Errors, malware & misuse: 4 Qs with Madison Regional Health System's director of IT on hospital cybersecurity

Derek Dudley, director of IT and an IT security officer at Madison (S.D.) Regional Health System, discusses today's biggest threats to hospital data protection and what cyberattacks are in store for the future.

Question: What would you say is the No. 1 threat to hospital cybersecurity today and why?

Derek Dudley: The number one threat is hospital staff. This includes everyone from nursing, physicians and administration to even technology staff. The top issues in healthcare today are errors, malware and misuse. Errors include information being given to the wrong recipient. Malware is generally delivered through phishing campaigns, and misuse is often an employee snooping, possibly on a celebrity or VIP in the community who visited. Or they may be just snooping on a friend, neighbor, family member, or a date they had last night. These are all things that require user intervention to realize, "this wasn't correct," or "this is not appropriate."

Awareness training on these topics can help, but for it to be effective, the organization must do regular training on more than just an annual basis. I would even suggest the training has to take place every two to three months to be effective. Then again, not all fault should fall on the user. If they are not receiving appropriate training on a regular basis, is it really the user's fault?

Q: What do you see as the next big cybersecurity threat hospitals should look out for?

DD: Malware and ransomware are not going anywhere. My personal opinion tells me that the more hospitals start outsourcing to the cloud for help with infrastructure and service controls, the more we are going to start seeing denial-of-service attacks become an issue. They already happen, but when all of your lifesaving equipment and information is on premise, it doesn't affect the organization as badly.

The other thing I am seeing quite commonly is medical device security. Vendors are not providing the capability to secure, audit and respond to security issues with their equipment. Sure, the device may be secured in a locked area within the building so that it can't easily be removed from the organization, but if you look at the topic of misuse being a problem, now you are giving them a device that doesn't require a login, or you can't audit who was looking at that information. It's a huge security issue, one that right now falls on the organization to protect; no liability falls on the vendor or manufacturer. And it's across all vendors, nobody in particular.

Q: What advice would you give to other hospital CISOs or CIOs to get hospital staff on the same page in the aftermath of a cyberattack?

DD: Meet regularly and often. When a cyberattack has happened everyone feels like they are scrambling to get things accomplished or resolve the situation. The key is to keep a close communication with everybody throughout the organization. Get your incident response team together, which should include representatives from each department, and discuss and determine the best courses of action. Also plan for regular means of communication to be down. Email and phones may not be functioning. Collect contact information for personnel, IT vendors, security and law enforcement for both daytime and after hours.

Q: What do you consider to be the most important aspect in hospital data protection?

DD: Identity and access management. The roles and access privileges of users and customers must be managed, maintained and monitored on a regular basis. Being able to grant permissions and take away permissions when needed in a prompt manner will go a long way in protecting hospital data. Additional tools such as single sign-on or multifactor authentication can help when developing an identity and access management platform.

When you have the correct access control mechanisms in place and you can actively monitor those accounts, immediately you can tell when someone is attempting to log in without correct passwords, or they attempted but the multifactor authentication failed, or they logged in at 2 a.m. when they normally work 8 a.m. to 5 p.m. Phishing and social engineering are so popular in gaining credentials today that an organization must have something in place to monitor and validate credentials. I would, in turn, say a good incident response program would be second to hospital data protection. If you can't stop the breach, you better be able to respond quickly.
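The three signals Dudley names in his last answer (repeated wrong-password attempts, a password that was accepted but whose multifactor challenge failed, and a login far outside a user's normal working hours) are simple to turn into detection logic over an authentication log. The script below is an added example written for this page, not code from Madison Regional Health System or from the interviewee. The log format, the field names (`ts`, `user`, `result`, `mfa`, `src`), the working-hours roster and the sample events are all constructed assumptions; an identity provider's real export will need its own parser.

```python
"""Added example: a minimal authentication-log monitor.

Flags the signals named in the interview:
  * password_guessing : N consecutive wrong-password attempts on one account
  * mfa_failure       : password accepted but the MFA challenge failed
  * off_hours_login   : successful login outside the user's normal shift
The JSON-lines format, field names and sample events are constructed for
this example (assumptions), not a real product's log.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real data).
# result: "success" | "fail";  mfa: "pass" | "fail" | "n/a"
# "n/a" means the password was wrong, so no MFA challenge was issued.
SAMPLE_LOG = """\
{"ts": "2019-03-04T08:02:11", "user": "jdoe",   "result": "success", "mfa": "pass", "src": "10.1.4.22"}
{"ts": "2019-03-04T12:15:40", "user": "jdoe",   "result": "success", "mfa": "pass", "src": "10.1.4.22"}
{"ts": "2019-03-05T02:07:33", "user": "jdoe",   "result": "success", "mfa": "pass", "src": "198.51.100.7"}
{"ts": "2019-03-05T09:41:02", "user": "asmith", "result": "fail",    "mfa": "n/a",  "src": "203.0.113.9"}
{"ts": "2019-03-05T09:41:09", "user": "asmith", "result": "fail",    "mfa": "n/a",  "src": "203.0.113.9"}
{"ts": "2019-03-05T09:41:15", "user": "asmith", "result": "fail",    "mfa": "n/a",  "src": "203.0.113.9"}
{"ts": "2019-03-05T09:41:21", "user": "asmith", "result": "fail",    "mfa": "n/a",  "src": "203.0.113.9"}
{"ts": "2019-03-05T09:42:00", "user": "asmith", "result": "fail",    "mfa": "fail", "src": "203.0.113.9"}
{"ts": "2019-03-05T10:05:00", "user": "rlee",   "result": "success", "mfa": "pass", "src": "10.1.7.3"}
"""

# Assumed per-user shift window on a 24-hour local clock (start, end).
# In practice this would come from an HR roster or a learned baseline.
WORK_HOURS = {"jdoe": (8, 17), "asmith": (8, 17), "rlee": (7, 19)}
PASSWORD_FAIL_THRESHOLD = 3  # consecutive wrong-password attempts before alerting


def parse_events(text):
    """Parse newline-delimited JSON into dicts, converting 'ts' to datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def off_hours(ev, hours=WORK_HOURS):
    """True when the event's hour falls outside the user's shift window."""
    start, end = hours.get(ev["user"], (0, 24))  # unknown users: never off-hours
    return not (start <= ev["ts"].hour < end)


def detect(events, threshold=PASSWORD_FAIL_THRESHOLD):
    """Return a list of (rule, user, timestamp, detail) alerts in log order."""
    alerts = []
    fail_streak = defaultdict(int)  # user -> consecutive wrong-password count
    for ev in events:
        user, ts, src = ev["user"], ev["ts"], ev["src"]
        if ev["result"] == "fail" and ev["mfa"] == "n/a":
            # Wrong password: count the streak, alert once when it hits the threshold.
            fail_streak[user] += 1
            if fail_streak[user] == threshold:
                alerts.append(("password_guessing", user, ts,
                               f"{threshold} consecutive wrong passwords from {src}"))
            continue
        if ev["mfa"] == "fail":
            # The password was correct but MFA was rejected: the credential is
            # likely already in an attacker's hands (phished or reused).
            alerts.append(("mfa_failure", user, ts,
                           f"password accepted, MFA rejected from {src}"))
        if ev["result"] == "success":
            fail_streak[user] = 0  # a good login resets the guessing counter
            if off_hours(ev):
                alerts.append(("off_hours_login", user, ts,
                               f"login at {ts.strftime('%H:%M')} from {src}"))
    return alerts


if __name__ == "__main__":
    for rule, user, ts, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  {rule:<18} {user:<8} {detail}")
```

Run against the embedded sample, it raises three alerts: jdoe's 02:07 login from an unfamiliar address, asmith's third consecutive wrong password, and asmith's rejected MFA challenge a minute later. The MFA-failure rule is the one to route highest, since it means the password itself is already compromised, which is exactly the phishing outcome the interview describes.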

To learn more about hospital and health system cybersecurity, as well as the key trends for CISOs, register for the Becker's Hospital Review 2nd Annual Health IT + Clinical Leadership Conference May 2-4, 2019 in Chicago.


© Copyright ASC COMMUNICATIONS 2020.