The patient-provider relationship is sacred, Ed Ricks, CIO at Beaufort Memorial Hospital in Beaufort, S.C., said at HIMSS 2016. Maintaining the sanctity of that relationship requires securing patient data, which makes robust healthcare cybersecurity strategies key.
"Certainly we want to be able to provide that for [our patients], but there are a lot of layers that kind of fall into that. You do all the right firewalls, you do all the right spam filters and all the things you should do to kind of protect your network -- that technology gets better all the time," Ricks said. "[It's] scary because there are people smarter than us that are out there trying to do these things."
Marc Probst, CIO at Intermountain Healthcare in Salt Lake City, implored healthcare CIOs and healthcare organizations to continue to work on protecting against phishing attacks by working on perimeter security and educating email users within healthcare organizations.
Ricks said that one of Beaufort Memorial's healthcare cybersecurity strategies is to run a targeted phishing campaign once a month. An employee who clicks on the campaign email, or on a bad link in it, is presented with education about phishing and phishing emails.
"We're on our sixth campaign; we do one monthly. We started mid-fall last year, and the first campaign, I think about 50% of the people actually clicked the link because it seemed pretty legitimate if you didn't know those clues to look for and if you aren't kind of critically thinking about it," Ricks said. "Now we're down [to] like 4 or 5% of folks who actually click that link that could launch, you know, the bad email message."
Another one of Beaufort's healthcare cybersecurity strategies is the use of Iatric Systems Inc.'s Security Audit Manager to audit access to patient data across the enterprise, Ricks said. This enables Ricks and his team to monitor multiple applications and see every instance when a patient record is accessed. Furthermore, they are able to tell whether the activity they are seeing is authorized or unauthorized.
David Higginson, executive vice president, chief administrative officer and CIO at Phoenix Children's Hospital in Phoenix, said, in a previous interview, that network monitoring is key when it comes to healthcare cybersecurity strategies:
"So we use a product called AlienVault, and there are many other products out there that really establish a baseline in your infrastructure. So they do a scan; establish the baseline, which is expected to be kind of this safe and steady state; and then they monitor changes in real time against that ... steady state," Higginson said. "So if you start to see activity on the server that you wouldn't normally see, or you start to see accounts created ... then much like your home security system [you] pay someone to monitor that 24/7 looking for those alerts and then trigger alarms."
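The baseline-and-compare monitoring Higginson describes, as an added Python example that is not from the article or from AlienVault. The host names, the snapshot layout and the event fields are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed baseline: the per-host steady state captured by an initial scan.
BASELINE = {
    "ehr-db01": {"accounts": {"root", "postgres", "backup"}, "ports": {22, 5432}},
    "pacs-app02": {"accounts": {"root", "pacs"}, "ports": {22, 443}},
}

# Constructed observations arriving after the baseline was taken.
EVENTS = [
    {"host": "ehr-db01", "kind": "account", "value": "postgres"},  # known account
    {"host": "ehr-db01", "kind": "account", "value": "svc_tmp"},   # account created
    {"host": "pacs-app02", "kind": "port", "value": 3389},         # new listener
    {"host": "lab-ws17", "kind": "port", "value": 22},             # host never scanned
    {"host": "ehr-db01", "kind": "account", "value": "svc_tmp"},   # repeat sighting
]

# Maps an event kind to the baseline field it is compared against.
FIELD = {"account": "accounts", "port": "ports"}


@dataclass(frozen=True)
class Alert:
    host: str
    reason: str
    value: object


def detect_drift(baseline, events):
    """Return one alert per distinct deviation from the baseline, in arrival order."""
    alerts, seen = [], set()
    for ev in events:
        host, kind, value = ev["host"], ev["kind"], ev["value"]
        state = baseline.get(host)
        if state is None:
            # No steady state exists for this host, so nothing it does can be judged.
            alert = Alert(host, "unbaselined-host", None)
        elif value not in state[FIELD[kind]]:
            alert = Alert(host, f"new-{kind}", value)
        else:
            continue  # matches the steady state
        if alert not in seen:  # raise each change once, not on every sighting
            seen.add(alert)
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_drift(BASELINE, EVENTS):
        print(a)
```

A host that was never scanned is reported as its own alert type rather than ignored, since it has no steady state to compare against.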
While using these technologies is important, Probst points out that all these investments in security are for nothing unless healthcare organizations work together.