On cybersecurity

Modern Healthcare - NEWS

MH: A lot of people want to steal medical records. What are you doing to protect them? How much are you investing? How serious a problem is this?


I wish I could tell you any of the details, but my chief information security officer told me not to.

It’s fair to say that over the past three years we’ve doubled security budgets, because the nature of the threats is far different than ever before. It used to be MIT freshmen. Now, it’s cyberterrorists, organized crime and hacktivism. Why? I have 2 million Social Security numbers.

I spend about 2% to 2.2% of the operating budget of the organization on IT. Fidelity spends 35% of their operating budget on IT. So, if you’re Willie Sutton and you want to steal Social Security data, are you going to go after Fort Knox or papier-mache? The answer is, you’re going to go where no one spends money on security.

Of course we’re doing our very best. It’s a huge focus. But the threats are real and increasing. The one message I’d give you is that your people are your worst enemy, because you’re as vulnerable as your most gullible employee.

True story: I sent the following email to the Harvard faculty, “You now password change,” and gave them the URL, “Change my password dot Nigeria.” (Laughter) You know what percentage of the Harvard faculty clicked? Thirty-one percent.


We spend about 7% of our IT budget on IT security. That’s up from zero six years ago when it was password management, identity management. That’s all we did for security. Six years ago we had two people involved in IT security. Today we have 50.

We take it seriously. We’re a soft target compared to financial services or some of these other organizations. But we’re trying to stay on top of it. As an industry, I love the awareness that’s come up over the past three years. Boards are talking about it. Management teams aren’t arguing about it. They understand that we need to make the expense. But we’ve got a long way to go to catch up.


Our experiences are quite similar. It’s a board-level discussion and we’ve had similar growth and similar additional investment. I get the unique pleasure of sitting with our chief security officer and talking about our cybersecurity with the audit and compliance subcommittee of our board.

They see the Yahoo breaches. They hear about the Target and the Home Depot breaches. Their question is, “Are we safe?” Well, no. We’re never safe. I mean, getting out of bed is a gamble, right? But, we do have a certain amount of investment and we treat our patients’ records with an abundance of caution. But I agree that the weakest link is people.
