How hospital CIOs learn from data, security breaches

Security breaches and privacy protection are big buzzwords in the healthcare industry, and two Boston-based hospital CIOs recently offered up advice on how their facilities are working to keep data safe.

In two separate articles at HealthcareInfoSecurity.com, John Halamka, CIO of Beth Israel Deaconess Medical Center in Boston, and Daniel Nigrin, CIO of Boston Children's Hospital, discussed changes their facilities have made to improve security in the wake of cyberattacks and breaches.

Halamka, a member of FierceHealthIT's advisory board, told HealthcareInfoSecurity.com that BIDMC took a harder look at its security efforts after a laptop was stolen from the hospital in 2012.

The stolen laptop was unencrypted and contained the data for thousands of patients. After the theft, the hospital tightened up encryption of devices, both personal and corporate, Halamka said.

BIDMC also learned a security lesson from the aftermath of the Boston Marathon bombing. The facility faced scrutiny over how it protected the privacy of the victims it treated. Halamka said the hospital took an "aggressive approach" to keeping information secure. Reminders were added to its systems to dissuade staff from violating patients' privacy, he said.

For Children's Hospital's Nigrin, a distributed-denial-of-service (DDoS) attack tested the facility's security. The hacktivist group Anonymous is suspected of launching the attacks, according to the article.

Nigrin told HealthcareInfoSecurity.com that thanks to education efforts and proactive measures on the part of the hospital, the hackers were not able to get into the systems and the attacks subsided.

However, problems were still uncovered during the attacks. One lesson learned was how much the hospital depends on email, Nigrin said, after it was forced to shut down its email system during the attack. In addition, he said the hospital's connection to the outside world was put at risk. Staff were unable to send electronic prescriptions to outside pharmacies because the Internet was also shut down, Nigrin said.

He added that all the hospitals impacted by the DDoS attack, including Children's, learned the importance of having DDoS protection in place, and said it is something they have all invested in.

In July, Nigrin published a perspective article in the New England Journal of Medicine outlining some of the lessons learned from that attack, as well.

To learn more:
- read the Halamka article
- listen to the Nigrin interview
