Cybersecurity is a team sport
At the HIMSS Annual Conference and Exhibition, HIMSS18, Allscripts hosted a panel called Being Prepared: Data Security Best Practices and Lessons Learned. Because we believe cybersecurity is a team sport, this panel included representatives from competitors, government, providers and consultants.
Several common themes emerged from this group as they discussed the growing complexity and frequency of cyberattacks in healthcare. We share a few highlights from the “lessons learned” portion of the program here:
“[Small practices] don’t talk about cybersecurity or know much about it…we need to be talking about the basics. They are extremely vulnerable because they don’t have any resources for cybersecurity. If vendors offered up basic information – about phishing, password strength – it would be so valuable to them.”
– Dara Barrera, Manager of Practice Management and HIT, Michigan State Medical Society
“Ransomware is still the hot topic and it will continue to increase as a threat. Make sure you have backups. It sounds basic, but backups are the one thing that will save you in a ransomware attack.”
– Kris Kusche, CISO, Albany Medical Center
“We encourage all of our clients to pay close attention to who has local administrative rights and privileges, make sure your passwords are strong, segment where your critical data is, take data off the network that doesn’t need to be there anymore – all common practices and controls to help limit risk.”
– Gerry Stellatos, Managing Director, Mandiant
“If you look at all the data breaches over the last 10 years there are about eight things they all have in common, year after year. Understand what those commonalities are, and work with your teams and vendors to figure out how they fit with your organization and prioritize your level of risk…that will tell you where you stand.”
– Tony Maupin, CISO, NetSmart
“We have a lot of devices, so the goal is to reduce the footprint and reduce the vulnerabilities. The other thing we do is vulnerability scans on a regular basis, and business owners are part of those conversations, too, so it’s not just an IT effort.”
– Jon Walter McKeeby, D.Sc., MBA, CPHIMS, CPHI, CIO for NIH Department of Clinical Research Informatics
“Drill and test your people. They are your main vulnerability. Train them and keep testing them…help them be aware of the risks.”
– Michelle Lardner, MS, RN-BC, Deputy CIO, NIH Department of Clinical Research Informatics
“I work with my software developer team and show them how attacks actually happen…on the operations side, the training can be very dry because there are lots of things that are required to be there. So if you want them to learn something and enjoy it, you have to have something that can stretch their minds.”
– Tim Gaylor, CSO, athenahealth
Our panelists agreed that as the cyberattack threat surface expands, we need to stay vigilant and focused on data security. Keep implementing those basic security practices, and continue to test them regularly, because this is a constantly moving target.
Our industry must share best practices and work as a team to combat evolving threats. Ultimately, some of these vulnerabilities could evolve into a patient safety issue.
Thanks to our panelists for coming together to participate in this event. You can read more about this panel in a recent Healthcare IT News article.