DEBUNKING THE CYBERSECURITY THOUGHT THAT HUMANS ARE THE WEAKEST LINK
EXPERTS AT THE HIMSS HEALTHCARE SECURITY FORUM SAID THE NEXT PHASE OF INFOSEC SHOULD BE TO SECURE THE HUMAN AND PUT SAFETY NETS IN PLACE TO PROTECT THEM.
BOSTON – The time has come to move beyond the security mantra “Don’t click on email links or open attachments and we’ll all be safer.”
“We’ve been saying that for 15 years and the strategy doesn’t work,” Theresa Payton, CEO of Fortalice Solutions and former White House CIO, said here on Monday at the HIMSS Healthcare Security Forum.
Instead, Payton said that she is still seeing business email compromises on the rise in healthcare.
“From a social engineering standpoint, it has never been easier to trick employees,” Payton added. “Business email compromise is one of the largest unreported crimes after ransomware.”
What’s more, there’s a 25 percent probability that any given healthcare organization will be hacked in the next 2.5 years, said Salwa Rafee, worldwide security leader for healthcare and life sciences at IBM.
And there will always be human error, such as recycled passwords or someone clicking on a malicious link, and the technology will fail as well.
“Humans are not the weakest link,” said Payton. “Technology is open to be hacked and data can never be 100 percent secure. We have to design for the human.”
That applies to all employees, administration, clinicians – and even patients, according to Chad Wilson, chief of security and IT director at Children’s National Health System.
Hospitals will also have to protect patients and their data outside the EHR, beyond their four walls and into consumers’ homes and daily lives, added Anahi Santiago, CISO of Christiana Care Health System.
“Information security is a patient safety issue,” Santiago said.
With that in mind, Payton recommended network segmentation and two-factor authentication, as a minimum type of safety net, to isolate attacks so when they do happen, hospitals can stop them from spreading to other departments, devices, facilities or software systems.
“Segment, segment, segment,” said Sonia Arista, national healthcare practice director at Fortinet.
Though segmentation is not a guarantee, it can minimize damage and maximize resilience, Payton said.
“We’ve been so focused on data and network and hardware that we’ve kind of forgotten about the human cyber and social footprint,” she explained. “The next thing is putting a safety net around the user.”