SearchHealthIT spoke with Gary Seay, former senior vice president and CIO of Community Health Systems in Franklin, Tenn., one of the early victims of a healthcare data breach, about how to reduce or prevent cybersecurity attacks. Seay retired at the end of 2015 and became principal of BrightWork Advisory, LLC, a practice focused on enabling innovative healthcare solution success. Seay talked to SearchHealthIT about the most common mistakes healthcare organizations make that leave them vulnerable to attack and the lessons he learned during his time as a CIO.
What are the common mistakes healthcare organizations make that make them more vulnerable to cybersecurity attacks?
Gary Seay: Healthcare providers are primarily focused on delivering care and are very sensitive to providing convenient access to active medical staff. This creates a real operating dilemma for senior business executives and technologists, who have to balance enablement of care as quick, convenient, readily accessible to every member of the care delivery team against HIPAA privacy requirements and cyberthreats. So things like two-factor authentication and strong passwords or limited data access, role-based access to data, and aggressive care team management are all challenges that need to be balanced because the requirement to support safe, effective and timely delivery of care to the patient is paramount. And then, you're always competing for resources. It isn't cheap.
Can you talk about lessons learned throughout your career in terms of preventing healthcare cybersecurity attacks?
Seay: Never assume you're safe. If you don't know you've been hacked, then you probably have been hacked and just don't know it yet. Active defense and security professionals are adept, are focused primarily on defenses. You don't just have to build your castle walls high and deep, you also need to be sure that you're actually not storing gold that you don't need. So pay attention to your data repositories and your warehouses and your content. Don't create targets for data breaches that you really don't need to have. Pay attention to culture. Phishing awareness, role-based access, ongoing policy training and awareness are all key elements of creating a culture in an organization that is aware of its responsibilities and is well prepared to be a partner.
Security is everyone's job, not just IT or not just the chief information security officer. Help operating management and medical staff understand their role and their position in the whole process of securing patient information while you're also working to make it accessible. You really have to pay attention not just to security but also convenience and accessibility. There are ways to achieve both and still be secure. Active two-factor authentication is a good example of that. It can be configured to be reasonable for the user and effective to prevent a credential theft from becoming a data breach. Cultivate a relationship with the FBI before you need it. Have a game plan in your back pocket in the event that a data breach [happens] for handling legal compliance [and] communications and is robustly compliant with the law; ethically sound; and very, very sensitive to restoring confidence in your brand. Never assume that you're good.