Halifax Health Vice President and CIO Tom Stafford views the constant effort needed to defend against cybersecurity threats as a war.
“At the end of the day, we’ve got the bad guys trying to get to our data,” Stafford said Tuesday at HIMSS19 in Orlando, Fla. “And so we have to do novel things and layer technology to make sure we’re protecting our patients’ information.”
Healthcare is an especially big target because it represents “low-hanging fruit,” Stafford said. Patient data not only is plentiful, it’s also timeless, making it much more valuable for hackers.
“If you have a credit card and it gets stolen, all the account information gets wiped, you get a new credit card and you go back to work,” he said. “The problem is, when you get your healthcare data stolen, hackers can keep using it.”
With that in mind, Stafford said organizations must be better stewards of data.
Improve Staff Education About Digital Threats
According to the HIMSS 2019 Cybersecurity Survey, email continues to be the most frequently reported initial point of compromise for the healthcare industry, with 59 percent of all organizations surveyed in the past 12 months saying they had experienced a breach that started with phishing.
To that end, Stafford touted environmental awareness and staff education as critical. Halifax, he said, stresses the personal importance of good cybersecurity hygiene, which more easily translates to workplace practices by employees.
“What’s the most important thing in the world to someone in their personal life? It’s the pictures and documents they have on their home PC,” Stafford said. “If you teach them the right principles to secure that, it’s no different than work, it’s just volume.”
Stafford said the organization’s click rate currently is down to 1 to 2 percent.
“Our best deterrent is the end user, hands down, based on the current environment,” he said.
Biomedical Devices Pose a Threat Due to Legacy Operating Systems
Stafford also called biomedical devices one of the biggest challenges healthcare organizations face today. When asked to identify legacy systems in place at their organization, 33 percent of respondents to the HIMSS survey said embedded legacy operating systems in medical devices were commonly used.
“The real problem with biomed today is you’ve got devices outlasting the useful life of the operating system,” Stafford said. “Manufacturers are going to keep trying to sell us old stuff until they’re forced to make a change, and the only change will be when we start refusing to buy this stuff.”
Stafford said that Halifax Health scans biomedical devices before demonstrating them to physicians.
“If we bring in a device and a physician loves it, but it has XP on it, now you’ve just dissatisfied them,” he said. “If you have a program like that today, I would extend it not just to purchase, but to demo. Believe it or not, we had an ultrasound shipped to us that was supposed to be Windows 10, but it was Windows XP, so we shipped it back.”
Providers Must Update Their BAAs and Embrace Ethical Hacking
Other strategies Stafford endorsed included two-factor authentication, getting to really know your cyberinsurance vendor and updating business associate agreements, which he called insufficient for the industry, especially in today’s climate.
“They’re one-page documents,” Stafford said. “You’re only as strong as your weakest link, and if you’re working with a company that’s not that strong, then you’re not that strong.”
He also stressed ethical hacking as vital to exposing current and potential weaknesses.
“We look forward to ethical hacking because it allows us to improve our security posture and boost patient care,” Stafford said. “Don’t be afraid of it, and do it.”
From a broad perspective, Stafford called for greater communication and sharing between organizations about their attacks.
“As a group of people, we have to have a better call to action to help each other,” he said. “What happens today is, if someone gets ransomed or has a cyberattack, they don’t talk about it. The only way we can solve a problem and help everybody else is if there’s more collaboration.”