Keep it Clean: Ransomware and David Harlow in the Press

I wrote a piece for HealthTech recently, arguing that healthcare organizations must practice better data hygiene to stay ahead of looming cyberthreats, noting that cybersecurity in healthcare is not just an IT problem, and that we need a cultural shift in emphasis parallel to the paradigm shift we have seen in the way we have collectively dealt with healthcare-associated infections (HAIs).

What Cybersecurity Can Learn from Modern Medicine

Healthcare’s ongoing cybersecurity plague closely resembles another challenge the industry previously perceived as insurmountable: the spread of healthcare-associated infections. Through the past decade, however, organizations stopped accepting HAIs as a certainty.

Three factors drove the change:

• Unambiguous financial incentives: The federal government changed Medicare rules and no longer reimburses hospitals for the cost of preventable hospitalizations.
• Building and sharing tools: Development of public and private sector HAI prevention programs, broad dissemination of key learning, guidelines and checklists, and sharing of experiences.
• Leadership and drawing a line in the sand: When a health system CEO says, “We will eliminate all central line infections in our system within three years,” things happen.

We know what we need to do; we just need to do it.

Tune in to past and future HIPAA Chat webinars & web radio broadcasts

After the Eternal Blue exploits WannaCry and NotPetya hit, I spoke with Part B News for a piece on the new status quo in ransomware and approaches to take in minimizing exposure (behind paywall). These include some real basic stuff — but major multinational corporations, large government agencies and health care organizations failed to take some of these steps and got burned:

• Patch your OS and software.
• Limit the ability of end users to install software — either don’t let them do  it at all, or limit their choices to whitelisted programs screened by IT security staff.
• Remember — not all IT professionals are IT security professionals. Bring in the right resources for the job.
• Not all systems or all staff need access to all data. Minimize the data used in any one system, limit data exposed to view in any way from beyond the internal network, and make sure that backup systems are isolated (air-gapped) so that they don’t get automatically infected in production systems are infected.
• Limit certain privileges to a per use basis, not even a per-user basis, and sunset passwords, so that sensitive data is less exposed.
• Use creative training techniques, including fake phishing emails that lead to training sites if opened and clicked. (Better than using the same online preso and quiz you used last year.)

In the end, the bottom line is, well, the bottom line:

Establishing a culture of compliance is critical to increasing funding for implementation, and that starts at the top. Executives, therefore, must commit publicly to eliminate all preventable data breaches. Committing to do better is the first step to becoming better.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting