Not If, But When, You’re Hacked

Cybersecurity has become as important as washing your hands. Passing on a virus in either situation can have catastrophic consequences.

At a recent Health IT conference, a few hospital chief information security officers talked about the present state of HIT cybersecurity and offered some observations.

Here are the headlines:

1. You will be hacked. It is just a question of when and how you mitigate the damage.

2. Firewalls don't work.

3. HIT is 10 years behind other industries, like financial services, but hopefully we can learn from the mistakes others made so it won't take 10 years to catch up.

4. You need a security operations center.

5. Most chief information security officers (CISOs) don't have specialized training in cybersecurity, and there need to be higher standards.

6. Having a state-of-the-art cybersecurity capability requires money, leadership support and the right processes.

7. Big medicine cybersecurity solutions are not applicable to small medical practices. However, most small practices can protect themselves with basic interventions and outsourcing.

8. Behavior analytics can help detect chronic offenders.

9. HIT cyberattacks often go unnoticed for many months. By that time, a lot of damage has been done.

10. Don't negotiate with cybercriminals.

11. You need an in-house team to respond to incidents, but you can outsource monitoring.

12. HIT is being hit because that's where the money is and the pickings are easier since financial services got better at stopping hackers.

13. You need a crisis management plan in the event of a cyberattack.

14. We are not training enough people in HIT cybersecurity.

15. Independent practices affiliated with large hospital systems represent a challenge, particularly when using different systems.

16. As the Internet of Things gets bigger and interoperability becomes more of a reality, there is more to attack.

17. “Share but protect” is becoming harder.

18. Most cyberattacks happen because doctors and other staff members open phishing mail with viruses, malware, and ransomware. They need continuous monitoring and education.

19. Cybersecurity has moved from the basement to the boardroom.

20. Most security information officers get paid to say “no.”

Whether you are a small, independent practitioner, independent but affiliated with a large system, or an employed physician in a large system, cybersecurity has become as important as washing your hands. Passing on a virus in either situation can have catastrophic consequences.