How did the state of cybersecurity in the United States get so bad? What happened to create the situation in which organizations find themselves stuck? One high-level expert has a simple answer.

“We took a fundamentally insecure network designed to help a small group of trusted scientists collaborate with one another and turned it into the backbone of our economy without thinking through the consequences of generalizing all of the network’s vulnerabilities,” said Joel Brenner, a research fellow at the Massachusetts Institute of Technology who focuses on cybersecurity, privacy and intelligence policy, and who was the former senior counsel at the National Security Agency. “One problem is you don’t really know on the Internet whether the person you think you are communicating with really is that person. Another problem is it’s very easy to insert malicious code into a system, and really, really difficult to find it.” 

 Learn more at the Privacy & Security Forum in Boston Dec. 5-7, 2016.

And that’s the problem all industries, including healthcare, find themselves wrapped up in today. And for healthcare, cybersecurity presents special problems.

“Fundamentally, there are not only threats to information but threats to healthcare organizations’ ability to operate,” Brenner said. “If someone wants to really create havoc, they could take a hospital offline just like they could take down a manufacturing plant. The healthcare industry focuses almost entirely on the risk to personal healthcare information because that is where the statutory penalties are, and that is a very severe risk. But the other risks concern our trust in hospital systems and hackers’ abilities to make a hospital go dark.”

So what would happen if, for example, a hacker penetrated a hospital system, altered the chemotherapy protocols for cancer patients in that hospital by 10 percent one way or another, and made the changes in such a way that no one could find out for a period of time, Brenner posed.

“What would the consequences be?” he said. “They might be enormous for patients. And the result would be no one would trust any system in that hospital, and perhaps many other hospitals, as well. That would be worse than making one hospital go dark. We have a lot at stake here, more than just PHI.”

Brenner said a good place for healthcare organizations to begin solid cybersecurity efforts is with governance, and that they should look to the SANS Institute’s CIS Critical Security Controls. These controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks, SANS described. A principal benefit of the controls is that they prioritize and focus a smaller number of actions with high payoff results, SANS added.

“That is the first place to look, and the list is easy to understand, it’s not a whole book,” Brenner said. “This is fundamentally a governance problem.”

 The Privacy & Security Forum takes place in Boston Dec. 5-7, 2016. What to expect: 
⇒ How to beat back hackers and savvy cybercriminals? Delve into the dark web
⇒ A CISO, consultant, and infosec vendor nail down cybersecurity best practices
⇒ Gone' phishin': Mayo Clinic shares tips for fending off attacks
⇒ What's the fundamental problem with cybersecurity? Relying on the Internet
⇒ Budgets grow but breaches continue without best practices
⇒ Think offshoring PHI is safe? You may not be if a business associate breaches

Like Healthcare IT News on Facebook and LinkedIn