Issue link: https://beckershealthcare.uberflip.com/i/534828
Dear Hacker: Here is Your Invitation to Attack Our Network

Discussing cybersecurity is a liability if one isn't careful.

By Akanksha Jayanthi

The last thing a healthcare IT, security or privacy officer wants to do is send an open invitation to hackers to infiltrate their systems. Yet that may be exactly what they are doing when discussing their security programs.

Across all industries, marketing and highlighting an organization's strong points and unique offerings are key — and common sense — to business practices and gaining market share. The same concept largely holds in the healthcare industry. Hospitals that acquire the latest technologies are sure to talk about them, for example.

However, this dynamic does not hold in the world of healthcare cybersecurity, a growing landscape of highly valuable information combined with hackers' desire to obtain and potentially misuse that information. In healthcare, organizations walk a delicate line between marketing their capabilities — cybersecurity included — and creating an even greater security risk for patient data.

External communication

Healthcare data breaches are on the rise, and a new Ponemon Institute report found criminal attacks are the top cause of breaches, increasing by 125 percent over the past five years.

Internally, cybersecurity discussions are certainly top-of-mind for hospital and health system executives and privacy leaders, but talking about cybersecurity measures to the media or general public can be a liability to the organization, depending on how they are discussed.

"[Cybersecurity] absolutely is something [healthcare organizations] should be talking about, but there's an appropriate way to talk about it and an inappropriate way to talk about it that could potentially put you at harm," says Mac McMillan, co-founder and CEO of information security and privacy consulting firm CynergisTek and current chair of the HIMSS Privacy and Security Policy Task Force.

What not to do

The key, Mr. McMillan says, is not to speak in absolutes, such as saying data at a healthcare organization is 100 percent secure or that individuals needn't worry about their data protection at a certain company. Doing so, Mr. McMillan says, sets healthcare organizations up for two issues.

First, making such a statement is essentially an invitation for a hacker to try to break into the system. The best case scenario, Mr. McMillan says, would be a hacktivist — someone coming after healthcare organizations not with the intention of stealing data but just to prove them wrong — successfully doing so. The worst case scenario would be an actual hacker who successfully infiltrates a system with a harmful agenda.

"Now you've got a major breach on your hands that you have to try to explain when you just told everybody you were 100 percent secure," Mr. McMillan says.

Secondly, making a definitive claim that a network is entirely secure brings additional scrutiny onto your organization, including an intensified, watchful eye from the Federal Trade Commission. The FTC carefully monitors what claims companies voice to their consumers, and if a healthcare organization makes such a claim, it may face charges of consumer fraud, Mr. McMillan says.

"When you put on your website that your environment is 100 percent secure… or certify the network is HIPAA-compliant, basically what you've done is you've made a contract with the consumer, that if you fail to live up to it, it's essentially a consumer fraud issue," Mr. McMillan says. "You made a claim that wasn't true."

Additionally, statements guaranteeing security are inherently untrue, even if a healthcare organization believes it has all the best security measures in place. Healthcare threats change daily. New vulnerabilities are identified and new threats emerge.

"There's no such thing as a 100 percent secure solution or secure environment," Mr. McMillan says. "You can certify you're doing all the right things, that you're following a particular approach and you can certify that you use a certain methodology. But you cannot certify that you're secure."

Considerations for communication

However, as Mr. McMillan mentioned, healthcare organizations should discuss cybersecurity outside of their own four walls, largely as an affirmation to patients and consumers that the organization is dedicated to protecting information.

"What you can say, and what you should say — assuming it's true — is that you are trying to achieve a high level of security, or you are doing the things you believe are responsible to protect information or that security is a high priority with your organization," Mr. McMillan says. "That says to the consumer what they want to hear, which is you care about security and you care about the protection of their information, but you're not making some bold claim that their information is 100 percent protected in your environment."