'Everything you do is a risk management decision'
By: Mike Miliard, Healthcare IT News.
During the Cold War, back when Richard "Dickie" George was a mathematician at the National Security Agency, security meant something different than it does today. The foes knew one another well. And if there was plenty of skulduggery to go around, at least there were some recognizable rules of engagement.
"Back when it was us and the Soviets, there was about one big espionage event every 10 years," he said, speaking at the Healthcare IT News Privacy & Security Forum in Chicago on Tuesday.
In the 21st Century, the threat landscape is very, very different, said George, now a senior advisor for cybersecurity at Johns Hopkins University Applied Physics Lab.
To wit: There were more than 41,000 cyberattacks on government agencies in 2010 alone. That number has only risen. And the malefactors are only getting more insidiously creative.
"They just caught a refrigerator sending out 100,000 phishing emails," said George. "A refrigerator! It's a different world."
A different world, and a dangerous one. That was the theme that emerged – and was driven home again and again – at the Privacy & Security Forum.
Healthcare, especially, is at risk: Medical data is the number one aim for hackers and medical devices are loaded with potentially fatally-exploitable malware, said George, whose talk's title – "Healthcare's Brave New World: Life as a Target" – said it all.
At Johns Hopkins, the challenge is acute and complex, he said: A network of hospitals, with the need to share information constantly. Add in myriad affiliated physicians practices of various shapes and sizes. And the fact that it's a large research university, with scores of students, many of whom are foreign nationals, with access to very sensitive health data.
"Risk management is really hard," said George.
Unfortunately, nowadays "everything you do is a risk management decision," he said. Because in an interconnected healthcare ecosystem, risk is omnipresent.
If you start with 1 percent good behavior and 99 percent bad behavior, and then work hard to improve that to 99 good behavior and 1 percent bad, you still haven't improved your security, said George. That 1 percent is still enough to pose serious security risk.
"People write code," he said. "People make mistakes. Security is never going to be perfect. People are going to get in."
Indeed, hackers' "creativity is shocking in some cases," said Dan Bowden, chief information security officer at University of Utah Health Care.
Bowden says he's seen an uptick in aggressiveness and ingenuity recently, with phishing and zero day attacks sharing more and more in common – almost becoming synonymous in some cases.
That necessitates an "endless cycle of discussion" reassessing data policies, IT strategies and vendor relationships, he said.
(One tip for those looking for business association with smart security strategies, he added: any time a vendor touts the fact that its "HIPAA-compliant," that should be "one of the biggest red flags." It speaks to a fundamental misunderstanding of what strong security requires.)
The threat is so omnipresent – and potentially so ruinously expensive – that many providers are increasingly turning to cyber insurance as risk mitigation strategy, said Erin Whaley, an attorney with Richmond, Virginia-based Troutman Sanders.
Such investments can indeed help defray a host of costs associated with a breach – hefty patient notification costs, fines, money spent hiring PR to restore damaged reputations, even funds to pay blackmail threats from ransomware, she said.
It's important, however, to tailor coverage levels to one's own organizational needs, adjusting according to gaps and vulnerabilities.
"If you've seen one cyber policy, you've seen one cyber policy," said Whaley.
In fact, "you may need layers of coverage to get to limits that make you feel comfortable," she said. "Even then, it may not cover all the costs associated with a breach."
One certainty exists, however: "Good insurance doesn't replace good security," said Whaley. "Good security is a prerequisite."
Insurers won't underwrite policies without demonstrably robust security practices, she said, since the payouts associated with healthcare data breaches are so huge.