Before the week of HIMSS17 sessions began, I attended the Cybersecurity Symposium. Here are a few of my main takeaways from this symposium:
- A term used often throughout the day was "cyber hygiene." Think of it the same way you'd think of personal hygiene: the habitual things you do every day to keep your devices clean, plus the protections you use to prevent viruses and malware.
- Phishing attacks increased 250% in the first quarter of 2016, and phishing continues to be the #1 mechanism for delivering malware.
- Data ownership and data stewardship are similar concepts, but they differ when approached from a security perspective. Data governance will be a key focus going forward.
- In some recent cyber attacks, the attackers gathered their social engineering material by listening in on unsecured teleconferences and WebEx sessions. The recommendation is to password protect these sessions and to give attendees the password through a separate channel (for example, by text message rather than in the email invite).
Executive and Board Involvement
In another session, “Engaging Executives and Boards in Cybersecurity,” the speaker discussed the involvement of executives and boards in cybersecurity and the challenges that can present. Here are three things that often hamper the discussion:
- Complexity of cybersecurity – difficult to understand the complexity and language of security, and feel it’s the responsibility of IT
- Lack of effective messaging – limited communications that deliver an understanding of what the threats are and the risks involved
- Breach impact unawareness – costs and ramifications of a breach on the organization aren’t fully understood
Cybersecurity Messaging Framework
To explain cybersecurity concerns to healthcare executives and the board, here is a messaging framework to use:
- Who might attack? – Relay the likely scenarios
- What are they after, and what are the risks we need to mitigate? – What information is at risk and what is needed to protect it
- What tactics might they use? – So we know what to educate our workforce on and what protections are needed that we don’t have
- What is needed to strengthen our information security program to reduce the risks to an acceptable level? – What is our current capability and what needs to be done?
If you’re interested in learning 6 practical steps toward protecting your organization appropriately from healthcare cyber attacks, the ICE security team recently put together this security tip sheet.