Editor's Note: Welltok and Oliver Wyman recently hosted a webinar to demystify data security, with a focus on why we all need to play a role in protecting health data. Here are some of the most salient points from David MacLeod, CIO/CISO at Welltok, and Paul Mee, Partner and Cyber Platform Lead at Oliver Wyman, on a critically important and sensitive topic that is too often overlooked.
Health data in particular attracts a high value on the Dark Web, and there are major implications for businesses and consumers when it is compromised. It is no longer a question of if you’ll be hacked, but when, whether you will know, and how quickly you can respond and recover effectively.
Here, we present eight hard-hitting statements from the experts to understand why all healthcare executives need to step up their security game:
1. “There are estimated to be 300,000 professional hackers across the world (many more unprofessional ones!). That’s like an entire medium-sized city coming at you all the time.”
Thanks to advancements over the last three to five years, we generate and share more data today than at any other time in human history. That is a lot of data and unfortunately, bad actors are innovating faster on the offense side than enterprises are on the defense side. Organizations need to recognize this and consistently take the right proactive measures to stay ahead of what is a growing and persistent threat.
2. “We have to be careful about what we make available to the consumers of healthcare, and [the consumers] should only trust those organizations with the highest level of security.”
The landscape is changing, and consumers want to integrate clinical care with activities to stay healthy or become healthier. Take free apps as an example. They make it convenient to have 24/7 access to health data, but some survive by selling data to others. This can create a vulnerability in our data armor. Consumers need to read the fine print and be prepared to look for resources from reputable organizations who demonstrate that they are committed to protecting their health data.
3. “When your jewelry is stolen, you know that it has been, as you no longer have it. But when health data is stolen it’s still there. So how do you know it has been compromised?”
Data doesn’t disappear when it is stolen, so there isn’t an identifiable void. The data is often copied, cloned, or obscured in some way, making detection of a breach particularly challenging: the digital equivalent of dirty footprints and broken glass can be found, but only when you know technically where to look. Some data may also be exfiltrated slowly, in small pieces, so the breach may take a long time to detect if the right monitoring is not in place. Early detection is essential and will help minimize both the threat and the cost of a breach.
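To make the "slow exfiltration" point concrete from the defender's side, here is an added Python example (not from the webinar or from Welltok or Oliver Wyman) over a constructed set of outbound-transfer records. The host names, byte counts and thresholds are all assumed values. It contrasts a naive per-transfer size rule, which never fires because every individual transfer is small, with a rule that compares each host's daily outbound total against that host's own baseline, which is where the low-and-slow pattern becomes visible.

```python
from collections import defaultdict
from statistics import median

# Constructed sample egress records: (timestamp, host, bytes_out). Not real traffic.
# "ws-04" behaves normally throughout. "ws-17" looks identical for the first three
# days, then from day 4 adds forty extra 50 kB transfers per day, spread across the
# day, so no single event looks unusual but the daily total triples.
def make_sample_records():
    records = []
    for day in range(1, 11):
        for host in ("ws-04", "ws-17"):
            # ten ordinary transfers of 100 kB each per day
            for i in range(10):
                records.append((f"2024-03-{day:02d}T{8 + i:02d}:00:00", host, 100_000))
        if day > 3:
            # low-and-slow: many small transfers that stay under any per-event limit
            for i in range(40):
                ts = f"2024-03-{day:02d}T{i % 24:02d}:{(i * 7) % 60:02d}:00"
                records.append((ts, "ws-17", 50_000))
    return records

PER_EVENT_LIMIT = 500_000   # assumed naive per-transfer alert threshold (bytes)
BASELINE_DAYS = 3           # assumed number of days used to learn each host's normal volume
VOLUME_FACTOR = 2.0         # assumed multiplier: alert when a day exceeds factor x baseline


def daily_totals(records):
    """Sum outbound bytes per host per calendar day (timestamp prefix YYYY-MM-DD)."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, host, nbytes in records:
        totals[host][ts[:10]] += nbytes
    return totals


def per_event_alerts(records):
    """Naive rule: flag any host that sent a single transfer larger than PER_EVENT_LIMIT."""
    return sorted({host for _, host, nbytes in records if nbytes > PER_EVENT_LIMIT})


def volume_drift_alerts(records, baseline_days=BASELINE_DAYS, factor=VOLUME_FACTOR):
    """Baseline rule: flag (host, day, total, baseline) whenever a host's daily
    outbound total exceeds factor x the median of its first baseline_days days."""
    alerts = []
    for host, by_day in daily_totals(records).items():
        days = sorted(by_day)
        if len(days) <= baseline_days:
            continue  # not enough history to judge this host yet
        baseline = median(by_day[d] for d in days[:baseline_days])
        for d in days[baseline_days:]:
            if by_day[d] > factor * baseline:
                alerts.append((host, d, by_day[d], baseline))
    return alerts


if __name__ == "__main__":
    recs = make_sample_records()
    print("per-event rule flagged:", per_event_alerts(recs))      # nothing
    for host, day, total, base in volume_drift_alerts(recs):
        print(f"{host} on {day}: {total} bytes out vs baseline {base}")
```

The per-event rule is the "broken glass" check: it only catches a smash-and-grab. The baseline comparison is the "dirty footprints" check the paragraph alludes to; in practice the baseline would be learned over weeks rather than three days and segmented by destination and time of day, but the shape of the detection is the same.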
4. “Much like an onion, there have to be many layers in place to protect the healthcare information and privacy. Not all the layers will fail, but we have to anticipate that one or more layer might.”
The Health Insurance Portability and Accountability Act (HIPAA) is the floor of requirements, and it is table stakes to be in the healthcare business. But technology has come a long way since HIPAA was established more than 20 years ago. We are not happy with "just enough" — we want to be better. A layered approach that includes things like Health Information Trust Alliance (HITRUST), National Institute of Standards and Technology (NIST), and General Data Protection Regulation (GDPR) compliance, and even more advanced standards, is needed to manage and secure the connected landscape that exists today.
5. “Once personal healthcare information is compromised, it can't be undone.”
It's a unique and very real problem. A ransomware attack could cause an organization to lose access to key systems, be unable to have trust or confidence in electronic information, or result in large-scale reversion to "pencil and paper" procedures. Not to mention that a breach is also a massive distraction to senior management (especially where there is subsequent media or regulatory attention), taking away focus from the primary purpose of their business. Unlike the compromise of your financial accounts, where the financial institution makes you whole by returning the money, you cannot be made whole in the event of compromised personal information. (You cannot un-ring the proverbial bell!)
6. “In the middle of a storm is not the time to be developing a plan or starting to get to know those who can help you! Do it before the storm!”
Be prepared for how an incident can unfold and decide what to do from a legal, technology, and customer service perspective long before a breach occurs. Fortune favors the prepared: having a plan, clear and proven protocols, and management muscle memory built through repeated practice is critical to minimizing the impact and pain. This includes knowing what you will say publicly to your stakeholders – nobody wants to see you crafting an answer in front of the media!
7. “Security is everyone’s job.”
Educating the workforce and empowering every individual in an organization to identify and help prevent a data breach is essential. Organizations that do this well tap into potentially thousands of sensing mechanisms to raise the alarm and minimize the impact of a data breach. Beyond technical capabilities, an organization’s next best firewall is its workforce.
8. “It's a wake-up call for the healthcare industry: there should be more transparency when it comes to cyber-defense.”
Other industries like aviation have a more open dialogue about risks and issues, especially technical failings. When an event happens, findings from a detailed forensic investigation are widely shared about what went wrong and, importantly, what the sector can collectively do about it. This does not happen in healthcare. The industry needs to be more transparent about sharing what happened when an attack has occurred, so that the larger healthcare community can be protected from future threats.
For the full conversation, watch the webinar replay here.