Washington is having a field day with the revelation that Hillary Clinton used a personal email account to conduct government business during her four years serving as Secretary of State, but while many of the discussions surrounding the revelation are political, the technological implications run just as deep.
On Monday, the New York Times reported Ms. Clinton communicated via a personal email domain when she was Secretary of State. What's more, she used a "homemade" email server located in her New York state home, the Associated Press found.
While other government employees have conducted business from personal emails, the situation with Ms. Clinton raises additional flags given her international stature. The original NYT report said it was unclear what, if any, security measures were implemented with her personal email domain.
"The question is [whether] whatever provider she's using gives her anywhere near the same level of protection for the confidentiality and the authenticity of the communications as she would be getting from her State Department email," said J. Alex Halderman, a cybersecurity expert associated with Ann Arbor-based University of Michigan, in an Al Jazeera America report. "If she's using it from her main work machine to send and receive her mail, then people could be intercepting the mail she's sending and receiving, even changing its content."
What's even more troubling about the Clinton scenario is that her aides warned her and those in her office that using the personal email account was dangerous, especially given the presumably sensitive nature of some of the emails.
"We tried," said a current State Department employee in the Al Jazeera America report. "We told people in her office that it wasn't a good idea. They were so uninterested that I doubt the secretary was ever informed."
Whatever your political opinions of Ms. Clinton are, this revelation serves as a reminder for executive leadership that even C-suite level executives don't escape the threat radar or cybersecurity responsibilities of the rest of the organization.
There are a couple of key takeaways healthcare leaders can internalize from these occurrences.
First, you cannot afford to be lax with cybersecurity issues. Ms. Clinton's aides have told media that she only sent unclassified information through emails, but that doesn't guarantee the classification category of incoming messages. Al Jazeera America points to an email sent to Ms. Clinton and posted on The Smoking Gun, a website that publishes leaked documents. The email read, in all capital letters, "THE FOLLOWING INFORMATION COMES FROM EXTREMELY SENSITIVE SOURCES AND SHOULD BE HANDLED WITH CARE."
If that's not the X on a hacker's treasure map, then I don't know what is. And now in healthcare, given the rising value of personal identifiers on the black market, any piece of protected health information that may be transmitted or accessed through unsecured networks puts patients, and health systems' cybersecurity, at risk.
Secondly, the comment from the State Department staffer serves as a soapbox for all the frontline IT workers. They all told her not to do it, but she did it anyway. No role is more significant than another when it comes to cybersecurity, even if you're the Secretary of State or CEO of a major metropolitan academic medical center.
While diplomatic operations are of a different caliber than patient data, they both deal with the safety and privacy of Americans, and they both warrant the utmost dedication to protection.