At Techumen we recognize that health care providers have highly complex clinical and business processes. In turn, these core functions rely on a large, distributed computing and communications environment. We also recognize that the demands on computing for health care will be heightened as burgeoning new care areas like population health with its attendant large data sets, precision and genomic medicine, patient-driven care protocols, networked medical instrumentation, and telehealth become firmly entrenched in care-giving.
The IT infrastructure required to serve over 20 hospitals and over 300 clinics is necessarily very complex, distributed and large. Over 1000 applications in use and 70,000 network endpoints offer a simple indication of the size of the problem and the difficulty in securing information adequately. In addition, any comprehensive effort to shore up security, and its execution, would have to consider two fundamental aspects of delivering security to health care providers:
· To never harm patients
· To not interrupt, if possible, any clinical processes
There is an especially large and growing need for cybersecurity insurance:
1. Breaches are costly. (Breach cost estimates vary widely and typically depend on the type and magnitude of data affected. What is clear, however, is that breach cost analysis must include the cost of business interruptions, tangible and intangible customer losses, class action lawsuits, and civil fines. For large breaches this cost can easily run into the millions.)
2. Information technology is too entrenched in corporate processes, and breaches will become part of the business landscape. (That is, most businesses will eventually be hit by some kind of breach or suffer damage from a cybersecurity attack.)
3. Changing legal and regulatory landscape. Class action lawsuits will increasingly make their way through the courts. These will be especially expensive for most companies that have experienced a large breach.
Useful, powerful, small, cheap, and very easy to use. More things in life should be like USB drives, also known as flash drives, memory sticks, thumb drives, or USB keys. Since they were introduced in 2001 their increase in storage capacity has only been matched by their decrease in price. Fun fact: When first introduced, a 128-megabyte flash drive cost about $30. Now you can get 512 gigabytes for that price, and they’ve become devices most people can’t live without. Like all power tools, though, they must be treated with care and can cause a lot of damage if misused.
How frustrating is it to lose a smartphone? $650,000 worth, if you are Catholic Health Care Services of the Archdiocese of Philadelphia. An employee of theirs lost an iPhone last year. It’s easy to do so – but the iPhone was not encrypted, was not password protected, and had extensive ePHI on it. Most workers would say that they don't store ePHI on their phone. They don't use it to access an EMR, open any spreadsheets, or take any notes on their phone. However, ePHI, like water, has a way of leaking out to unexpected places. If you get corporate email on your phone, then you've probably been CC'd on a message with an attached spreadsheet, which often has ePHI. If you've installed Dropbox, or a similar app, on your phone, the data is usually accessible, especially if you've got auto-login enabled – or if the app caches any data locally.
Ransomware is a malicious piece of software that encrypts a user's or company’s files. Once they are encrypted by an attacker, it is almost impossible for the victim to regain access to the files without a “decryption” key that is held by the attacker or “file kidnapper”. The “kidnapper” of the file(s) then demands a fee from the company to regain access to its own files. Typically, the attacker sets a short time span – usually 72 hours or less – for the infected user or entity to fork over a ransom. (Attackers do not like to leave digital trails and use temporary servers to accomplish their illicit activity.) The ransom is usually payable in Bitcoin – an anonymous currency increasingly popular with criminals. The hackers will display some sort of screen or webpage explaining how to pay to unlock the files.
In our last mailing, we wrote about how to talk to management about security. This time, we will address what to tell them.
It is easy to cloud the communication channels with too many details, the wrong details, or too much technical focus. Instead, concentrate on what management needs to know about the issue at hand, and what they should know in their capacity as organizational leaders. This will help them understand the problems you (and, by extension, they) are dealing with, and importantly, help you get the organizational support you need to solve them.
The gap between IT and management can often be a chasm. Nerds can’t talk to suits. In the Dilbert cartoon, this leads to laughs; in real life it leads to frustration, ignorance, and poor organizational performance. Some of this gap is the nature of the security topic. It’s difficult to discuss security events, which by definition are abstract, future, and highly uncertain, in a clear and concise manner. Many managers are highly quantitative and numbers-oriented, and security is not yet a quantified body of knowledge. The “curse of knowledge” frustrates any attempt to communicate specialized information, as your physicians can tell you – it’s difficult to talk about topics that you know well to an audience that knows little.