LAS VEGAS -- Hospitals, health systems, and their CIOs are on full alert when it comes to healthcare cybersecurity vulnerabilities. All are trying to identify possible weak points in their organizations and make sure to monitor and secure them. One possible entry point for attackers is Universal Serial Buses, or USBs, David Higginson, executive vice president, chief administrative officer and CIO at Phoenix Children's Hospital, told SearchHealthIT at HIMSS 2016. Higginson details the complicated nuances USBs pose to healthcare organizations and offers up advice on what can be done to fortify against healthcare cybersecurity vulnerabilities via USBs.
David Higginson: USB ports are a nightmare for us. We have a lot of people coming into our organization to do presentations; vendors come in and want to show stuff. It's a fairly public environment. People bring a USB stick and want to be able to plug it into a device, and bad things happen when software transfers that way, and we can't just shut off USB devices; that's not really going to be practical. So it's always a balance between being very secure versus trying to be accommodating of people's needs, and, unfortunately, what tends to happen is you side on the accommodation side until you get hit, and then you swing the pendulum [the other way].
What can healthcare organizations do to prevent healthcare cybersecurity vulnerabilities via USB drives?
Higginson: There's no magic answer, I would say. So you can take one strategy, which is we just shut off USB ports throughout the organization and try to stop people loading on content, but that doesn't work very well because people still transfer files via USB connections, even if you give them a [Microsoft] OneDrive or Dropbox account. When people come as visiting lecturers, academics may come into the organization, all they bring with them is a USB stick. They plug it in and their PowerPoint will come up. It's not going to work very well. And so one of the things that we've focused on ... is when you take data from our network onto a USB port it gets encrypted to protect our data leaving the organization. That's fairly easy to do. That's kind of becoming a standard. But then you've taken that entire USB drive that belongs to someone that may have their family pictures on it and you're encrypting that whole drive. So if they use that encryption they lose that USB port. That often doesn't go well.
And then the flip side of it is they're dragging files onto my network. So they bring that PowerPoint onto my computer to show it, but what if they were bringing a virus? What if they're purposefully bringing malware into the organization? I don't know what the magic answer is, and [with] everybody you've talked to, it depends on whether they've had an attack. Those people are more on the conservative side, and other people may be different.