Share this article on:
The response from the healthcare industry to current cybersecurity threats has not been fast enough and basic IT security measures are still not being adopted, according to a Nashville-based FBI Supervisory Special Agent.
Speaking at last week’s CHIME/AEHIS LEAD Forum Event at Sheraton Downtown Nashville, Scott Augenbaum – an FBI Supervisory Special Agent in the Memphis Division – explained the attendees that too little is being done to keep healthcare data secure. He also pointed out that in the majority of cases, healthcare data breaches could easily have been prevented.
When Augenbaum is called upon to visit healthcare organizations following breaches of protected health information, he usually discovers that simple data security measures could have prevented the exposure or theft of PHI. “90 percent of what I see could easily have been prevented. I do not go into a data breach situation where I don’t say, now, wow, that was sophisticated.”
He also said that while investment in cybersecurity has increased in the healthcare industry, the situation is not getting better. Money is being thrown at the problem, but the problem is not being effectively tackled. If healthcare organizations fail to get the basics right, they leave gaping holes in their security defenses that can all too easily be exploited by hackers.
Augenbaum’s keynote speech, titled “The Health Information Executive’s Guide to Cybersecurity”, was intended to raise awareness of the problem and explain the seriousness of the current threat level. In the address, Augenbaum pointed out that foreign government-backed hackers pose a serious problem for the healthcare industry. Furthermore, the situation is likely to get a lot worse.
While foreign entities have not previously been interested in healthcare data, the situation today is very different. Augenbaum explained that part of China’s plan is for the country to become a world leader in healthcare innovation by 2020, yet the Chinese government wants to do this without committing funds to research. Instead, the focus is attacking healthcare organizations in the United States to gain access to healthcare information systems. According to Augenbaum, Russia, Nigeria, and other foreign countries are also using hackers to target U.S healthcare providers.
It is not only foreign governments that are keen to obtain healthcare data. Independent hackers from home and abroad are attempting to hold the healthcare industry to ransom by infiltrating their networks and stealing their data.If cybersecurity defenses are not improved, attacks are not only likely to continue, the situation is likely to get considerably worse.
One of the best places to start is with basic cyber-hygiene. Augenbaum suggested focusing on five key areas of basic cybersecurity – as detailed in the Sans Institute’s CIS Critical Security Controls for Effective Cyber Defense. (Details on this link). By following these guidelines, Augenbaum says it is possible to prevent 90% of healthcare data breaches.
- Create an inventory of authorized and unauthorized devices
- Create an inventory of authorized and unauthorized software
- Ensure secure configurations for hardware and software on all devices (PCs, laptops, mobiles, tablets, servers, and IoT devices)
- Ensure continuous vulnerability assessments are performed and vulnerabilities are remediated promptly
- Ensure administrative privileges are controlled
Augenbaum also explained that many organizations have still not appointed a dedicated person to look after cybersecurity strategy at the highest level. The task is often given to people low down the chain who typically lack the relevant experience or understanding.
It was also explained that healthcare leaders need to build comprehensive IT security strategies. Augenbaum pointed out this is not a quick process. “It takes a full three to five years to implement a comprehensive IT security strategy. People simply don’t understand this.” It is therefore essential that process starts now.