In the next hour, 4,670 patient records will be breached, says Errol Weiss, Chief Security Officer of Health-ISAC.
“We’ve got to do a better job of protecting our patient information,” says Weiss, adding that Department of Health and Human Services government data show more than 500 million records were breached in the last 15 years. “To me, it’s an indicator of the challenges that we’re having in the health sector in terms of being able to protect patient data and protect our systems from breaches, cybercriminal acts, nation state acts, and so on.”
Weiss was the presenter of this year’s AHIMA webinar, “Current and Emerging Threats in the Health Sector.” He discussed the top cyberthreats facing the healthcare sector, how to use the information to influence cybersecurity budget and investment decisions, and how to leverage practical steps and resources to improve the learner's own cybersecurity posture. The webinar is available to view online.
The webinar is among the ways that AHIMA is helping health information (HI) professionals learn more about cybersecurity and best practices to keep patient information safe from cyber theft. For example, AHIMA provides privacy and security resources that include links to federal rules and other information related to strengthening cybersecurity.
In addition, AHIMA worked with Weiss and Health-ISAC to create a cyber threat intelligence (CTI) certificate tailored specifically for healthcare professionals. The CTI course focuses on the fundamentals of cybersecurity practices and the process of navigating through an organization’s cybersecurity framework.
In his webinar and an interview with the Journal of AHIMA, Weiss talked about emerging threats to privacy and security of health data and how HI professionals can help improve cybersecurity and keep patient information safe.
Question: Why is it important for HI professionals to be actively involved in helping fight cyber threats currently facing healthcare?
Weiss: There are all these threats out there, and some people might say, ‘Is this something I really need to worry about?’ Yes. These have impacted healthcare in one form or another, and some of it happens every day, multiple times a day. We say that cybersecurity is a team sport. We rely on everyone to be a part of security and that comes by doing everything from reporting suspicious things to not clicking on links that don't seem right.
Question: As cyber threats become more sophisticated, are healthcare workers prepared for the evolving security threats they might encounter?
Weiss: I do think people are a bit more savvy today. They’re getting years of training and awareness that we've all been giving our employees and staff. People are more aware, so they're a little bit more cautious about what they are clicking on. A lot of companies are using phishing testing to periodically launch tests out to the staff to get them thinking about it more often and know how to report suspicious emails when they see them.
Question: What is an ISAC?
Weiss: ISAC stands for Information Sharing and Analysis Center. It is a concept that started in the mid-1990s when the government realized that much of the critical infrastructure was owned and operated by the private sector. There is an ISAC for every one of the critical infrastructures—finance, water, transportation, aviation, food, technology, and more. Obviously, health is one of those as well. The idea about the ISAC is it’s a virtual neighborhood watch program. It is really about helping out your neighbors and helping out your peer companies and organizations and sharing information with each other when it comes to threats, vulnerabilities, incidents, best practices, and all kinds of information that organizations can use to better protect themselves from today’s threats and tomorrow's threats and learn from each other on how to protect that super critical patient data that we’ve all got. Health-ISAC has over 14,000 people in our network that are sharing every day with each other.
Question: How vulnerable are healthcare organizations to cyberattacks?
Weiss: Historically, the investment in cybersecurity has not been where it should be. We don’t have enough resources in cybersecurity, and therefore we’ve got networks that are not well defended. And then now we’ve got ransomware actors who don’t care who they interrupt; they’re purely after money. When ransomware impacts an organization like a modern hospital that relies on IT systems to function, if they cannot restore from backup quickly, now we've got lives at stake. We've got real human impact with ambulances being diverted to other locations, delays in healthcare, procedures being canceled, lab results being delayed, and on and on and on. They’re more inclined to pay ransom because lives are dependent on it. So it's kind of almost the perfect storm of why we see hospitals being targeted and potentially why they're paying the ransoms.
Question: If investments in cybersecurity were lagging in the past, do you see that changing?
Weiss: When I got here to Health-ISAC six years ago, there were a lot of ransomware events happening. People were really starting to get the attention of the boards and senior leadership in the hospital networks that, ‘Hey, we've got to take cybersecurity seriously.’ And so for the last six to 10 years, we've seen budgets moving in the right direction. People are spending more on cybersecurity in healthcare. There’s still some catch up to do.
Question: What emerging technologies should healthcare organizations be prepared for that might lead to future cyber attacks?
Weiss: The biggest game changer that we’re going to have and continue to see is what’s happening around artificial intelligence. Things are moving incredibly fast there. From a security standpoint, the area of artificial intelligence is bringing up a whole new set of challenges. In the cybersecurity area, AI has improved detection of new threats and we've seen great strides in improving on diagnosing threat types and new attack types and providing defensive information for cybersecurity teams. And even on the threat intelligence side, AI makes our threat intelligence analysts a lot more effective and efficient. Hopefully, your organization is looking at artificial intelligence policy, what are the do’s and don’ts, what are we going to allow our staff to do, and how do we do it safely so we don’t jeopardize sensitive patient information or cause harm to patients.
Question: What’s your takeaway message to HI professionals when you discuss cybersecurity?
Weiss: I tell them we need your help and to be part of the cybersecurity solution. I talk about the fact that if you're safer at home, you're safer at work. That's part of the takeaway because today with people working remotely from home, if I, as a cybercriminal, can't get to your system at work because the work environment is better protected, I'll come after you at home. We see all these attempts by the bad guys and you get somebody on the other side who’s just so convincing and it’s hard not to believe them. They’re going to connect to you, maybe it’s by email or text message, or it’s on LinkedIn, and they’re going to move the conversation to a channel that is not protected by work. If you see something wrong, work with your InfoSec team and get their help. If there's a process that's cumbersome, like if you've got to log in to six systems and it’s just a giant pain, maybe there's a better way to do it.
Question: What are key actions that healthcare workers and organizations should be doing to protect patient information?
Weiss: When I boil it down to what are the top three things you should be doing, it’s stay up to date on patches, back up your systems, and then use multi-factor authentication. My advice to you is do not reuse the same username and password across multiple sites; you need to change it. My second recommendation is to actually consider using a password manager to be able to track all that. And if you're better protected at the personal level at home, you're going to be a better, more secure person at work as well.
Damon Adams is content production editor for AHIMA.