At the PHI Protection Workshop spring forum, presenter Catherine Allen, CEO of the data security firm Santa Fe Group, acknowledged that protecting healthcare data involves more than just battening down the hatches against external cybersecurity threats such as hackers, terrorists and employees who sign on to jobs solely to access and steal data.
However, those threats to providers will likely increase in the coming years, she said, as EHR implementations mature across most organizations and these “bad actor” employees realize the value in exploiting health data.
Allen drew parallels to the financial industry, whose data systems “grew up” some years ago. Healthcare can learn lessons from the financial sector as it follows the same IT systems evolution path. First, she said, bankers cooperated to start a database of bad-actor employees that amounts to a blacklist employers can check during pre-hire background screening. Healthcare would benefit from such a database, too.
Also, she said, financial institutions typically see regulators as partners who help them better manage security risks, whereas many healthcare institutions see them as adversaries. She said that corporate compliance leaders in finance view regulatory advisories as helpful tips for surviving audits or locking down data against the bad guys, not as onerous busywork.
Speaking of the bad guys, Allen said healthcare information security leaders should stop thinking of hackers as miscreant teenagers in mom and dad’s basement attempting to cause mayhem. Although that does happen on occasion, she said hackers are more frequently paid employees of organized crime syndicates who methodically break into systems in order to steal salable data.
And then there are the terrorists, who aim to attack infrastructure. While healthcare apparently isn’t a common target for these groups yet, it could be in the near future as data systems go online and attention is drawn to their importance through initiatives such as President Obama’s recent cybersecurity executive order.
“They hire people, they look like a regular business would look for certain skill sets — to hack,” Allen said. “They interview for superior computer science skills and information hacking skills.”