From the April 2015 issue of HealthCare Business News magazine
One of those experts is Timothy P. Ryan, managing director of cyber security at the investigative firm Kroll, and a former supervisory special agent with the FBI who supervised the largest cyber squad in the U.S. He has seen a change in the level of sophistication of attacks in recent years. A decade ago, there was a small core of people who had the technical know-how to break into a company and move within it, he says. “Now there are more people who know how to do it, and I don’t see the methodology to detect that or respond to it as having changed as dramatically as the skill sets to carry out those attacks.”
The days in which health care organizations, particularly providers, were under the radar of sophisticated cyber criminals are over, according to Larry Ponemon, founder and chairman of the Ponemon Institute, a think tank focused on privacy and data protection practices. He says that incidents involving external attackers are on the rise, and now account for up to 25 percent of all patient data breaches.
A view from the health care trenches
John Houston is vice president of privacy and information security, and associate counsel at the University of Pittsburgh Medical Center (UPMC). As a large academic medical system with 21 affiliated hospitals, UPMC has significant resources to maintain cyber security. That includes a team of analysts that review security-related communications from its various sources on a weekly basis, and address issues that require attention. It also relies on the private sector for threat intelligence.
Despite the sophistication of today’s hackers, they often use basic tactics such as phishing emails to gain access to networks. In fact, UPMC has recently started to use what Houston describes as mock-phishing — sending emails to employees to see if they click on the link and provide personal information.
When they do, they get a message that, if this were an actual phishing email, they would have given away credentials that would have given hackers entry into the system.
He says it is important to understand that the way data is housed today has changed. Five years ago, much data were housed in the organization’s data center. Today, and increasingly in the future, data will be housed using cloud-based services. Consequently, he has to think differently about protecting his data, which exists both inside the perimeter and outside of it.
In a sense, relying on third-party vendors is more difficult, because it requires a high level of trust. In his view, this is an area where the health care industry needs to mature. “There needs to be a better way, as an industry, to ensure that those vendors are doing what they are supposed to do, that goes beyond having a business agreement.”