While few—if any—executives would answer yes to that question, getting the c-suite to plan for and protect consumer health data might require a “Chicken Little” act, said OPEN MINDS Senior Associate Sharon Hicks during the 2019 OPEN MINDS Technology & Informatics Institute. “You have to scare them a bit,” Ms. Hicks said during the “Managing The Data Breach: How To Prepare, Plan & Protect Your Organization” session October 29. “It’s not going to be easy because people live in denial.”
But living in denial is getting harder with recent headlines about millions of dollars spent on data breaches and the fact that 2019 is on track to be the worst year yet for cyberattacks (see Cyber Risk Analytics) with more than 25 million patient records breached in the first six months (see The 10 Biggest Healthcare Data Breaches of 2019, So Far).
A growing number of public and private organizations, as well as U.S. towns and cities, have paid ransoms rather than shutting operations down. And cyberattacks affect health care twice as frequently as other industries (see Preparing For A Cyberattack—In Four Steps and Healthcare Experiences Twice The Number of Cyber Attacks As Other Industries). There is a financial cost, an operational cost, and a reputation cost, Ms. Hicks explained to an audience that included executives whose organizations had received ransom threats.
“Ransomware is a thing. It happens every single day as we see in the press,” Ms. Hicks said. “Hackers focus on small governments because they’re more vulnerable and willing to pay a little bit of money because they don’t know how to get their systems back online. Their targets include large companies that we read about as well as smaller organizations that might not have policies and protections in place.”
One attendee said his organization had been the victim of a ransomware attack when an executive logged into an unsecured hotel network. But a backup plan foiled the hacker’s plans and the organization didn’t pay a dime. As a result of the scare, Charles Moore, senior director of information technology for Inglis, Philadelphia, says the organization allocates “phishing funds” and the chief executive officer understands the value of policies, planning, backups, and testing to protect data and ensure regular operations.
“If systems are down, organizations are actively losing money,” said Ms. Hicks, who suggests that data security experts work with c-suite executives to create budgets for planning, policies, and testing, as well as real-time backups, real-time failover, and redundancies. “Teams need to go through all of their systems, identify vulnerabilities and address them,” she added.
The key is to engage with executives early in the conversation and ensure they understand the risks and the value of data protection investments, Ms. Hicks explained. “CEOs should know your level of encryption and if your organization is certified every year. The CEO,” she clarified, “not just the CIO (chief information officer). That’s the sea change. The c-suite has to understand that this is now everybody’s responsibility.”
To prevent a data breach or hack, Ms. Hicks shared a checklist during her session. Its key items were:
- Conduct a structured assessment to identify vulnerabilities
- Remediate vulnerabilities
- Construct multiple firewalls
- Employ email filters
- Train staff
- Test your environment
- Engage in regular surveillance
- Use encryption consistently
- Create policies for every contingency
- Document all your policies
- Test, test, test
Another essential piece of the preventive data security puzzle is encryption. Encryption secures data and can lessen fines incurred if it is breached. “If your data is fully encrypted, it’s not a breach even if it’s stolen.”
If your system is breached, Ms. Hicks shared three “best practice” responses: first, take the system offline; second, use backup systems to ensure continuity of operations; and third, consult your legal team about required reporting and notifications.
While it’s easy to focus on hackers and external threats, Ms. Hicks warned that one of the biggest risks comes from within. Surprisingly (to me), 59% of all attacks were internal (see It’s The People, Stupid). One example: a health care organization had W-2 information for 60,000 employees compromised when a staff member saved the data onto a portable device.
Planning to prevent data breaches and being prepared for cyberattacks are essential in today’s management environment—from employee access controls to assessments of risk. Learn more about mitigating risk of cybersecurity attacks with these resources from The OPEN MINDS Circle Industry Library:
- The Dark Side & Management Challenge Of The ‘Internet of Things’
- Your Data Security Deserves A Second Look
- More & Larger Health Care Databases Mean More Data Security Concerns
- Do You Have The Right Data Security ‘Attitude’?
- What Is Your HIPAA Security Score?
- Will Security & Interoperability Shape Our Health Care Future?
- Digital Security Isn’t Where It Needs To Be
- It’s The People, Stupid!
- Avoiding The “Wall of Shame”
And join me August 25, 2020 for The New CFO Challenge: An OPEN MINDS Seminar On Keeping Your Cost In Sync With Your Rates In A Changing Market, during the 2020 OPEN MINDS Management Best Practices Institute in Newport Beach, California.