[BreachExchange] When it comes to cybersecurity, don't overlook staff education

Wed Mar 30 19:54:59 EDT 2016

http://www.fiercehealthit.com/story/when-it-comes-cybersecurity-staff-education-matters/2016-03-29

In April 2014, the FBI issued warnings about the healthcare industry's
vulnerability to cyberattacks. In particular, the agency called the
possibility of increased cyberintrusions likely, given the combination of
the shift to online systems and a lack of preparation by most organizations.

Nearly two years later, the FBI has its hands full as those warnings have
come to fruition.

Hospitals and payers are in full panic mode in the wake of recent highly
publicized attacks. The latest example is Monday's cyberattack on MedStar
Health, which operates 10 hospitals in the District of Columbia and
Maryland. The FBI is investigating the incident as a possible ransomware
attack, the same kind that paralyzed Hollywood Presbyterian Medical Center
in February before executives opted to pay $17,000 to get control of its
systems back.

The incident at MedStar is so bad, according to the Washington Post, that
some patients have even been turned away.

While employees at MedStar, Hollywood Presbyterian and other health systems
all likely have been trained on cybersecurity, it bears repeating that
staff education matters.

In talking to several hospital information security managers and CIOs at
the Healthcare Information and Management Systems Society's annual
conference earlier this month in Las Vegas, cybersecurity--and in
particular ransomware--certainly was top of mind. Many indicated they had
stopped the spread of ransomware before it hit mainstream networks, but
would not have been able to do so without the help of vigilant employees.

On a recent audiocast posted to the American Hospital Association's
website, Mary Ellen Callahan, a partner at Jenner & Block who serves as AHA
outside counsel for cybersecurity issues, preached a similar mantra.

"Try to educate your entire workforce," Callahan said. "Also, make sure
that you backup your data regularly. Make sure that your software systems
are up to date. Making sure that you have good hygiene throughout your
whole infrastructure will really help to prevent" such incidents.

Mike Overly, an information security lawyer at Foley & Lardner LLP, called
the human component to breach prevention critical.

"In most instances, ransomware attacks result from human error: opening a
file from an unreliable source," Overly told FierceHealthIT in an email.
"This type of error can only be addressed through user training and clear
policies."

What's more, during a recent FierceHealthIT webinar focusing on privacy and
security, both Aaron Miri, CIO at Dallas-based Walnut Hill Medical Center,
and Meredith Phillips, chief information privacy and security officer at
Detroit-based Henry Ford Health System, discussed the importance of
ensuring such training becomes part of the normal culture of an
organization.

"It shouldn't be easy to access data; it shouldn't be," Miri said. But, he
added, security also does not need to be onerous and burdensome.

"It's about engraining" security as a habit, he said.

Education won't prevent all cybersecurity incidents from occurring; hackers
continuously seem to find new ways to breach systems every day.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160330/46e73f59/attachment.html>