Guest post by Adam Hawkins, vice president client services, CynergisTek.
HIMSS 2016 is right around the corner, and I’m sure everyone is excited about the prospects of conferencing in Las Vegas. This location certainly has a lot going on to keep everyone busy, on and off the exhibit floor. There should be many new healthcare technology players to see and learn about, and it is always interesting to visit the innovation area. Hopefully, we’ll get to hear what folks like KLAS, HIMSS Analytics and other research organizations are working on in 2016 as well.
For instance, KLAS is continuing its work toward treating security vendors as their own category, and has a new study underway looking at service providers in this space. That study won't be completed in time for HIMSS, but KLAS should be able to preview what it hopes to accomplish with the study and what its report will include. I think it will be an important read for everyone in our industry.
Interoperability is a huge area of concentration in healthcare at the moment, with the Office of the National Coordinator, Health & Human Services and HIMSS all very much involved in the discussion. There are sure to be several presentations on this and related topics. Hopefully we will also hear how security and privacy will be addressed, since many of the health initiatives that depend on interoperability cannot succeed without them.
There is no doubt about it: healthcare as an industry is so reliant on its systems environment and electronic information that efficiency, safety and productivity suffer any time that environment is disrupted. Yet it seems we are destined to incur disruptions more often than not because of our own actions or inaction.
This article takes a somewhat tongue-in-cheek look at some of the naïve or bad behaviors, misconceptions, short-sighted decisions and mistakes we make that contribute to making our own data security situation more difficult.
The list of examples is virtually endless, from placing too much confidence in vendors, to underestimating employees, to naïve beliefs about the internet, social media and applications. Hundreds of hospitals blindly relied on a vendor to process their billings without once questioning the company's security practices. They were surprised when their revenue cycle was interrupted because that company suffered a ransomware attack. Other healthcare entities have found themselves embroiled in breach investigations when subcontractors they never knew existed, some of them overseas, lost their data.
Expressing surprise may be a realistic response, but it is hardly an acceptable excuse for a lack of due diligence. Few organizations watch the people who represent the highest risk to their systems and information: those with elevated privileges. Examples abound of administrators who became saboteurs. What is amazing is the almost immediate reaction when these things happen: how could we not have been auditing these people? The answer is usually simple. They are the ones responsible for running the audits, so nobody was auditing the auditors. And then there is the internet and social media. The first myth organizations fall victim to is "we're too small to attract anyone's attention" or "no one is looking at us."
Most attacks from the internet are indiscriminate, automated probing of systems looking for anyone vulnerable. It is true that they are not looking for you specifically, but if you are connected they may find you anyway. Last but not least is the naïve belief that there is actual privacy on social media and in applications just because they say so. Weekly we hear about another app compromised or information leaked from a site thought to be secure. There is no such thing as foolproof security, and apps, even ones named "Secret," should be approached with caution.
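One practical way to see the "indiscriminate probing" point above in your own data is to look at what a source actually asked for. Mass scanners request the same well-known paths (phpMyAdmin, WordPress, the Tomcat manager, leaked dotfiles) on every host they reach, regardless of what the host runs, so they stand out as a burst of 404s for software you do not have. The following is an added example, not code from the original post or from CynergisTek: it parses constructed web-server log lines (documentation-range addresses, invented timestamps) and labels each source as scanner, suspect or normal. The probe-path list and the thresholds in classify() are assumptions for illustration, not an authoritative signature set.

```python
import re
from datetime import datetime

# Apache/nginx "common" log format.  Assumption: the logs use this layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Paths mass scanners request regardless of what the target actually runs.
# Illustrative list chosen for this example, not an authoritative signature set.
PROBE_PATHS = {
    "/phpmyadmin/", "/wp-login.php", "/xmlrpc.php", "/cgi-bin/php",
    "/manager/html", "/.env", "/.git/config",
}

# Constructed sample traffic (not real logs); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2016:03:14:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162
203.0.113.7 - - [10/Feb/2016:03:14:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162
203.0.113.7 - - [10/Feb/2016:03:14:02 +0000] "GET /cgi-bin/php HTTP/1.1" 404 162
203.0.113.7 - - [10/Feb/2016:03:14:02 +0000] "GET /manager/html HTTP/1.1" 404 162
203.0.113.7 - - [10/Feb/2016:03:14:03 +0000] "GET /.env HTTP/1.1" 404 162
198.51.100.20 - - [10/Feb/2016:09:02:11 +0000] "GET /patients/portal HTTP/1.1" 200 5120
198.51.100.20 - - [10/Feb/2016:09:02:13 +0000] "GET /patients/portal/css/app.css HTTP/1.1" 200 880
198.51.100.20 - - [10/Feb/2016:09:02:14 +0000] "POST /patients/portal/login HTTP/1.1" 302 0
192.0.2.55 - - [10/Feb/2016:11:45:00 +0000] "GET /patients/portal HTTP/1.1" 200 5120
192.0.2.55 - - [10/Feb/2016:11:45:05 +0000] "GET /wp-login.php HTTP/1.1" 404 162
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def profile_sources(log_text):
    """Aggregate, per source IP, the counters needed to tell probing from use."""
    per_ip = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the triage
        p = per_ip.setdefault(rec["ip"], {
            "requests": 0, "not_found": 0, "probe_paths": set(),
            "first": rec["ts"], "last": rec["ts"],
        })
        p["requests"] += 1
        if rec["status"] == 404:
            p["not_found"] += 1
        if rec["path"] in PROBE_PATHS:
            p["probe_paths"].add(rec["path"])
        p["first"] = min(p["first"], rec["ts"])
        p["last"] = max(p["last"], rec["ts"])
    return per_ip


def classify(profile, min_requests=4, not_found_ratio=0.75, min_probe_paths=3):
    """Label one source 'scanner', 'suspect' or 'normal'.

    Thresholds are assumptions for this example; tune them to your own
    traffic before acting on the verdicts.
    """
    ratio = profile["not_found"] / profile["requests"]
    if len(profile["probe_paths"]) >= min_probe_paths or (
            profile["requests"] >= min_requests and ratio >= not_found_ratio):
        return "scanner"
    if profile["probe_paths"] or ratio >= not_found_ratio:
        return "suspect"
    return "normal"


def triage(log_text):
    """Map each source IP to a verdict plus the evidence behind it."""
    out = {}
    for ip, p in profile_sources(log_text).items():
        span = (p["last"] - p["first"]).total_seconds()
        out[ip] = {
            "verdict": classify(p),
            "requests": p["requests"],
            "not_found": p["not_found"],
            "probe_paths": sorted(p["probe_paths"]),
            # Single-request sources have no span; report the raw count instead.
            "req_per_sec": p["requests"] / span if span > 0 else float(p["requests"]),
        }
    return out


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info["verdict"], info)
```

On the sample data the first source hits five probe paths in two seconds and is labelled a scanner; the second only touches the organization's own portal and is normal; the third mixes one real page with a single WordPress probe and is flagged as suspect rather than condemned, which is the case a human should look at. The 404 ratio matters as much as the path list: a scanner's requests are for things you do not have, which is exactly why "no one is looking at us specifically" is true and irrelevant at the same time.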
Organizations make bad decisions all the time based on misplaced or erroneous perceptions of risk, or on plain disregard for it. Bad decisions, regardless of the reason, are still bad decisions. How about underestimating the risk from USB ports?
Organizations routinely underplay the fact that, left unprotected, these ports can be a source of information loss or a route for importing malware. We encrypt mail, encrypt laptops, maybe even provide encrypted USB drives, but fail to manage the ports themselves. In complex environments it is also easy to be overwhelmed by what seem like routine chores, such as documenting every change. Someone says it is a routine change, it only affects one system, or the vendor is just applying a regular update, implying that it does not have to go through change control, and so it never gets documented. Then there is underestimating the risk when we acquire another entity. This risk comes in two forms. The first is the acquisition without the assessment, or rushing the acquisition so that assessment is not possible, and assuming the risk blindly.