Why a California-based CISO considers business continuity plans the best defense against cybersecurity attacks

Todd Plesco, chief information security officer at Irvine, Calif.-based PrescribeWellness, discusses the need for ethics in data protection and how hospitals should handle threats to cybersecurity.

Question: How do you train clinicians and front-line staff to protect patient data and avoid cyberattacks?

Todd Plesco: The most common ways to avoid catastrophe can be as simple as not clicking on things you're unsure of and not leaving a mobile device in the trunk of a car.

I'm a storyteller and enjoy relaying anecdotes about the "what" [data privacy] and the "how" [information security] as it relates to those who can be affected. We tend to do things better when we can visualize how we're helping those around us. Workforce members understand through reminders, orientation and regular training that they are responsible for ensuring the confidentiality and integrity of record and systems data in their day-to-day interactions. My role as a senior-level executive is to establish and maintain effective methodologies and assurances at the enterprise level by providing the tools and guidelines to help the workforce and systems effect that.

Q: What do you see as the next big cybersecurity threat hospitals should look out for and why?

TP: Ransomware attacks have increasingly exploited the business continuity weaknesses of health information technology and workforce members in our industry. For many organizations caught by ransomware, business continuity plans are not exercised enough and serve only as a document created to tick a box for auditors. It's not enough to train workforce members to avoid clicking on suspicious emails, because exploits might be introduced through more sophisticated channels such as medical device firmware or ancillary device driver updates. Oftentimes, the best solution is to completely wipe the device and restore its last backup image. If your health information technology teams aren't prepared to do this when necessary, then now is your chance to start.

Q: What task requires the majority of your time as CISO?

TP: An effective CISO's time is often spent cultivating relationships at all levels of their organization to understand where humans and technology intermingle. This is how a CISO begins to align security strategy and vision in the workforce and in their organization's technology infrastructure. Understanding these crossroads is a necessity to ensure the tools and knowledge exist where it makes sense and that everyone is aligned to performing their jobs well with good security practices.

Q: What do you consider to be the most important aspect in hospital data protection?

TP: Everyone should be vigilant when it comes to protecting one another and the community from embarrassment, discrimination or economic harm. Ethics should play a major role in fostering the workforce culture's realization that the wellbeing of a patient and colleagues includes demonstrating respect and dignity toward patient data. Caring for one another is the most important aspect.

To learn more about hospital and health system cybersecurity, as well as the key trends for CISOs, register for the Becker's Hospital Review 4th Annual Health IT + Revenue Cycle Conference, Sept. 19-22, 2018, in Chicago.


© Copyright ASC COMMUNICATIONS 2021.