Why it takes more than technology to defend your organization
Written by J. David Sims, HHS 405(d) Task Group Member and AIHC Board Member
This article is reproduced with permission from the HHS 405(d) Task Group Newsletter. In 2021, the 405(d) Program has grown its reach and continues to pursue its mission of Aligning Healthcare Industry Security Approaches. The 405(d) Program is now able to assist in many of your cybersecurity needs. Whether it is instituting cybersecurity practices using the Health Industry Cybersecurity Practices, better known as “HICP,” or educating your staff on cybersecurity, we are here for you! AIHC is so excited that our talented Board Member, David Sims, is serving on this important task force.
“Dr. Cooper, the computers aren’t working right. They all have a message on the screen about paying to have our data and systems unlocked!”
This was the welcome that Dr. Cooper received on Monday morning from his panicked practice manager, Sherry, as he walked into his practice. No, this would not be a good morning, not at all.
“Sherry, get IT on the phone!” shouted Dr. Cooper as he made his way to every computer and was met with the same ransomware message on each screen. Dr. Cooper had invested a modest amount of money each month to outsource his IT support and security to a local IT firm.
“The IT guys said they can’t log in remotely, so they’ll have to send someone out. It will be an hour or so before anyone can get here,” Sherry explained. In the meantime, patients were starting to fill the lobby for their morning appointments. With no plan for how to respond to such an incident, Sherry instructed her staff to start rescheduling patients and prepared to close the office for the rest of the day. A little while later, Scott from their IT firm arrived. He instantly realized he was walking into a mess. As he walked through the parking lot, he could hear agitated patients complaining about having to reschedule.
Upon entry he noticed another patient expressing concern about their medical records as the front desk person explained that they were experiencing a ransomware attack. Scott quickly assessed the situation and realized that there was nothing he could do to resolve this. Scott turned to Dr. Cooper with a look of dread and began rapidly firing questions:
“Do you have a ransomware response plan?” “Do you have cyber insurance?” “Who is handling public relations?” “Have you called your attorney?”
Dr. Cooper threw up his hands and said, “Wait. So, you’re telling me that you can’t fix this?”
Scott replied, “You have an active ransomware attack happening. Likely, this is going to be a data breach. If so, you are going to have to notify all your patients that have been affected. You may also have to notify the State and HHS and follow State and Federal breach laws. You’ll also need to determine if the media will need to be notified.”
“How could this happen?! We pay you for security!” exclaimed Dr. Cooper, who was sitting down with his head in his hands as he pondered what this would mean for his practice and his patients.
We will leave this true story now and look closer at the question Dr. Cooper asked: “How could this happen?” After all, they are indeed paying for cybersecurity and the IT firm is providing good security. So how, then, can this happen?
Like many businesses, this practice did not understand that cybersecurity is not just a function of IT. In fact, there are three areas that must be present for an effective privacy and security program to work. Let’s take a closer look at these three areas.
Social engineering, or hacking humans as it is sometimes called, is today’s most successful way to attack an organization. The attacker can bypass all the security that keeps them out if they are able to have someone on the inside let them in. Technology has no way of keeping out the bad guys if the good guys are letting them in through the “employee entrance.”
Your people will either be a security asset or a security liability.
Mostly, people want to do what is right. They want to protect the patients and their employers, but they are often not given the proper tools or training to make them effective security assets.
Organizations should dedicate time and resources to effectively train and test their employees on proper cyber hygiene, privacy and security topics, and incident response. Remember, it’s the people, people.
A process is the guide that explains to employees how your business does certain things. All too often, a business will either not have processes in place, or they do have them, but nobody knows what they are because they are not trained on them.
It is a guarantee that if your organization has never practiced an incident response, even a table-top exercise, your team will do nearly everything wrong when an actual incident occurs.
Not having an effective, planned response will cost you much more when (not if) disaster strikes. “Failing to plan is planning to fail,” as Ben Franklin said.
Technology is the final piece of the cybersecurity trifecta, and yet most people think it is the only piece. This is also the most confusing piece due to its complexity and many other factors. Following a framework or guide, like HICP (Health Industry Cybersecurity Practices), will help organizations understand where their focus should be to properly address the most common threats. Ensure you are devoting enough resources to this area, but understand that technology alone will not properly protect you.
People, processes, and technology. Those are the three areas that must thrive for any organization to have an effective privacy and security program. A cyber incident can happen at a moment’s notice. How well you can recover from it will depend on how prepared you are in advance. In a crisis, people do not rise to the occasion; they fall to their level of preparation.
A resource that can definitely get you started and begin to protect your patients from cyber threats is the set of publications located on the 405(d) Task Force Website.
This publication lays out the top five threats facing the healthcare industry and provides the top 10 practices needed to mitigate them. If you do not have your IT department in house but use a third party, this is a document you can provide to your IT contractor and ask: “Are you doing these things? And if not, why?”
Protecting patients is our number one priority, and we all now have to realize that this includes cyber; using the most up-to-date practices is paramount to achieving this goal.