What Do We Do About Cybersecurity?

Not a day goes by without news of a breach, ransomware attack, or a distributed denial of service attack. Protecting data, which is the aim of cybersecurity, has gone beyond just an information technology (“IT”) problem to a “whole of organization” problem. The solution to this problem involves holistic cybersecurity.

Top 5 Significant Future Threats

  1. Ransomware (68.7%)
  2. Advanced Persistent Threat Attacks (61.3%)
  3. Phishing attacks (60.7%)
  4. Spear-phishing (56.7%)
  5. Negligent insiders (55.3%)

Source: 2016 HIMSS Cybersecurity Survey

Confidentiality, integrity and availability of data

We have all heard about cybersecurity. But, what does it really mean? Cybersecurity involves the protection of electronic information in terms of confidentiality, integrity, and availability, frequently referred to as the “CIA” triad. [1] The exact opposite of the “CIA” triad is the “DAD” triad of destruction, alteration, and (unauthorized) disclosure.

Availability

In the health sector, organizations frequently focus on the “A” (availability) of the “CIA” triad. Can I get access to the patient information? Can I get access to the information quickly? Is the information available when I need it? And, is the application, system, and/or device that either houses the information or serves as a conduit to that information available?

Confidentiality

Sometimes, the emphasis on the availability of the information takes away from resources that could have been invested in preserving the confidentiality of information (the “C” in the “CIA” triad). But, in the health sector, too much of an emphasis on confidentiality may sacrifice the availability of the information. Hence, a steady state equilibrium must exist between preserving the confidentiality and availability of the information. Breaches should be avoided at all costs, and yet being able to readily access the information should not be forsaken. (Patient information should not be kept so secret as to be a trade secret.) [2]

Integrity

But, what about the “I” in the “CIA” triad? Why does integrity really matter? Integrity of information should not be overlooked. Information which lacks integrity may have been intentionally or unintentionally tampered with or corrupted. Such information should not be relied upon. In the health sector, incorrect information (i.e., information lacking integrity) may pose a risk to patient safety (e.g., an incorrect dosage or type of medication or the wrong data for the wrong patient). Database corruption may result in a lack of integrity of the information. The integrity of information may also be impacted by a ransomware attack. [3]

Ransomware has been the subject of much concern for healthcare organizations

The very thought of having your computer suddenly inaccessible due to a ransomware infection is alarming, especially when access to the information is imminently needed. [4] A common mode of delivery for ransomware is a phishing e-mail. The recipient of a phishing e-mail may unwittingly click on a malicious link or open a malicious attachment, potentially infecting his or her computer with ransomware. The infection will be successful if adequate controls are not put in place. [5] Once infected, the computer system will likely not be accessible to the end user and the user will be presented with a threatening message demanding payment in return for restored access to the computer (and its data). [6]

A good cybersecurity program is achievable.

With so many threats and all of the news of breaches affecting the health sector, a good cybersecurity program may seem unattainable. But, a good program is achievable with appropriate administrative, technical, and physical safeguards (all of which are required by HIPAA). The first step is to foster awareness and the second step is to know where to turn for solutions. These quintessential steps are embodied in the HIMSS Cybersecurity Hub.

Cisco Systems, Inc. is the first supporter of the HIMSS Cybersecurity Hub

On a related note, HIMSS is pleased to announce Cisco Systems, Inc. as the first supporter of the HIMSS Cybersecurity Hub, located at the HIMSS Innovation Center in Cleveland, Ohio.

Seeing Security in a New Light: Take a moment to learn more about this collaboration from Barbara Casey, senior executive director, Healthcare Americas Business Transformation at Cisco.

At the hub, healthcare professionals find educational resources about cybersecurity threats within healthcare-specific environments. For example, the hub answers questions such as:

  • What threats do I need to look out for?
  • What can I do?
  • Where do I turn for help?

The HIMSS Cybersecurity Hub empowers visitors with the knowledge to make good security decisions to positively impact the security posture at their organizations. This knowledge comes from HIMSS and the public and private sectors. With real-world solutions and resources for the health sector, this interactive experience is destined to be a one-stop shop for all things relevant to healthcare cybersecurity and privacy.

HIMSS Cybersecurity Community Webinar on Feb. 16

Unsecured Endpoints in the Hospital Environment: Securing IOT and Medical Devices:

Interested in more on cybersecurity? Richard Staynings, principal and cyber evangelist, Cisco, discusses what the future may hold for targeted attacks against IOT and medical devices, and what healthcare technology and security leaders should consider doing to protect them. Registration is complimentary.


[1] The HIPAA Security Rule requires administrative, physical, and technical safeguards to ensure the protection of the confidentiality, integrity, and availability of electronic protected health information. See https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/.

[2] A definition of a “trade secret” can be found on the United States Patent and Trademark Office website. See https://www.uspto.gov/web/offices/com/doc/ipnii/lawsec.pdf.

[3] The HHS Fact Sheet on ransomware explains that the confidentiality, integrity, and availability of electronic protected health information may be impacted by ransomware. See https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.

[4] The FBI has a public fact sheet on ransomware. See https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise.

[5] See supra note 4.

[6] See, e.g., https://www.linkedin.com/pulse/27-screenshots-real-ransomware-jen-ruhman

Keywords: 
cybersecurity; privacy and security; HIMSS Cybersecurity Hub