How often do you think about the security of your HVAC system? What about those card readers you just installed on cash registers in the cafeteria — are they FASB-compliant? Oh, and your medical device partners? How secure are the connections when they tap in remotely to update software on an MRI machine or the PACS system?
The reality is, in our hyper-connected world, everything is vulnerable. What do you want to bet that Target executives are a bit more rigorous in their review of internal and external security protocols? Recall that a weakness with an HVAC contractor reportedly opened a back door for thieves to make off with 40 million credit card records.
Whether it is Home Depot, Target, the iCloud hack of such celebrities as Jennifer Lawrence, or 4.5 million compromised patient records at Community Health Systems, cybersecurity is serious business, not to mention front-page news. No sector of the economy is immune from attacks, and no CEO should take the matter lightly.
“It’s happening everywhere and it is frightening,” Todd Richardson, senior vice president and CIO of Aspirus Inc., a health system in Wausau, Wis., told me earlier this week. “I tell my staff that we are on thin ice and we have to be very conscious of the threats that are out there.”
It’s not enough to just focus on encrypting laptops, changing passwords or establishing a strong BYOD policy, he said. Anything that sits on or can access the hospital’s network can be a Trojan horse. It’s critical to have a vigilant vendor management system, which includes examining vendor security audits.
IT governance is also key, he added. As part of that, it is important to have hard stops on purchasing and maintenance contracts if IT and security haven’t been involved or consulted. That’s true for something even as seemingly benign as webcams in the NICU. Yes, adding this benefit is great for parents, but if not properly managed, the Internet connections present a security risk, Richardson said.
Equally important: recognizing that this isn’t merely a technology problem.
“There are behavioral and policy aspects to preventing and addressing cyberrisk,” said Chantal Worzala, director of policy at the AHA.
She pointed out that the AHA has a guide for member CEOs and trustees to help them understand the risks. It gives specific ideas for questions to ask and actions to take. A host of resources are available at www.aha.org/cybersecurity.
She also suggested that hospital executives adopt six action items to manage cybersecurity risks.
As you might expect, several federal regulatory agencies have taken a keen interest in trying to minimize cybersecurity risks. The FBI in April warned that the health care industry is especially vulnerable. The FDA, CMS, SEC and DHS all have guidance or reports on cyberthreats. Most significantly, the president in 2013 issued an executive order on the matter. NIST has taken the lead in coordinating federal efforts; its cybersecurity framework is an important resource.
“We really encourage hospitals to participate in information-sharing activities put forward by federal agencies, regional FBI offices and some nonprofits working in this area,” Worzala said. “The threat landscape changes, and people need to be attuned to what’s happening.”