Healthcare Systems are treating the Symptoms
& Not the Disease of Cyber Threats
The first quarter of 2015 has yielded a large number of cyber threats and open vulnerabilities in the healthcare industry.
The trend has steadily increased from 2010 and will only continue to climb as the healthcare industry continues to become further entrenched in technology – everything from electronic medical records to HIPPA compliance to payment card information to be more exact. In fact, during the passed few months, New York Presbyterian and Columbia University were forced to enter into settlements totaling $4.8 million dollars surrounding the “availability” of all patient data being accessible by the public.
More recently, UMASS Memorial Medical Center discovered that one of its employees accessed and used personal identifiable information, credit card data and other patient information throughout his 12-year tenure for his personal use.
These stories are just two symptoms of a cyber threat disease that is poised to become a pandemic.
Much the same way a lay person is confident that an antibiotic will cure whatever ails them, it appears that healthcare organizations are approaching risk mitigation by only treating risks that other healthcare systems have been susceptible to without realizing the damage they are doing to themselves by addressing the problem with an ill-conceived solution.
One could argue that this theory would make sense to quick-fix information security and data personnel. For example, if an entity falls short in laptop encryption, the exposed entity’s business neighbor would encrypt their laptops and feel some sense of security or accomplishment.
Relying solely on other organizations shortcomings to remediate similar gaps in your business does not make your business secure. In fact, it makes the business even more exposed by giving business leaders a false sense of hope. There are no shortcuts and quick fixes to securing your data and business. While you may mitigate one issue and feel secure in that specific sub-segment, the harsh reality is you have only mitigated one of one thousand or even more security vulnerabilities in your business.
The first step any organization should conduct is to cease reading the horror stories, stop remediating risk by pinpointing other healthcare organizations publicized shortcomings and look to a seasoned Chief Security Officer with my big three requirements. The requirements are ECF - experience, certifications and a former executive background.