Hospital and health system CIOs don't need to figure out how to implement a blockchain solution to enhance cybersecurity at their organizations just yet — there are many simpler things they can do first, according to HIMSS17 attendees.
We asked several attendees and vendors in Orlando, Fla., this: What is one simple thing a health system CIO can do in the next hour to improve cybersecurity at their organization? Here are their tips. (Responses are lightly edited for length and clarity.)
Francis "FX" X. Campion, MD, CMO, Ayasdi (Palo Alto, Calif.): "Understanding variants is key. … We refer to it as 'anomaly detection,' but there is a new wave of smart information tools to assist in understanding, at the periphery of your organization, where the leaks are and where the abnormal behavior is. It's adopting the next intrusion detection."
Adam Klass, Chief Technology Officer, Vigilanz (Minneapolis): "They could take a look at their [disaster recovery] plan. ... And ensure good password protection is going on within their organization, but that might take more than an hour. Just establish a security culture in general. You can have all these great things in place, but if the culture isn't embracing that, it's certainly something you need to get your hands around."
Ian McCrae, CEO, Orion Health (Auckland, New Zealand): "A lot of hospital systems are managed on low budgets [and] have poor security. I think they are very vulnerable. There are so many services and things you can do… But if you want to secure your system, you have to do it in the cloud. It is a lot of work."
Hemant Goel, President, Spok (Eden Prairie, Minn.): "The biggest hole in security is people. Educate your people. One of the black-hat guys, Kevin Mitnick, who is known for his cyber hacking, is a perfect example. He takes a $60 VPN token, buys it. … He sets up Google free Wi-Fi [with it] out of his backpack at Starbucks. Now you're at Starbucks and you think it's Google Free WiFi — and he says I've gotten everyone at Starbucks to login and I've gotten all their info. The easiest thing to do is educate the people. Make them savvy and understand how easy it is to hack."
Andrew Mellin, MD, CMO, Spok (Springfield, Va.): "Send out a phishing email that you generate yourself and see how many people respond."
Paul Bradley, Chief Data Scientist, Zirmed (Chicago): "I recently had a long talk with our director of security, he really made me aware that right now the attacks that most hackers take to get inside is not directly through a firewall. They are going to send people at your company messages that look really familiar to them that are phishing schemes. They'll get you to click on a link that will download some malware to your machine. We do a lot of training with our employees to be aware of this. If anything looks suspicious don't click it and forward it on. At hospitals and health systems too, those are vectors. We all want to help people and answer questions and it's almost like the bad people are trying to prey on that."
James Golden, PhD, Senior Managing Director of Healthcare Advisory and Healthcare IT Practice, PricewaterhouseCoopers (Hartford, Conn.): "[Get a] next gen firewall and improve reporting from an analytics perspective."
Aaron Miri, CIO, Imprivata (Lexington, Mass.): "Make sure that you enforce simple identity management solutions: complex passwords, making sure that there aren't the 'get-out-of-jail' clauses for people that don't have a password on their phone because they want to access email. Maybe they are a certain type of individual — an executive, a physician — that just didn't want [a password]. That can't be acceptable anymore. Then look for other ways to strengthen that presence. … Let me put it this way. If you are homeowner and you don't lock your front door, and somebody breaks in when you are not home. … Whose fault is that? Lock your front door. And then get a security system and double locks, or whatever you need to do. But at least lock your front door."
Rod Piechowski, Senior Director, Health Information Systems, HIMSS (Chicago): "Leadership comes from the top. If executive leadership at an organization believes fully in this concept of holistic security, that we are all in this together, we all play a role. … Let your staff know that you support everyone's participation in this. Ask for their support in working with the IT department to learn about new threats and learn about what to watch for, and to feel a sense of responsibility to the organization."
Heather Staples Lavoie, Chief Strategy Officer, Geneia (Harrisburg, Pa.): "The weakest link in security is people. It's a human resources, management challenge. Some of it is really education. Nobody wants to hear it, but two-factor authentication is important. It's a hassle for people, but it's more of a people challenge than an organizational or technical challenge. Organizations really need to move up and tighten controls. Many of the breaches that you've seen have really been because of people issues, not necessarily because of technical vulnerability."
Ben Kanter, MD, CMIO, Vocera (San Jose, Calif.): "Lock down all the PCs in the hospital. Lock down all the USB ports. Lock down all ability to alter configuration. Second is strengthen your policy for all of the laptops. … Do you have the ability to remote wipe? Is it encrypted? That sort of thing."
Todd Rothenhaus, MD, CMO, athenahealth (Watertown, Mass.): "I would wipe everybody's passwords out, all access out, and restart it. I believe it's the internal intruder and the carelessness. No. 2 would be your people have files, Excels, all over the universe with patient information in it. … Just knowing that there's an Excel with Social Security numbers on some drive is easy [to address]."
Frances Dare, Managing Director, Health & Public Service, Accenture (Irving, Texas): "I'd have a risk assessment done right away. What it's likely to reveal is that my biggest risk areas are my connected medical devices. It's not just about EHRs. While people and behavior are absolutely [vulnerabilities], we're seeing the biggest vulnerabilities right now in medical devices."
Brian Kalis, Managing Director of Digital Health and Innovation, Accenture (Minneapolis): "I would advocate, if it is not already, making cybersecurity a board-level priority. Making it as a board-level priority as well as part of the C-suite agenda. If I were to go to part two, I would start working on the human-factor aspect of it. That's going to be training and change management."
Dave Dyell, President and CEO, Jellyfish Health (Panama City, Fla.): "Training. I think training is the simplest and easiest thing. It's really shocking sometimes how staff at different levels of the organization won't really understand the impact they can have on cybersecurity and that simple little thing that they do, accessing a website or whatever, can really endanger the entire health system and every patient's record."
Randy Parker, Founder and Chief Business Development Officer, MDLive (Sunrise, Fla.): "Move off of on-premise systems and move into cloud where they have data security and high trust capabilities that have been build for security. So many systems are still working on legacy, on-premise solutions and have not been able to take advantage of the types of technology that are available for cybersecurity today."
Paul Black, CEO of Allscripts (Chicago): "An hour doesn't give the CIO much time. I'd recommend using that window to run an audit which might help pinpoint significant vulnerabilities — and that information could then form the starting point for a comprehensive plan to rectify weaknesses and limit future exposure. For long term cybersecurity improvement, I recommend opening IT positions with staff augmentation strategies and hiring a top cybersecurity firm to conduct an external review of security preparedness."
Ed McCallister, Senior Vice President and CIO of UPMC (Pittsburgh): "Educate your employees. We do that through internal phishing exercises. We send an email out asking you to download information, then we follow-up with those who download the file. We've been doing mock phishing exercises for a year, and when we did the first, 38 percent of IT professionals fell for the email. These are people who are supposed to be more away of what's trending in this space. In the year since, it's trending down."
Keith Bigelow, Genera Manager of Analytics at GE Healthcare (San Francisco): "[The CIO] should go in the bathroom and look in the mirror and ask, 'Do I really have a better cybersecurity team than some of the health clouds? Do I really have a team that is better at protecting patients' data?' How can a hospital afford to staff enough people to entrust and protect the data of their patients? Even if [breaches and attacks] weren't getting more sophisticated, the volume of them is getting more intense. Your expertise is care, not cybersecurity. I just don't think that can be a core competency of a hospital long-term."
Neal Singh, CEO of Caradigm (Seattle): "Get a governance and compliance plan in place. The more you can put governance and risk compliance systems in place to get a handle on data, the better off you are. You'll have people coming and going from your organization all the time, or activity happening with organizations joining yours. You have to make sure the right person is accessing the right data set."
John Kravitz, CIO and Interim Chief Data Officer, Geisinger Health System (Danville, Pa.).: "Educate employees to let them know they will always be under phishing attacks to surrender their credentials. Also [educate them about] targeted phishing attacks, where the hacker learns about the people and processes in the organization then poses as that person in order to exploit the organizations assets."
Suzanne Travis, Vice President of Regulatory Strategy at McKesson Technology Solutions (Alpharetta, Ga.): "Have a risk assessment. If they haven't done a risk assessment and aren't managing to results of the risk assessment, they could be wasting their resources, targeting the wrong thing or thinking they are safe when they are not. The most common reason providers fail a HIPAA audit is because they don't do a risk assessment."
Bill Miller, CEO of OptumInsight (Eden Prairie, Minn.): "We hire so many people and acquire so many people. Get people trained on what they can and can't do. That has to be done quickly and early on in the process of them being hired. We don't have a business if we are breaching security. These breaches we put our fundamental reputation at risk — our brand really comes down to trust."
More articles on health IT:
How HSHS Medical Group meets consumer demand through virtual care
Evidation Health, Shepherd Center join forces to broaden care options for neurological patients
What issues dominated HIMSS17? We asked, you answered