Today on Insights. We go back to a conversation Host Bill Russell had with Nassar Nizami, Executive VP and CIO at Jefferson Health. The topic of discussion was A Look Back at Cyber Attacks in 2016-2017. How Far Have We Come? Bill gives us some dreaded stats and Nassar offers solutions.
Hello and welcome to another episode of Insights. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged. Our hope is that these episodes serve as a resource for the advancement of your career and the continued success of your team. Now onto the show. look back at cyber attacks in: records that were breached in: % higher than what we saw in:
Probably because of the requirement to encrypt by many organizations. So the laptop or device that is lost or stolen and is interrupted then it's not a reportable incident. And there is some requirements on encryption and so forth. But I think that over the last five or six years, seven years this requirement or sort of incentive to input data force organizations or strongly impress the organizations to encrypt.
And because of that, we are seeing the results of a steadying of instruments there. So now that you see a rise in hacking related incidents, I think that's an area where we need to focus. And I think there are other areas, the inappropriate disclosure is also steady but all expected.
But the reason I thought that this was interesting is that, you know this and you think about this in the context of everything else, hacking by Russians in the news and so forth. And this just highlights an area, which is still are as an industry are struggling. or someone who used to be. So: of those breaches. In: ts was therefore far lower in:
And that's just somebody trying to find Britney Spears' record or whatever. The breakdown was 102 inside errors and 70 cases of insider wrongdoing. Four incidents were classified as both. So I mean, these are two big categories, right? You have incidents that are attributed to your employees. f healthcare data breaches in:
And the average in the prior year was 233 days. And actually, they say it should be noted that the data was skewed because some breaches that occurred they didn't detect for more than a decade. So I'd like to break our conversation down into three areas, prevention, detection, and response.
So from a prevention standpoint ransomware is on the rise. What can health systems do to prevent or prepare for these types of hacking attacks?
So I think, to think about preventing attacks and respond is the right way to think. Right. And I think the best controls are preventative control.
So things never happen hopefully. As an industry, we have made some good progress in the last six or seven years around prevention unfold. We all had, most organization had firewalls for the last 15, 10, 15 years. So that's a given now there are new generation of firewalls that are happening that are really good at application level analysis.
And so forth. But I think the biggest bang for buck, an organization can probably get from a prevention point of view is probably from a technology, I will talk about this in a technology and then human sense. So two categories. From technology point of view, in my opinion, is multifactor authentication.
Okay. And it just makes it very difficult for someone who is actively trying to access information. It does not, it's not a cure. It's not a silver bullet, but I think that multifactor authentication has been a challenge in healthcare to implement because of cultural reasons and the need for physicians to get to a patient record immediately and so on and so forth.
So there have been reasons that it has not, industry has not adopted it wholeheartedly. Like if, for instance, in banking or other commercial industries, most of them their workforce has to use two factor authentication or multifactor authentication. Secondly, I think in almost, no most of the breaches that we see which are under hacking or you mentioned ransomware was some, some person doing something that they're not supposed to do.
So it's be opening an email or going to a website and installing something. And that can not be emphasized enough, I think. Because the only, I think the real protection that you can do is train your workforce at different levels. So many organizations do not have dedicated security teams.
They have the experts but those people are probably, a handful of people in any even size large organization, they're a handful. But then you have your folks in technology who I think is training them on security. To make them your first line of defense and then population in general.
Right? So there are technological solutions, I mentioned MFA. I mentioned firewalls that are data loss prevention solutions. There are many technological solutions that we can implement, some of which I mentioned, but I think any organization that is interested in securing and proactively protecting with the technology that they're implementing.
Yeah. The weakness is the human. So let's shift gears to detection. So one of the things that changed the way I think about security is one of our vendors came in and said you need to start designing as if they're already in. Just assume they're already in your network.
There's no walls you can put up that can keep them out. And I'm like, okay. So that actually transformed how I thought about security and prevention. The other thing was a CIO told me he contracted with one of the firms. It could be RSA or one of the firms and what he wanted them to do was to see if he could get physician credentials on the black market.
And they were able to, within I think 24 to 48 hours procure about five or six of their physicians actual credentials, which worked on their system. So they were able to get into a Citrix environment. Get into the medical record and start moving around. And so, detection becomes a little, becomes almost the front line now.
Because you're assuming that they're there in your network, they're tooling around. So you almost have to look at patterns of usage. If that doctor is looking at the wrong record or records that aren't theirs are we tracking all those things? So from a detection standpoint what are some things we can do to detect, first of all, a decade to track a breach is, is kind of amazing. What are some things we can do to find those incidences quicker and sort of move that cycle forward?
So again, I'll talk about technology and people's side of it because I think people are really, again, really important. So the core technologies now, so I mentioned data loss prevention technologies as a security incident and event management system that can log in in real time alert. And this isn't here yet. So we spoke about artificial intelligence and machine learning in the context of health care. But this is an area where I'm seeing some really promising technologies in startups that are coming up ways of detecting very intelligent bays and correlating in quarterly events and then learning.
This is an area that already has some advanced technologies available and we are developing some technologies in this area. SIEM is a must. That's a baseline. DLP, I think, is a must. Many healthcare organizations, actually, the people part is a challenge. So you can have the technologies, but we have the people who are going to look in, respond and sift through all the false positives.
This is definitely a standard to create a number of false positives. And in some cases, before spotters, many, many times more than real incidents, right? Do we have the manpower? The trained manpower? And I think that we don't have as healthcare in particular. As a nation, we don't have enough security professionals.
There is a lack of security protection for everyone. So the pool is very small to begin with. And especially there is an acute need for more security professionals within healthcare. So, I think that looking into third parties, partnering with third parties for 24 by 7 monitoring is, at least in the short term, a stop-gap solution.
Probably things can get through without detection, even if you have 24 by 7 monitoring. But I think in today's day and age, 24 by 7 monitoring is a must.
And if you're a health system that can afford it, to build your own security operation center of sort. Fantastic. But I think most healthcare systems, even our size, or even larger than us cannot afford a 24 by 7 monitoring. Just, the human capital is just not there. So having the right technologies and having people who can respond to it internal and then some external power is I think effective detection scheme or plan.
Wow, thanks for tuning in another great episode. If you have feedback for us regarding this content and materials, or if you would like to help us to amplify great thinking to propel healthcare forward, which is our mission, please send us a note at email@example.com. Thanks for listening. That's all for now.