When was the last time you talked to your company’s emergency response planners? If you haven’t done so in a while, make it a New Year’s resolution to get a cup of coffee with them.
Since late 2013, we’ve seen high-stakes data breaches at Target, Home Depot, and, most recently, Sony Pictures Entertainment, among other companies. The Sony cyberattack makes it clear that the potential after-effects of data theft must figure prominently in a company’s overall disaster preparedness plans.
The Sony situation — in which hackers working on behalf of North Korea’s government stole proprietary information and personal employee data through Sony’s computer network, according to the FBI — has already resulted in lawsuits, embarrassing executive emails posted publicly, and a new movie’s release outright cancelled amidst security threats.
In short, the data theft disrupted business in a way Sony likely never anticipated.
Technology and its benefits play prominently in the national push towards EHRs, interest in cloud-based medical care, and the general use of digital devices in healthcare. However, technology in the wrong hands can result in people taking illicit advantage of all three of these trends.
Just prior to leaving the ONC in summer 2014, former Chief Privacy Officer Joy Pritts told SearchHealthIT that two of the best tools to help thwart medical identity theft are security risk assessments and thorough criminal background checks on new employees.
Much as healthcare clinicians and safety officers must judge their ability to react to bombings, transportation disasters, and disease outbreaks, CIOs must determine whether a given organization can withstand a network-based assault on the level of Sony’s incident.
Will your patients return if a foreign country steals their EHRs? Do executives in your company use email to express opinions that would be unflattering under public scrutiny? Are revenues at risk if a hacker threatens violence at a hospital?
Regardless of whether the motive is simply EHR fraud or a bigger political statement, a potential cyberattack via health IT systems needs renewed discussion between emergency preparation organizers and CIOs. Putting off this assessment any longer, particularly for large healthcare systems, invites a situation similar to Sony’s.
Scott Wallask is news director at SearchHealthIT. Follow him on Twitter @Scott_HighTech.