The Healthcare Information and Management Systems Society 2016 Conference offered many important takeaways regarding data security and privacy.
Here are six of the most critical points that resonated repeatedly from the various sessions I attended, as well as in the many interviews and more casual conversations I had last week during HIMSS16:
- The security risks posed by the Internet of Things, consumer wearable health devices, mobile health apps and medical devices are rapidly evolving. It's vital that these gadgets and apps be closely scrutinized as part of a risk analysis. If these risks are not currently being assessed and mitigated, they need to be moved from the back burner to the front burner ASAP. Not only are these products susceptible to malware and other hacker attacks, the data being transmitted from the devices aren't generally encrypted, says Kevin Johnson, CEO of security consulting firm Secure Ideas.
- Ransomware attacks are the new No. 1 worry for healthcare entities. The recent ransomware attack on Hollywood Presbyterian Medical Center is drawing attention to the problem, but these attacks quietly have been going on for a while in the healthcare sector. Some organizations have nipped them in the bud, but others have paid attackers. More of these cases will likely be in the spotlight soon, especially as larger incidents involving ransomware get added to the Department of Health and Human Services' "wall of shame" website of breaches affecting 500 or more individuals. These attacks are becoming more targeted and more sophisticated. So make sure your backup systems and media are properly secured - and perhaps even consider making backups of your backups - because some attacks involve targeting backups before databases and other systems get locked up by the malicious encryption.
- Signatures for ransomware and other malware attacks are morphing quickly, so don't count on your anti-malware solutions to save you. The best line of defense is multilayered. That includes close monitoring of systems and logs for abnormalities and following up swiftly when suspicious activities are identified, advises John Houston, CISO of the University of Pittsburgh Medical Center. But make sure you learn what your baselines are first.
- Carefully guard credentials of privileged users. That includes considering solutions that "vault" the credentials of systems administrators and others with elevated access, recommends Mac McMillan, CEO of security consulting firm CynergisTek. That's because if attackers gain access to your environment through stolen credentials, that could nullify other breach precautions you've taken, such as encryption.
- User awareness is critical to prevention of breaches. That includes your workforce - and the employees of vendors - knowing and understanding your security and privacy policies and procedures, as well as being attuned to recognizing - and promptly reporting - potential phishing emails and suspicious behaviors of others, says Robert Rost, director of IT security defense services at Banner Health. While the importance of workforce awareness isn't a new theme, it's one that's continually skimped on, as is evident in many of the new breaches that make daily news headlines. Banner Health rewards good awareness with awards for employees who recognize and report phishing scams, Rost says.
- Finally, we all know by now that having a information security risk program focused solely on HIPAA compliance isn't enough to keep up with the quickly evolving cyberthreat landscape. Nevertheless, HIPAA compliance audits are indeed resuming this year, warns Deven McGraw, deputy director of information privacy at HHS' Office for Civil Rights, so covered entities and business associates alike need to ensure they're complying with HIPAA. In addition, OCR enforcement actions involving financial penalties against those organizations reporting breaches could soar this year, predicts privacy attorney Adam Greene of the law firm Davis Wright Tremaine. So, while it might be impossible to avoid all breaches, make sure your organization, at the very least, is updating its risk assessments and then mitigating the identified risks.
Paying close attention to key lessons offered at HIMSS16 could help organizations cope with the ever-changing cyber threat landscape.
What was the best cybersecurity tip you learned during HIMSS16? Please share your observations in the comments section below.