Cybersecurity: Building Secure Connected Healthcare Organizations
The Center for Digital Strategies (CDS) at the Tuck School of Business at Dartmouth and the Owen Graduate School of Management convened a workshop focused on information security in the healthcare industry.
Key Insights Discussed in this Article:
- Perhaps more than any other industry, healthcare requires cyber security coordination and communication among different business entities. Regional and local hospitals, physician practices, insurance companies, pharmaceutical companies, vendors, and patients must all participate.
- CISOs in the healthcare industry juggle a lot of responsibilities. CISOs in this sector don’t just handle information security; they are often tasked with data retention, protecting privacy, and even maintaining physical security of facilities—all in an industry where individual privacy is paramount and sacrosanct.
- Common pain points include data, systems maintenance, personnel, and third-party management. The common thread in these challenges is keeping a secure conduit between information, systems, and human beings. Each waypoint represents a security risk.
- Medical device security is top of mind for 2017. These devices, if hacked, could injure or kill patients: that’s the ultimate healthcare information security threat.
- Patient portals are a two-sided threat. CISOs need to secure the front door, where patients log in. But they also need to secure the back door, where the data is stored and where third parties might have access.
- The Secret Service is a resource for CISOs. It will discuss the latest criminal trends and tactics with CISOs, and will be responsive to requests for assistance with data breach investigations.
- The Internet of Things (IoT) is a massive risk that the industry doesn’t know how to manage yet. A distributed network of internet-connected machines can become computing power for hackers. Likewise, compromised building controls can disrupt the care delivery process and harm patients.
- Phishing training programs work. Sometimes it takes repeated lessons and examples of phishing attacks, but these educational programs are the best tool for awareness and training employees on identifying phishing messages.
- Board meetings are an important time for CISOs to garner top management support for what they do. The key is brevity and clarity; the board members don’t want to sit through a long, technical discussion of cyber security.
The workshop was conducted in “Old Mechanical,” one of the oldest buildings (1888) on the Vanderbilt University campus, and the former home of the mechanical engineering school. Funding was provided by a National Science Foundation grant led by Kotz, called Trustworthy Health and Wellness (THaW). According to its mission statement, THaW exists “to enable the promise of health and wellness technology by innovating mobile- and cloud-computing systems that respect the privacy of individuals and the trustworthiness of medical information.”