HIMSS16: Tackling the impossible task of cybersecurity

While attendees at this year's Healthcare Information and Management Systems Society conference in Las Vegas no doubt will be interested in hearing about how providers, payers and innovative companies are developing and implementing tools to provide value-based care to patients, cybersecurity issues continue to hang over the industry like an ominous storm cloud.

In 2015, four announced payer breaches alone--Anthem, Premera Blue Cross, Excellus BlueCross BlueShield and CareFirst BlueCross BlueShield--accounted for nearly 100 million consumers being put at risk. A hack of UCLA Health announced in July accounted for another 4.5 million consumers being put in jeopardy. That's just a sampling of some of the higher-profile cyber incidents.

And so far in 2016, the industry doesn't appear to be much safer. Two hospitals--Mount Pleasant, Texas-based Titus Regional Medical Center and Los Angeles-based Hollywood Presbyterian Medical Center--both have been the targets of ransomware attacks, with the latter paying its attackers $17,000 (40 bitcoins) to regain control of its electronic systems.

When asked about the best ways to protect against such breaches, Ronald Mehring, vice president of technology and security at Dallas-based Texas Health Resources, told FierceHealthIT that having backups and providers knowing their recovery point objectives and limitations was key. He also said organizations must be both cognizant about their backup and detection latency and vigorous in monitoring for file changes in directories and abnormal user behavior.

Additionally, however, he said while he's not a big fan of the measures Hollywood Presbyterian took in ultimately paying ransom, the option is not one that can be taken off the table.

"I am sure there are many who would not agree with that statement," Mehring said. "[But] if there are no other solutions to get the data recovered quickly, and the data is absolutely necessary to treat a patient or get clinical/business operations going again, paying a ransom may be the only option."

A number of sessions at HIMSS16 will focus on the various aspects of cybersecurity within the industry, from strategies for improving medical device security to taking actions as if your organization is the target of the next big hack. Officials from the federal government will also give their take on the state of the industry and their role in trying to stay ahead of the curve.

The bottom line, however, is that--as Mehring and other hospital security executives such as Seattle Children's Medical Center's Cris Ewell have pointed out--the elimination of cybersecurity threats is an impossible goal.

The best defense, then, is execution of a flexible strategy that enables resilience in the event of adversity.

"The key is to try and put yourself in the best position possible to recover quickly," Mehring said. "Walking through cybersecurity threat scenarios and performing cyberexercises is critical to success."

What issues will be top of mind for you and your organization at HIMSS16 in Las Vegas? Let us know in the comments, or via social media on Twitter (@FierceHealthIT, @Dan_Bowman, @KMDvorak87, or @Gienna) or LinkedIn. - Dan

Suggested Articles

To build a successful network for health information exchange, policies must provide enough time and flexibility for the networks to develop and scale

Welcome to this week's Chutes & Ladders, our roundup of hirings, firings and retirings throughout the industry.

Federal lawmakers are taking a hard look at how the VA protects patient data shared with VA-approved health apps.