Disproving Cyber-Security Belief That the Weakest Link is Humans


When it comes to cyber-security, it can seem that there is a never-ending cycle: cyber-security experts identify a new virus, the public is made aware of it, a fix is soon created along with a way to protect yourself from it, and then the cycle begins again. Many security experts follow the mantra "don't click on email links or open attachments and we'll all be safer." However, a new philosophy is getting noticed, and it has to do with debunking the cyber-security belief that the weakest link is humans.

Source: healthcareitnews.com

Acknowledging the Norm Doesn’t Work

According to writer Tom Sullivan's article on Healthcare IT News, the recent HIMSS Healthcare Security Forum in Boston hosted many experts who had a lot to say about cyber-security. While many cyber-security experts would say that humans are the weakest link in tackling threats in the cyber-world, the forum had speakers who feel that the next phase of InfoSec needs to secure humans in addition to putting safety nets in place for protection.

Theresa Payton, former White House CIO and current CEO of Fortalice Solutions, spoke at the security forum and said it is time to break away from the security mantra "don't click on email links or open attachments and we'll all be safer." "We've been saying that for 15 years and the strategy doesn't work," she said.

Unfortunately, Payton pointed out that she continues to see business email compromises on the rise within healthcare. She added that, from a social engineering standpoint, it has never been easier to trick employees. Business email compromise is one of the largest unreported crimes after ransomware.


Salwa Rafee, worldwide security leader for life sciences and healthcare at IBM, commented that there is a twenty-five percent probability that a healthcare organization will be hacked within the next two-and-a-half years. There is also no getting away from human error, such as an individual clicking on a malicious link or using recycled passwords.

Focusing on Protecting the User

Since the current norm is not working, experts feel the time has come to try something different. Payton said that humans are not the weakest link: technology can be hacked and data can never be 100 percent secure. "We have to design for the human." According to Chad Wilson, IT director and chief of security at Children's National Health System, this must apply to all clinicians, employees and administration, as well as patients.

Anahi Santiago, CISO of Christiana Care Health System, added that hospitals will need to protect patients and their information outside the electronic health record, beyond their four walls and into consumers' daily lives and homes. Santiago said that information security is a patient safety issue.

Keeping this in mind, Payton recommended two-factor authentication and network segmentation as a minimum safety net. Segmentation isolates an attack when it happens, so hospitals have the ability to stop it from reaching other software systems, departments, facilities and devices. Sonia Arista, national healthcare practice director at Fortinet, put it simply: "segment, segment, segment."

Payton said that segmentation is not a guarantee; however, it can maximize resilience while minimizing the damage. "We've been so focused on data and network and hardware that we've kind of forgotten about the human cyber and social footprint. The next thing is putting a safety net around the user."
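To make the segmentation point concrete, here is an added example (not code from the article, Fortalice or Fortinet) that models a hospital-style network as zones with an allow-list of permitted flows, then computes the "blast radius" an attacker would have after compromising one zone. The zone names and rules are constructed sample data; the point it demonstrates is how a flat network exposes every zone to a single phished workstation, while a default-deny segmented policy confines the pivot to the few zones that workstation legitimately needs.

```python
"""Blast-radius check for a zone-based network segmentation policy.

Added illustration, not code from the article or the vendors it quotes:
the zone names and allow rules below are constructed sample data.
"""
from collections import deque

# Constructed sample zones for a hypothetical hospital network.
ZONES = ["guest_wifi", "workstations", "ehr_app", "ehr_db", "medical_devices", "admin"]

# A flat network: every zone may initiate connections to every other zone.
FLAT_POLICY = {src: {dst for dst in ZONES if dst != src} for src in ZONES}

# A segmented policy: explicit allow-list of source -> destinations.
# Anything not listed is denied by default.
SEGMENTED_POLICY = {
    "guest_wifi": set(),                    # internet only, nothing internal
    "workstations": {"ehr_app"},            # clinicians use the EHR front end
    "ehr_app": {"ehr_db"},                  # app tier talks to its database
    "ehr_db": set(),
    "medical_devices": set(),               # devices accept connections, never initiate
    "admin": {"workstations", "ehr_app", "ehr_db", "medical_devices"},  # jump zone
}


def reachable_zones(policy, compromised):
    """Return the set of other zones an attacker could pivot to from
    `compromised`, following only allowed flows (transitive closure)."""
    seen = set()
    queue = deque([compromised])
    while queue:
        zone = queue.popleft()
        for nxt in policy.get(zone, ()):
            if nxt != compromised and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(policy, compromised):
    """Number of other zones exposed if `compromised` is breached."""
    return len(reachable_zones(policy, compromised))


def compare_policies(compromised):
    """Exposure from one compromised zone under the flat vs. segmented policy."""
    return {
        "flat": blast_radius(FLAT_POLICY, compromised),
        "segmented": blast_radius(SEGMENTED_POLICY, compromised),
    }


def find_overbroad_rules(policy, max_destinations=3):
    """Flag zones whose allow-list is wider than `max_destinations`; these are
    the rules to review first, since they dominate the blast radius."""
    return sorted(z for z, dsts in policy.items() if len(dsts) > max_destinations)


if __name__ == "__main__":
    for zone in ZONES:
        print(f"{zone:16} {compare_policies(zone)}")
    print("over-broad allow-lists:", find_overbroad_rules(SEGMENTED_POLICY))
```

Running the script shows a phished workstation reaching all five other zones on the flat network but only the EHR app and database tiers under the segmented policy, and it flags the admin jump zone as the rule to scrutinize, which is the "not a guarantee, but it limits the damage" trade-off Payton describes.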