HealthBlawg

David Harlow's Health Care Law Blog


Keep it Clean: Ransomware and David Harlow in the Press

July 17, 2017

I wrote a piece for HealthTech recently, arguing that healthcare organizations must practice better data hygiene to stay ahead of looming cyberthreats, noting that cybersecurity in healthcare is not just an IT problem, and that we need a cultural shift in emphasis parallel to the paradigm shift we have seen in the way we have collectively dealt with healthcare-associated infections (HAIs).

What Cybersecurity Can Learn from Modern Medicine

Healthcare’s ongoing cybersecurity plague closely resembles another challenge the industry previously perceived as insurmountable: the spread of healthcare-associated infections. Over the past decade, however, organizations stopped accepting HAIs as a certainty.

Three factors drove the change:

  • Unambiguous financial incentives: The federal government changed Medicare rules and no longer reimburses hospitals for the cost of preventable hospitalizations.
  • Building and sharing tools: Development of public and private sector HAI prevention programs, broad dissemination of key learning, guidelines and checklists, and sharing of experiences.
  • Leadership and drawing a line in the sand: When a health system CEO says, “We will eliminate all central line infections in our system within three years,” things happen.

We know what we need to do; we just need to do it.

After WannaCry and NotPetya, the ransomware outbreaks that spread using the EternalBlue exploit, hit, I spoke with Part B News for a piece on the new status quo in ransomware and approaches to take in minimizing exposure (behind paywall). These include some real basic stuff — but major multinational corporations, large government agencies and health care organizations failed to take some of these steps and got burned:

  • Patch your OS and software.
  • Limit the ability of end users to install software — either don’t let them do it at all, or limit their choices to whitelisted programs screened by IT security staff.
  • Remember — not all IT professionals are IT security professionals. Bring in the right resources for the job.
  • Not all systems or all staff need access to all data. Minimize the data used in any one system, limit data exposed to view in any way from beyond the internal network, and make sure that backup systems are isolated (air-gapped) so that they don’t get automatically infected if production systems are infected.
  • Grant certain privileges on a per-use basis rather than a per-user basis, and sunset (expire) passwords, so that sensitive data is less exposed.
  • Use creative training techniques, including fake phishing emails that lead to training sites if opened and clicked. (Better than using the same online presentation and quiz you used last year.)

In the end, the bottom line is, well, the bottom line:

Establishing a culture of compliance is critical to increasing funding for implementation, and that starts at the top. Executives, therefore, must commit publicly to eliminate all preventable data breaches. Committing to do better is the first step to becoming better.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting
