Top 3 HIMSS Takeaways
I recently presented at the Healthcare Information and Management Systems Society – North Carolina Chapter – where I talked about the importance of securing data within the healthcare industry. During my time at the conference, I kept my ear to the ground to better understand broader trends impacting the industry and left with three big takeaways:
1. Big data delivers on promise, gives me pause
In the talk, “Growing Health Analytics Without Hiring New Staff”, Monica Horvath from a company called ThotWave pointed out an amazing – and somewhat unknown – story regarding the water tragedy in Flint, Michigan. Following the water supply change to the Flint River and subsequent lead poisoning crisis, Pediatrician Dr. Mona Hanna-Attisha used big data to gain insights around the increased lead levels in children in the greater Flint area. Then, she focused on specific areas of Flint where the levels were triple. Essentially, she side-stepped bureaucracy to expose this tragedy, which likely saved lives.
This was a huge win for big data champions, as Ms. Horvath pointed out, but it also made me wonder: while this was used for a good cause, could bad actors have access to this level of data? How is all that big data surrounding electronic health records being protected? We need to protect and enable data in a way that allows good actors to continue to discover patterns and conclusions, without exposing that data to bad actors who can do harm to individuals.
2. Multifactor authentication: Still all stick, no carrot
The presentation entitled “Multifactor Authentication – 2016’s Essential Security Project”, co-presented by Chuck Kesler, CISO at Duke Health, and Jon Sternstein at Stern Security, was a great example of a CISO focused on protecting employees of Duke Health, despite widespread resistance.
Even in a healthcare organization, people don’t always want to do what is best for them, like multifactor authentication, to protect employee credentials. When Duke Health started to roll out the program, there was a minor jump in enrollment, which quickly plateaued. It was not until the message that there might be lost wages for those who lagged that widespread adoption occurred. It was really a reality check that something as simple as multifactor authentication takes a big stick to force people to change, instead of the carrot that assures them their credentials can remain secure.
3. Ransomware: Addressing the elephant in the room
Following my presentation – “Data Under Attack” – I was surprised by some of the initial questions, mostly about ransomware. It quickly dawned on me that my presentation title was somewhat misleading to healthcare IT professionals, who have been inundated with ransomware attacks.
Ransomware is a type of malware that infects computers belonging to individuals and businesses, preventing users from accessing their data. The bad actors who infected the computers keep the data hostage until victims pay a ransom.
While this was not the interpretation of “Data Under Attack” I was considering when putting together the presentation, it was a source of some very interesting conversations. For example, take this question: Could encrypting my data protect it from a ransomware attack? I’ll try to be more succinct in this blog than my answer at HIMSS: If the data being held ransom was encrypted, then the bad actors won’t be able to access it. That’s the good news. The bad news is, if you don’t have a backup of your data, you will need to defeat the encryption of the attacker, recreate the data, or pay the ransom. There is an old IT mantra regarding data: “Data does not exist unless it exists in 3 places”. Organizations that understand (and practice) this are not susceptible to ransomware, and organizations that persistently protect their data are not susceptible to data breaches resulting from data exfiltration by ransomware.
I can’t wait to title my next presentation!