Last week, CIOs, CMIOs, CHIOs, and healthcare leaders gathered in Phoenix, not only for sun and golf, but for the popular annual CHIME Fall Forum. The College of Healthcare Information Management Executives brings together some of the brightest minds in the industry to discuss important topics in health and IT. A major topic this year, garnering mentions in almost every session and the focus of keynoter Shark Tank shark Robert Herjavec, was cybersecurity.
Stories of breaches and ransomware abounded. Did you know that a patient record is worth 4x as much as credit card details on the dark web? Beyond that, the scariest part is not the loss of records beyond your walls, but the potential for cybercriminals to hold the data in the EHR for ransom and actually change it. This means that cybersecurity is not just an IT issue, it's a patient safety issue.
Interestingly, recent breaches have not occurred through traditional software applications or email phishing schemes, but through medical devices and unpatched systems. A hospital presents a challenge that other highly sensitive environments (like banks, federal facilities, etc.) don't have: public access to every corner. Try walking around the counter at your bank and you'll be surrounded by police in no time. In a hospital, staff, patients, and the public can walk right up to and touch a medical device or system that is likely connected to the hospital's network. It's imperative for healthcare organizations to patch systems and work with vendors and device manufacturers to determine points of weakness and bolster their security.
The greatest source of sensitive information in your healthcare organization is your Electronic Health Record (EHR), and analytics is the window into your EHR. That makes your business intelligence applications ripe for attack, both internally and externally. What are you doing to protect this area? True analytics platforms have robust, rules-based security engines and capabilities not only to monitor and audit usage, but also to help prevent breaches and identify patterns of suspicious activity. Here’s what it looks like in Qlik:
Remember, compliance is not an effective cyber defense, and HIPAA is not security. An ounce of prevention is worth a pound of cure.