“We’ve been saying that for 15 years and the strategy doesn’t work,” said Theresa Payton, CEO of Fortalice Solutions and former White House CIO said here on Monday at the HIMSS Healthcare Security Forum.
Instead, Payton said that she is still seeing business email compromises on the rise in healthcare.
“From a social engineering standpoint, it has never been easier to trick employees,” Payton added. “Business email compromise is one of the largest unreported crimes after ransomware.”
What’s more, there’s a 25 percent probability that any given healthcare organization will be hacked in the next 2.5 years, said Salwa Rafee, worldwide security leader for healthcare and life sciences at IBM.
And there will always be human error, such as recycled passwords or someone clicking on a malicious link, and the technology will fail as well.
“Humans are not the weakest link,” said Payton. “Technology is open to be hacked and data can never be 100 percent secure. We have to design for the human.”
That applies to all employees, administration, clinicians – and even patients, according to Chad Wilson, chief of security and IT director at Children’s National Health System.
Hospitals will also have to protect patients and their data outside the EHR, beyond their four walls and into consumers homes and daily lives, added Anahi Santiago, CISO of Christiana Care Health System.
“Information security is a patient safety issue,” Santiago said.
With that in mind, Payton recommended network segmentation and two-factor authentication, as a minimum type of safety net, to isolate attacks so when they do happen, hospitals can stop them from spreading to other departments, devices, facilities or software systems.
“Segment, segment, segment,” said Sonia Arista, national healthcare practice director at Fortinet.
Though segmentation is not a guarantee, it can minimize damage and maximize resilience, Payton said.
“We’ve been so focused on data and network and hardware that we’ve kind of forgotten about the human cyber and social footprint,” she explained. “The next thing is putting a safety net around the user.”