I think in the future, it will cause some organizations to close their doors forever.” It could be argued that no matter the skill level of its staff or the sophistication of its equipment, a bad reputation in terms of patient data safety could doom a hospital’s standing in the community. That’s not to say that administrators should use reputation as their incentive to develop a plan against data breaches because, like their physicians, their chief goal should be to do no harm to their patients.

“If you look at a standard healthcare organization, there are massive amounts of electronic protected health information (EPHI),” says Matt Goche, Consulting Director, SunGard Availability Services. “It contains personal information such as social security numbers and credit card data that can easily create false or stolen identities. Don’t forget that hospitals often have gift shops, cafeterias and payment operations. So there’s a lot of personal information within a hospital network. If a ‘bad guy’ is able to get access to a single stream of this data, there is some type of market for it.”

Given that it occurs millions of times a year, we have all either heard of, or even experienced firsthand, the traumas caused by stolen identities. In terms of criminal opportunities, the theft or misrepresentation of one’s identity will only become more attractive as more of our daily lives become part of the digital world. As previously mentioned, these threats are not unique to medical environments, so rather than looking at their situation in a vacuum, healthcare organizations ought to seek out best practices from other industries, and none has had to deal with as many cyber attacks as the financial field.

“Going back to the 1980s, many banking systems at the time felt as though they may be able to get rid of their branches and put all of their business operations online. Obviously that didn’t happen, but with that philosophy behind their security practices and policies, they have developed more robust, more mature data security systems than those often found in healthcare,” says Calatayud. In many ways, banks are currently the fastest people facing the possible “bear attack” of a cyber crime, so there is a great deal to learn from their defensive strategies.

However, it is important to keep in mind that stealing from a healthcare organization is not like robbing a bank. The information, and money, within a bank is similar in nature to EPHI in a hospital because electronic data is just that, electronic data, but there are key differences in the data that must be considered. “If somebody steals from a bank, the bank knows exactly what’s been taken. Whereas with a cyber attack upon a healthcare facility, you may not even know that it happened. There are instances where an organization finds out that, for years, people were illegally accessing information from their networks. This activity went unnoticed because no information was stolen. It was copied,” says Goche. In other words, it does not matter if your social security card is locked in a safe. As long as I know the nine digits on the card, you can keep it, and I can go about my business stealing your identity.

Calatayud continues, “In the case of money, it can be electronically replaced, or there is insurance and other ways to recover that loss. The same things apply in retail with the theft of a credit card. The immediate response in that situation is to change your credit card number and seek to indemnify future required payments. A unique, or interesting, aspect with healthcare data is the perpetuation of that data. By that I mean, when you lose your healthcare records, you really can’t replace that information. Once it’s lost, it can be regenerated but, in the wrong hands, it can result in the perpetuation of identity theft and the prolonged abuse of that information. It can be misused for insurance claims, taxes, etc. That information becomes very critical because it’s associated with a human being versus being associated with a financial institution.”

As painful as a stolen credit card can be, it is most often a bounded event that can be mitigated rather easily. However, if I steal certain healthcare information, I can open up a credit card on your behalf and you may not even know it happened. The damage can run deeper and longer because by the time you are aware of my thievery, it’s usually when creditors are looking for you, calling you to let you know about

April 2014

