'You guys scare me in healthcare.'
Data attacks on healthcare organizations have increased a whopping 100 percent from just four years ago, a reality that has chief security and information officers in a dash to stay ahead of the data protection curve.
Ron Mehring, chief information security officer at the 25-hospital Texas Health Resources, who spoke at the HIMSS Media/Healthcare IT News Privacy and Security Forum last week, said that for him it comes down to education and awareness.
"You can spend millions of dollars to put technology in place, but that one user we all know clicks the wrong link or answers the wrong question on the phone," Mehring said, and "there goes all those millions of dollars."
[See also: Hacker calls health security 'Wild West'.]
Industry-wide, researchers peg the cost of those breaches not in millions but in billions – $5.6 billion annually, according to data from the Ponemon Institute.
So Mehring makes sure that everyone, from the CEO on down, understands critical infrastructure and the 'why' behind the 'what.' It's not enough to tell employees not to click certain links, for example. "Do they understand there are people out there trying to get in our network?" he added. "Do (employees) understand cybersecurity?"
And, the reality is, many employees don't understand cybersecurity, which can lead to some serious repercussions for the organization.
Kevin Johnson, chief executive officer at the data security firm Secure Ideas, who moderated the cybersecurity session, pointed out that last year the Federal Bureau of Investigation notified some 3,000 organizations, many of them in the healthcare space, that they had been attacked – unbeknownst to them.
If the FBI has to notify your group when they've been hacked, you're "probably not meeting your audit requirements," Johnson quipped.
When asked if he's witnessed an increase in cyberattacks over the past year, Mehring nodded. "Yes, we are seeing an increase," he said. "I would almost call it a direct attack." Much of what Mehring and his team are seeing involves attacks aimed at specific individuals, and malware that is unique to the target and changes itself within days, which forces his team to keep adapting its defenses.
Phil Alexander, information security officer at the 412-bed University Medical Center in Texas, who joined Mehring on stage, said it took him some time to adapt to the way healthcare does security.
"You guys scare me in healthcare," Alexander, who has spent 14 years in the federal cybersecurity arena, said. "Where I come from, you don't bring your cellphone in the building."
But at University Medical Center, as he explained, they don't have physicians who are exclusively their employees, so the docs bring their personal devices to the workplace on a regular basis.
Alexander said they're in the process of implementing both a mobile device security platform and a product that, when an employee plugs a thumb drive into a machine on the network, pops up a notice that the device must be encrypted, with a "yes" or "no" option. If the employee clicks "no," he can still read the data on the drive but can't store anything on it.
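The read-only-unless-encrypted behavior Alexander describes is exactly what Windows' BitLocker To Go policy "Deny write access to removable drives not protected by BitLocker" produces: an unencrypted drive mounts read-only and the user is prompted to encrypt it. The article does not name the product University Medical Center chose, so the script below is an added example, not UMC's configuration, and assumes Windows endpoints with BitLocker available. The function names are made up for this illustration; the registry path and `RDVDenyWriteAccess` value are the real policy location.

```powershell
# Added example (not from the article): enforce "read-only unless encrypted" for
# removable drives on Windows via the BitLocker To Go policy, then audit the result.
# Assumes Windows 10/11 Pro or Enterprise; run from an elevated PowerShell session.

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-RemovableDriveWritePolicy {
    param([ValidateSet('Enforce', 'Relax')][string]$Mode)
    if (-not (Test-Path $FvePolicy)) { New-Item -Path $FvePolicy -Force | Out-Null }
    switch ($Mode) {
        # Corrected setting: an unencrypted thumb drive is mounted read-only and
        # Windows prompts the user to encrypt it on insertion (the "yes"/"no" popup).
        'Enforce' { Set-ItemProperty -Path $FvePolicy -Name RDVDenyWriteAccess -Value 1 -Type DWord }
        # Weak setting (the default): any thumb drive is fully writable, so PHI can be
        # copied off unencrypted.
        'Relax'   { Set-ItemProperty -Path $FvePolicy -Name RDVDenyWriteAccess -Value 0 -Type DWord }
    }
}

# Check whether the policy is actually in force on this machine (useful as an audit step).
function Test-RemovableDriveWritePolicy {
    $v = (Get-ItemProperty -Path $FvePolicy -Name RDVDenyWriteAccess `
              -ErrorAction SilentlyContinue).RDVDenyWriteAccess
    [pscustomobject]@{ Enforced = ($v -eq 1); RawValue = $v }
}

# List attached data volumes that BitLocker is not protecting. VolumeType 'Data'
# covers fixed data drives as well as removable ones, so filter on MountPoint if needed.
function Get-UnprotectedDataVolumes {
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'Data' -and $_.ProtectionStatus -eq 'Off' } |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus
}

Set-RemovableDriveWritePolicy -Mode Enforce
Test-RemovableDriveWritePolicy
Get-UnprotectedDataVolumes
```

In a domain the same value is normally pushed by Group Policy (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives) rather than written locally; either way, drives already inserted keep their current access until they are re-inserted, so include a reboot or `gpupdate /force` in the rollout and verify with the audit functions rather than trusting the policy push.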
[See also: What scares security officers the most.]
Currently, University Medical Center's BYOD policy is: "We wipe your drive," said Alexander, which they would eventually like to move away from.
Johnson, a self-described ethical hacker, suggested the industry move away from several practices based on what he sees in his job conducting vulnerability and penetration tests for organizations. For instance, it takes Johnson 45 seconds to bypass anti-security – and that's on a bad day, he said. "If we know some jerk like me is going to be wandering through your network, does that mean we have to adjust what we're looking for?"