Becker's Hospital Review

April 2017 Issue of Becker's Hospital Review

Issue link: https://beckershealthcare.uberflip.com/i/806232

CIO / HEALTH IT

this concept of holistic security, that we are all in this together, we all play a role. … Let your staff know that you support everyone's participation in this. Ask for their support in working with the IT department to learn about new threats and learn about what to watch for, and to feel a sense of responsibility to the organization."

Heather Staples Lavoie, Chief Strategy Officer, Geneia (Harrisburg, Pa.): "The weakest link in security is people. It's a human resources, management challenge. Some of it is really education. Nobody wants to hear it, but two-factor authentication is important. It's a hassle for people, but it's more of a people challenge than an organizational or technical challenge. Organizations really need to move up and tighten controls. Many of the breaches that you've seen have really been because of people issues, not necessarily because of technical vulnerability."

Ben Kanter, MD, CMIO, Vocera (San Jose, Calif.): "Lock down all the PCs in the hospital. Lock down all the USB ports. Lock down all ability to alter configuration. Second is strengthen your policy for all of the laptops. … Do you have the ability to remote wipe? Is it encrypted? That sort of thing."

Todd Rothenhaus, MD, CMO, athenahealth (Watertown, Mass.): "I would wipe everybody's passwords out, all access out, and restart it. I believe it's the internal intruder and the carelessness. No. 2 would be your people have files, Excels, all over the universe with patient information in it. … Just knowing that there's an Excel with Social Security numbers on some drive is easy [to address]."

Frances Dare, Managing Director, Health & Public Service, Accenture (Irving, Texas): "I'd have a risk assessment done right away. What it's likely to reveal is that my biggest risk areas are my connected medical devices. It's not just about EHRs. While people and behavior are absolutely [vulnerabilities], we're seeing the biggest vulnerabilities right now in medical devices."

Brian Kalis, Managing Director of Digital Health and Innovation, Accenture (Minneapolis): "I would advocate, if it is not already, making cybersecurity a board-level priority. Making it as a board-level priority as well as part of the C-suite agenda. If I were to go to part two, I would start working on the human-factor aspect of it. That's going to be training and change management."

Dave Dyell, President and CEO, Jellyfish Health (Panama City, Fla.): "Training. I think training is the simplest and easiest thing. It's really shocking sometimes how staff at different levels of the organization won't really understand the impact they can have on cybersecurity and that simple little thing that they do, accessing a website or whatever, can really endanger the entire health system and every patient's record."

Randy Parker, Founder and Chief Business Development Officer, MDLive (Sunrise, Fla.): "Move off of on-premise systems and move into cloud where they have data security and high trust capabilities that have been built for security. So many systems are still working on legacy, on-premise solutions and have not been able to take advantage of the types of technology that are available for cybersecurity today."

Paul Black, CEO of Allscripts (Chicago): "An hour doesn't give the CIO much time. I'd recommend using that window to run an audit which might help pinpoint significant vulnerabilities — and that information could then form the starting point for a comprehensive plan to rectify weaknesses and limit future exposure. For long-term cybersecurity improvement, I recommend opening IT positions with staff augmentation strategies and hiring a top cybersecurity firm to conduct an external review of security preparedness."

Ed McCallister, Senior Vice President and CIO of UPMC (Pittsburgh): "Educate your employees. We do that through internal phishing exercises. We send an email out asking you to download information, then we follow up with those who download the file. We've been doing mock phishing exercises for a year, and when we did the first, 38 percent of IT professionals fell for the email. These are people who are supposed to be more aware of what's trending in this space. In the year since, it's trending down."

Keith Bigelow, General Manager of Analytics at GE Healthcare (San Francisco): "[The CIO] should go in the bathroom and look in the mirror and ask, 'Do I really have a better cybersecurity team than some of the health clouds? Do I really have a team that is better at protecting patients' data?' How can a hospital afford to staff enough people to entrust and protect the data of their patients? Even if [breaches and attacks] weren't getting more sophisticated, the volume of them is getting more intense. Your expertise is care, not cybersecurity. I just don't think that can be a core competency of a hospital long-term."

Neal Singh, CEO of Caradigm (Seattle): "Get a governance and compliance plan in place. The more you can put governance and risk compliance systems in place to get a handle on data, the better off you are. You'll have people coming and going from your organization all the time, or activity happening with organizations joining yours. You have to make sure the right person is accessing the right data set."

John Kravitz, CIO and Interim Chief Data Officer, Geisinger Health System (Danville, Pa.): "Educate employees to let them know they will always be under phishing attacks to surrender their credentials. Also [educate them about] targeted phishing attacks, where the hacker learns about the people and processes in the organization then poses as that person in order to exploit the organization's assets."

Suzanne Travis, Vice President of Regulatory Strategy at McKesson Technology Solutions (Alpharetta, Ga.): "Have a risk assessment. If they haven't done a risk assessment and aren't managing to results of the risk assessment, they could be wasting their resources, targeting the wrong thing or thinking they are safe when they are not. The most common reason providers fail a HIPAA audit is because they don't do a risk assessment."

Bill Miller, CEO of OptumInsight (Eden Prairie, Minn.): "We hire so many people and acquire so many people. Get people trained on what they can and can't do. That has to be done quickly and early on in the process of them being hired. We don't have a business if we are breaching security. These breaches we put our fundamental reputation at risk — our brand really comes down to trust."

Cybercriminals Sell EHR Databases for $500k Underground

By Jessica Kim Cohen

The majority (65 percent) of victims of medical identity theft have to pay roughly $13,500 to address their situation, according to a Trend Micro report. But how much do criminals charge for the information?

Criminals can make use of EHRs in a few different ways, according to the report. They may procure drugs using prescription information, create fake identities using personally identifiable information or obtain medical insurance with Social Security numbers.

Here are five estimates of what criminals charge for EHR-related documents being sold underground.

• Complete EHR database: $500,000
• Driver's license: $170
• Comprehensive personal profile, with personally identifiable information, Social Security number, appointment schedule, date of birth, insurance ID number and other documents: $5
• Medical insurance ID: $1
• Personal profile, with medical and insurance data: $0.99
