Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

10 Health IT Security Questions Every Healthcare CIO Must Answer

Posted on April 19, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Logicalis recently sent out 10 Security Questions Every CIO Must Be Able to Answer. Here’s their list:

  1. If you knew that your company was going to be breached tomorrow, what would you do differently today?
  2. Has your company ever been breached? How do you know?
  3. What assets am I protecting, what am I protecting them from (i.e., theft, destruction, compromise), and who am I protecting them from (i.e. cybercriminals or even insiders)?
  4. What damage will we sustain if we are breached (i.e., financial loss, reputation, regulatory fines, loss of competitive advantage)?
  5. Have you moved beyond an “inside vs. outside” perimeter-based approach to information security?
  6. Does your IT security implementation match your business-centric security policies? Does it rely on written policies, technical controls or both?
  7. What is your security strategy for IoT (also known as “the Internet of threat”)?
  8. What is your security strategy for “anywhere, anytime, any device” mobility?
  9. Do you have an incident response plan in place?
  10. What is your remediation process? Can you recover lost data and prevent a similar attack from happening again?

Given the incredible rise in hospitals being breached or held ransom, it’s no surprise that this is one of the hottest topics in healthcare. No doubt many a hospital CIO has had sleepless nights thanks to these challenges. If you’re a CIO that has been sleeping well at night, I’m afraid for your organization.

The good news is that I think most healthcare organizations are taking these threats seriously. Many would now be able to answer the questions listed above. Although, I imagine some of them need some work. Maybe that’s the key lesson to all of this. There’s no silver bullet solution. Security is an ongoing process and has to be built into the culture of an organization. There’s always new threats and new software being implemented that needs to be protected.

With that said, health IT leaders need to sometimes shake things up in their organization too. A culture of security is an incredible starting point. However, there’s nothing that focuses an organization more than for a breach to occur. The hyper focus that occurs is incredible to watch. If I was a health IT leader, I’d consider staging a mock breach and see what happens. It will likely open your eyes to some poor processes and some vulnerabilities you’d missed.

How Secure Are Wearables?

Posted on October 1, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

JaneenB asks a really fantastic question in this tweet. Making sure that wearables are secure is going to be a really hot topic. Yesterday, I was talking with Mac McMillan from Cynergistek and he suggested that the FDA was ready to make medical device security a priority. I’ll be interested to see what the FDA does to try and regulate security in medical devices, but you can see why this is an important thing. Mac also commented that while it’s incredibly damaging for someone to hack a pacemaker like the one Vice President Cheney had (has?), the bigger threat is the 300 pumps that are installed in a hospital. If one of them can be hacked, they all can be hacked and the process for updating them is not simple.

Of course, Mac was talking about medical device security from more of an enterprise perspective. Now, let’s think about this across millions of wearable devices that are used by consumers. Plus, many of these consumer wearable devices don’t require FDA clearance and so the FDA won’t be able to impose more security restrictions on them.

I’m not really sure the answer to this problem of wearable security. Although, I think two steps in the right direction could be for health wearable companies to first build a culture of security into their company and their product. This will add a little bit of expense on the front end, but it will more than pay off on the back end when they avoid security issues which could literally leave the company in financial ruins. Second, we could use some organization to take on the effort of reporting on the security (or lack thereof) of these devices. I’m not sure if this is a consumer reports type organization or a media company. However, I think the idea of someone holding organizations accountable is important.

We’re definitely heading towards a world of many connected devices. I don’t think we have a clear picture of what this means from a security perspective.

Complete Health IT Security is a Myth, But That Doesn’t Mean We Shouldn’t Try

Posted on August 11, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

As I mentioned, last week I had the opportunity to attend the Black Hat conference in Las Vegas. There were over 9000 attendees and 180+ speakers sharing on the latest and greatest IT security and privacy topics. Black Hat is more appropriately called a hackers conference (although Defcon is more hardcore hacker than Black Hat which had plenty of corporate prensence) for good reason. You turn off your devices and be careful what you do. There’s a certain paranoia that comes when one of the vendor handouts is a foil credit card cover that prevents someone from stealing your credit card number. I didn’t quite have my tin foil hat on, but you could start to understand the sentiment.

One of the most interesting things about Black Hat is to get an idea of the mentality of the hacker. Their creative process is fascinating. Their ability to work around obstacles is something we should all learn to incorporate into our lives. I think for most of these hackers, there’s never a mentality of something can’t be done. It’s just a question of figuring out a way to work around whatever obstacles are in their way. We could use a little more of this mentality in dealing with the challenges of healthcare.

The biggest thing I was reminded of at the event was that complete security and privacy is a myth. If someone wants to get into something badly enough, they’ll find a way. As one security expert I met told me, the only secure system is one that’s turned off, not connected to anything, and buried underground. If a computer or device is turned on, then it’s vulnerable.

The reality is that complete security shouldn’t be our goal. Our goal should be to make our systems secure enough that it’s not worth someone’s time or effort to break through the security. I can assure you that most of healthcare is far from this level of security. What a tremendous opportunity that this presents.

The first place to start in any organization is to create a culture of security and privacy. The one off efforts that most organization apply after a breach or an audit aren’t going to get us there. Instead, you have to incorporate a thoughtful approach to security into everything you do. This starts at the RFP continues through the procurement process extends into the implementation and continues on through the maintenance of the product.

Security and privacy efforts in an organization are hard to justify since they don’t increase the bottom line. This is another reason why the efforts need to be integrated into everything that’s done and not just tied to a specific budget line item. As a budget line item, it’s too easy to cut it out when budgets get tight. The good news is that a little effort throughout the process can avoid a lot of heartache later on. Ask an organization that’s had a breach or failed an audit.

iPad Lifecycle Versus Other Tablets

Posted on February 13, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Every once in a while I like to put my old IT hat back on (I am @techguy on Twitter after all) and look at some of the more physical IT aspects of EMR and healthcare IT. I still get really excited about EMR Technology products and the evolution of these products.

I’ve long argued that most IT administrators would much rather have a set of Windows 8 tablets in their environment over a bunch of iPads or Android tablets. The biggest reasons for this was because of the security and management of these devices. Most hospital and healthcare IT administrators are comfortable securing a Windows based device and they aren’t as comfortable with new tablets like the iPad or Android tablets. Plus, the tools for managing and imaging Windows based tablets is so much more developed than those of the iPad or Android (although, I think both of these are catching up pretty quickly).

While I think both of these arguments are reasonable, I heard two new arguments for why an organization might want to stick with Windows 8 tablets instead of moving to iPads and Androids.

The first reason is that the lifecycle of a Windows 8 machine is much longer than an iPad or Android tablet. A Windows 8 tablet that you bought 5 years ago could still easily be supported by an IT shop and will work with your various software systems. A 3 year old iPad could very well not work with your EHR software and Apple has already stopped supporting O/S upgrades on the original iPads which poses similar HIPAA Compliance issues to Windows XP.

The whole release cycle with iPad and Android tablets is intent on replacing the previous versions. They don’t quite make them obsolete, but they’ve been releasing new versions every year with the intent for you to buy a new one every year. This stands in stark contrast to the Windows tablet approach.

Another reason many IT admins will likely lean towards Windows 8 tablets over iPads and Androids is that they’re just generally more rugged. Sure, you can make iPads and Androids more rugged with certain cases, but then you lose the look and feel of having an iPad in your hand and nicely in your pocket.

This point is accentuated even more when you look at devices like the new Toughpad tablets from Panasonic. They’ve finally got the processing power in these machines to match that of a desktop so they can run any software you want. Plus, they are crazy durable. I saw them at CES last month and a journalist from India was slamming it on the ground and stepping on it and the thing kept ticking without a problem. I don’t need to explain to any of you why durability matters in healthcare where you’re always carrying around multiple items and drops are common.

Of course, the reality is that it’s “sexy” to carry around an iPad while you work. Software vendors are going to continue developing for the iPad and doctors are going to want to be carrying an iPad around with them. IT staff are likely going to have to support iPads and other tablets in their environment. However, when it’s left to the IT staff, you can be sure that the majority of them will be pushing for the more rugged, easier to secure, easier to manage, and longer lifecycle Windows 8 tablets. Unless of course, they’re ordering an iPad for their own “test” environment.